cue.dev/x/kyverno@v0.4.0

clustercleanuppolicy/v2beta1/schema.cue

  1package v2beta1
  2
  3import (
  4	"time"
  5	"strings"
  6)
  7
  8// ClusterCleanupPolicy defines rule for resource cleanup.
  9#ClusterCleanupPolicy: {
 10	_embeddedResource
 11
 12	// APIVersion defines the versioned schema of this representation
 13	// of an object.
 14	// Servers should convert recognized schemas to the latest
 15	// internal value, and
 16	// may reject unrecognized values.
 17	// More info:
 18	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
 19	"apiVersion"?: string
 20
 21	// Kind is a string value representing the REST resource this
 22	// object represents.
 23	// Servers may infer this from the endpoint the client submits
 24	// requests to.
 25	// Cannot be updated.
 26	// In CamelCase.
 27	// More info:
 28	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
 29	"kind"?: string
 30	"metadata"?: {}
 31
 32	// Spec declares policy behaviors.
 33	"spec"!: {
 34		// Conditions defines the conditions used to select the resources
 35		// which will be cleaned up.
 36		"conditions"?: {
 37			// AllConditions enable variable-based conditional rule execution.
 38			// This is useful for
  39			// finer control of when a rule is applied. A condition can
 40			// reference object data
 41			// using JMESPath notation.
 42			// Here, all of the conditions need to pass.
 43			"all"?: [...{
 44				// Key is the context entry (using JMESPath) for conditional rule
 45				// evaluation.
 46				"key"?: null | bool | number | string | [...] | {
 47					...
 48				}
 49
 50				// Message is an optional display message
 51				"message"?: string
 52
 53				// Operator is the conditional operation to perform. Valid
 54				// operators are:
 55				// Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
 56				// GreaterThanOrEquals,
 57				// GreaterThan, LessThanOrEquals, LessThan,
 58				// DurationGreaterThanOrEquals, DurationGreaterThan,
 59				// DurationLessThanOrEquals, DurationLessThan
 60				"operator"?: "Equals" | "NotEquals" | "AnyIn" | "AllIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
 61
 62				// Value is the conditional value, or set of values. The values
 63				// can be fixed set
 64				// or can be variables declared using JMESPath.
 65				"value"?: null | bool | number | string | [...] | {
 66					...
 67				}
 68			}]
 69
 70			// AnyConditions enable variable-based conditional rule execution.
 71			// This is useful for
  72			// finer control of when a rule is applied. A condition can
 73			// reference object data
 74			// using JMESPath notation.
 75			// Here, at least one of the conditions need to pass.
 76			"any"?: [...{
 77				// Key is the context entry (using JMESPath) for conditional rule
 78				// evaluation.
 79				"key"?: null | bool | number | string | [...] | {
 80					...
 81				}
 82
 83				// Message is an optional display message
 84				"message"?: string
 85
 86				// Operator is the conditional operation to perform. Valid
 87				// operators are:
 88				// Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
 89				// GreaterThanOrEquals,
 90				// GreaterThan, LessThanOrEquals, LessThan,
 91				// DurationGreaterThanOrEquals, DurationGreaterThan,
 92				// DurationLessThanOrEquals, DurationLessThan
 93				"operator"?: "Equals" | "NotEquals" | "AnyIn" | "AllIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
 94
 95				// Value is the conditional value, or set of values. The values
 96				// can be fixed set
 97				// or can be variables declared using JMESPath.
 98				"value"?: null | bool | number | string | [...] | {
 99					...
100				}
101			}]
102		}
103
104		// Context defines variables and data sources that can be used
105		// during rule execution.
106		"context"?: [...matchN(1, [{
107			"configMap"!: _
108		}, {
109			"apiCall"!: _
110		}, {
111			"imageRegistry"!: _
112		}, {
113			"variable"!: _
114		}, {
115			"globalReference"!: _
116		}]) & {
117			// APICall is an HTTP request to the Kubernetes API server, or
118			// other JSON web service.
119			// The data returned is stored in the context with the name for
120			// the context entry.
121			"apiCall"?: {
122				// The data object specifies the POST data sent to the server.
123				// Only applicable when the method field is set to POST.
124				"data"?: [...{
125					// Key is a unique identifier for the data value
126					"key"!: string
127
128					// Value is the data value
129					"value"!: null | bool | number | string | [...] | {
130						...
131					}
132				}]
133
134				// Default is an optional arbitrary JSON object that the context
135				// value is set to, if the apiCall returns error.
136				"default"?: null | bool | number | string | [...] | {
137					...
138				}
139
140				// JMESPath is an optional JSON Match Expression that can be used
141				// to
142				// transform the JSON response returned from the server. For
143				// example
144				// a JMESPath of "items | length(@)" applied to the API server
145				// response
146				// for the URLPath "/apis/apps/v1/deployments" will return the
147				// total count
148				// of deployments across all namespaces.
149				"jmesPath"?: string
150
151				// Method is the HTTP request type (GET or POST). Defaults to GET.
152				"method"?: "GET" | "POST"
153
154				// Service is an API call to a JSON web service.
155				// This is used for non-Kubernetes API server calls.
156				// It's mutually exclusive with the URLPath field.
157				"service"?: {
158					// CABundle is a PEM encoded CA bundle which will be used to
159					// validate
160					// the server certificate.
161					"caBundle"?: string
162
163					// Headers is a list of optional HTTP headers to be included in
164					// the request.
165					"headers"?: [...{
166						// Key is the header key
167						"key"!: string
168
169						// Value is the header value
170						"value"!: string
171					}]
172
173					// URL is the JSON web service URL. A typical form is
174					// `https://{service}.{namespace}:{port}/{path}`.
175					"url"!: string
176				}
177
178				// URLPath is the URL path to be used in the HTTP GET or POST
179				// request to the
180				// Kubernetes API server (e.g. "/api/v1/namespaces" or
181				// "/apis/apps/v1/deployments").
182				// The format required is the same format used by the `kubectl get
183				// --raw` command.
184				// See
185				// https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
186				// for details.
187				// It's mutually exclusive with the Service field.
188				"urlPath"?: string
189			}
190
191			// ConfigMap is the ConfigMap reference.
192			"configMap"?: {
193				// Name is the ConfigMap name.
194				"name"!: string
195
196				// Namespace is the ConfigMap namespace.
197				"namespace"?: string
198			}
199
200			// GlobalContextEntryReference is a reference to a cached global
201			// context entry.
202			"globalReference"?: {
203				// JMESPath is an optional JSON Match Expression that can be used
204				// to
205				// transform the JSON response returned from the server. For
206				// example
207				// a JMESPath of "items | length(@)" applied to the API server
208				// response
209				// for the URLPath "/apis/apps/v1/deployments" will return the
210				// total count
211				// of deployments across all namespaces.
212				"jmesPath"?: string
213
214				// Name of the global context entry
215				"name"!: string
216			}
217
218			// ImageRegistry defines requests to an OCI/Docker V2 registry to
219			// fetch image
220			// details.
221			"imageRegistry"?: {
222				// ImageRegistryCredentials provides credentials that will be used
223				// for authentication with registry
224				"imageRegistryCredentials"?: {
225					// AllowInsecureRegistry allows insecure access to a registry.
226					"allowInsecureRegistry"?: bool
227
228					// Providers specifies a list of OCI Registry names, whose
229					// authentication providers are provided.
230					// It can be of one of these values:
231					// default,google,azure,amazon,github.
232					"providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
233
234					// Secrets specifies a list of secrets that are provided for
235					// credentials.
236					// Secrets must live in the Kyverno namespace.
237					"secrets"?: [...string]
238				}
239
240				// JMESPath is an optional JSON Match Expression that can be used
241				// to
242				// transform the ImageData struct returned as a result of
243				// processing
244				// the image reference.
245				"jmesPath"?: string
246
247				// Reference is image reference to a container image in the
248				// registry.
249				// Example: ghcr.io/kyverno/kyverno:latest
250				"reference"!: string
251			}
252
253			// Name is the variable name.
254			"name"!: string
255
256			// Variable defines an arbitrary JMESPath context variable that
257			// can be defined inline.
258			"variable"?: {
259				// Default is an optional arbitrary JSON object that the variable
260				// may take if the JMESPath
261				// expression evaluates to nil
262				"default"?: null | bool | number | string | [...] | {
263					...
264				}
265
266				// JMESPath is an optional JMESPath Expression that can be used to
267				// transform the variable.
268				"jmesPath"?: string
269
270				// Value is any arbitrary JSON object representable in YAML or
271				// JSON form.
272				"value"?: null | bool | number | string | [...] | {
273					...
274				}
275			}
276		}]
277
278		// ExcludeResources defines when cleanuppolicy should not be
279		// applied. The exclude
280		// criteria can include resource information (e.g. kind, name,
281		// namespace, labels)
282		// and admission review request information like the name or role.
283		"exclude"?: matchN(0, [null | bool | number | string | [...] | {
284			"any"!: _
285			"all"!: _
286		}]) & {
287			// All allows specifying resources which will be ANDed
288			"all"?: [...{
289				// ClusterRoles is the list of cluster-wide role names for the
290				// user.
291				"clusterRoles"?: [...string]
292
293				// ResourceDescription contains information about the resource
294				// being created or modified.
295				"resources"?: matchN(0, [null | bool | number | string | [...] | {
296					"name"!:  _
297					"names"!: _
298				}]) & {
299					// Annotations is a map of annotations (key-value pairs of type
300					// string). Annotation keys
301					// and values support the wildcard characters "*" (matches zero or
302					// many characters) and
303					// "?" (matches at least one character).
304					"annotations"?: [string]: string
305
306					// Kinds is a list of resource kinds.
307					"kinds"?: [...string]
308
309					// Name is the name of the resource. The name supports wildcard
310					// characters
311					// "*" (matches zero or many characters) and "?" (at least one
312					// character).
313					// NOTE: "Name" is being deprecated in favor of "Names".
314					"name"?: string
315
316					// Names are the names of the resources. Each name supports
317					// wildcard characters
318					// "*" (matches zero or many characters) and "?" (at least one
319					// character).
320					"names"?: [...string]
321
322					// NamespaceSelector is a label selector for the resource
323					// namespace. Label keys and values
324					// in `matchLabels` support the wildcard characters `*` (matches
325					// zero or many characters)
 326					// and `?` (matches one character). Wildcards allow writing label
327					// selectors like
328					// ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
329					// any key and value but
330					// does not match an empty label set.
331					"namespaceSelector"?: {
332						// matchExpressions is a list of label selector requirements. The
333						// requirements are ANDed.
334						"matchExpressions"?: [...{
335							// key is the label key that the selector applies to.
336							"key"!: string
337
338							// operator represents a key's relationship to a set of values.
339							// Valid operators are In, NotIn, Exists and DoesNotExist.
340							"operator"!: string
341
342							// values is an array of string values. If the operator is In or
343							// NotIn,
344							// the values array must be non-empty. If the operator is Exists
345							// or DoesNotExist,
346							// the values array must be empty. This array is replaced during a
347							// strategic
348							// merge patch.
349							"values"?: [...string]
350						}]
351
352						// matchLabels is a map of {key,value} pairs. A single {key,value}
353						// in the matchLabels
354						// map is equivalent to an element of matchExpressions, whose key
355						// field is "key", the
356						// operator is "In", and the values array contains only "value".
357						// The requirements are ANDed.
358						"matchLabels"?: {
359							[string]: string
360						}
361					}
362
363					// Namespaces is a list of namespaces names. Each name supports
364					// wildcard characters
365					// "*" (matches zero or many characters) and "?" (at least one
366					// character).
367					"namespaces"?: [...string]
368
 369					// Operations can contain values ["CREATE", "UPDATE", "CONNECT",
370					// "DELETE"], which are used to match a specific action.
371					"operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
372
373					// Selector is a label selector. Label keys and values in
374					// `matchLabels` support the wildcard
375					// characters `*` (matches zero or many characters) and `?`
376					// (matches one character).
377					// Wildcards allows writing label selectors like
378					// ["storage.k8s.io/*": "*"]. Note that
379					// using ["*" : "*"] matches any key and value but does not match
380					// an empty label set.
381					"selector"?: {
382						// matchExpressions is a list of label selector requirements. The
383						// requirements are ANDed.
384						"matchExpressions"?: [...{
385							// key is the label key that the selector applies to.
386							"key"!: string
387
388							// operator represents a key's relationship to a set of values.
389							// Valid operators are In, NotIn, Exists and DoesNotExist.
390							"operator"!: string
391
392							// values is an array of string values. If the operator is In or
393							// NotIn,
394							// the values array must be non-empty. If the operator is Exists
395							// or DoesNotExist,
396							// the values array must be empty. This array is replaced during a
397							// strategic
398							// merge patch.
399							"values"?: [...string]
400						}]
401
402						// matchLabels is a map of {key,value} pairs. A single {key,value}
403						// in the matchLabels
404						// map is equivalent to an element of matchExpressions, whose key
405						// field is "key", the
406						// operator is "In", and the values array contains only "value".
407						// The requirements are ANDed.
408						"matchLabels"?: {
409							[string]: string
410						}
411					}
412				}
413
414				// Roles is the list of namespaced role names for the user.
415				"roles"?: [...string]
416
417				// Subjects is the list of subject names like users, user groups,
418				// and service accounts.
419				"subjects"?: [...{
420					// APIGroup holds the API group of the referenced subject.
421					// Defaults to "" for ServiceAccount subjects.
422					// Defaults to "rbac.authorization.k8s.io" for User and Group
423					// subjects.
424					"apiGroup"?: string
425
426					// Kind of object being referenced. Values defined by this API
427					// group are "User", "Group", and "ServiceAccount".
 428					// If the Authorizer does not recognize the kind value, the
429					// Authorizer should report an error.
430					"kind"!: string
431
432					// Name of the object being referenced.
433					"name"!: string
434
435					// Namespace of the referenced object. If the object kind is
436					// non-namespace, such as "User" or "Group", and this value is
437					// not empty
438					// the Authorizer should report an error.
439					"namespace"?: string
440				}]
441			}]
442
443			// Any allows specifying resources which will be ORed
444			"any"?: [...{
445				// ClusterRoles is the list of cluster-wide role names for the
446				// user.
447				"clusterRoles"?: [...string]
448
449				// ResourceDescription contains information about the resource
450				// being created or modified.
451				"resources"?: matchN(0, [null | bool | number | string | [...] | {
452					"name"!:  _
453					"names"!: _
454				}]) & {
455					// Annotations is a map of annotations (key-value pairs of type
456					// string). Annotation keys
457					// and values support the wildcard characters "*" (matches zero or
458					// many characters) and
459					// "?" (matches at least one character).
460					"annotations"?: [string]: string
461
462					// Kinds is a list of resource kinds.
463					"kinds"?: [...string]
464
465					// Name is the name of the resource. The name supports wildcard
466					// characters
467					// "*" (matches zero or many characters) and "?" (at least one
468					// character).
469					// NOTE: "Name" is being deprecated in favor of "Names".
470					"name"?: string
471
472					// Names are the names of the resources. Each name supports
473					// wildcard characters
474					// "*" (matches zero or many characters) and "?" (at least one
475					// character).
476					"names"?: [...string]
477
478					// NamespaceSelector is a label selector for the resource
479					// namespace. Label keys and values
480					// in `matchLabels` support the wildcard characters `*` (matches
481					// zero or many characters)
 482					// and `?` (matches one character). Wildcards allow writing label
483					// selectors like
484					// ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
485					// any key and value but
486					// does not match an empty label set.
487					"namespaceSelector"?: {
488						// matchExpressions is a list of label selector requirements. The
489						// requirements are ANDed.
490						"matchExpressions"?: [...{
491							// key is the label key that the selector applies to.
492							"key"!: string
493
494							// operator represents a key's relationship to a set of values.
495							// Valid operators are In, NotIn, Exists and DoesNotExist.
496							"operator"!: string
497
498							// values is an array of string values. If the operator is In or
499							// NotIn,
500							// the values array must be non-empty. If the operator is Exists
501							// or DoesNotExist,
502							// the values array must be empty. This array is replaced during a
503							// strategic
504							// merge patch.
505							"values"?: [...string]
506						}]
507
508						// matchLabels is a map of {key,value} pairs. A single {key,value}
509						// in the matchLabels
510						// map is equivalent to an element of matchExpressions, whose key
511						// field is "key", the
512						// operator is "In", and the values array contains only "value".
513						// The requirements are ANDed.
514						"matchLabels"?: {
515							[string]: string
516						}
517					}
518
519					// Namespaces is a list of namespaces names. Each name supports
520					// wildcard characters
521					// "*" (matches zero or many characters) and "?" (at least one
522					// character).
523					"namespaces"?: [...string]
524
 525					// Operations can contain values ["CREATE", "UPDATE", "CONNECT",
526					// "DELETE"], which are used to match a specific action.
527					"operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
528
529					// Selector is a label selector. Label keys and values in
530					// `matchLabels` support the wildcard
531					// characters `*` (matches zero or many characters) and `?`
532					// (matches one character).
533					// Wildcards allows writing label selectors like
534					// ["storage.k8s.io/*": "*"]. Note that
535					// using ["*" : "*"] matches any key and value but does not match
536					// an empty label set.
537					"selector"?: {
538						// matchExpressions is a list of label selector requirements. The
539						// requirements are ANDed.
540						"matchExpressions"?: [...{
541							// key is the label key that the selector applies to.
542							"key"!: string
543
544							// operator represents a key's relationship to a set of values.
545							// Valid operators are In, NotIn, Exists and DoesNotExist.
546							"operator"!: string
547
548							// values is an array of string values. If the operator is In or
549							// NotIn,
550							// the values array must be non-empty. If the operator is Exists
551							// or DoesNotExist,
552							// the values array must be empty. This array is replaced during a
553							// strategic
554							// merge patch.
555							"values"?: [...string]
556						}]
557
558						// matchLabels is a map of {key,value} pairs. A single {key,value}
559						// in the matchLabels
560						// map is equivalent to an element of matchExpressions, whose key
561						// field is "key", the
562						// operator is "In", and the values array contains only "value".
563						// The requirements are ANDed.
564						"matchLabels"?: {
565							[string]: string
566						}
567					}
568				}
569
570				// Roles is the list of namespaced role names for the user.
571				"roles"?: [...string]
572
573				// Subjects is the list of subject names like users, user groups,
574				// and service accounts.
575				"subjects"?: [...{
576					// APIGroup holds the API group of the referenced subject.
577					// Defaults to "" for ServiceAccount subjects.
578					// Defaults to "rbac.authorization.k8s.io" for User and Group
579					// subjects.
580					"apiGroup"?: string
581
582					// Kind of object being referenced. Values defined by this API
583					// group are "User", "Group", and "ServiceAccount".
 584					// If the Authorizer does not recognize the kind value, the
585					// Authorizer should report an error.
586					"kind"!: string
587
588					// Name of the object being referenced.
589					"name"!: string
590
591					// Namespace of the referenced object. If the object kind is
592					// non-namespace, such as "User" or "Group", and this value is
593					// not empty
594					// the Authorizer should report an error.
595					"namespace"?: string
596				}]
597			}]
598		}
599
600		// MatchResources defines when cleanuppolicy should be applied.
601		// The match
602		// criteria can include resource information (e.g. kind, name,
603		// namespace, labels)
604		// and admission review request information like the user name or
605		// role.
606		// At least one kind is required.
607		"match"!: matchN(0, [null | bool | number | string | [...] | {
608			"any"!: _
609			"all"!: _
610		}]) & {
611			// All allows specifying resources which will be ANDed
612			"all"?: [...{
613				// ClusterRoles is the list of cluster-wide role names for the
614				// user.
615				"clusterRoles"?: [...string]
616
617				// ResourceDescription contains information about the resource
618				// being created or modified.
619				"resources"?: matchN(0, [null | bool | number | string | [...] | {
620					"name"!:  _
621					"names"!: _
622				}]) & {
623					// Annotations is a map of annotations (key-value pairs of type
624					// string). Annotation keys
625					// and values support the wildcard characters "*" (matches zero or
626					// many characters) and
627					// "?" (matches at least one character).
628					"annotations"?: [string]: string
629
630					// Kinds is a list of resource kinds.
631					"kinds"?: [...string]
632
633					// Name is the name of the resource. The name supports wildcard
634					// characters
635					// "*" (matches zero or many characters) and "?" (at least one
636					// character).
637					// NOTE: "Name" is being deprecated in favor of "Names".
638					"name"?: string
639
640					// Names are the names of the resources. Each name supports
641					// wildcard characters
642					// "*" (matches zero or many characters) and "?" (at least one
643					// character).
644					"names"?: [...string]
645
646					// NamespaceSelector is a label selector for the resource
647					// namespace. Label keys and values
648					// in `matchLabels` support the wildcard characters `*` (matches
649					// zero or many characters)
 650					// and `?` (matches one character). Wildcards allow writing label
651					// selectors like
652					// ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
653					// any key and value but
654					// does not match an empty label set.
655					"namespaceSelector"?: {
656						// matchExpressions is a list of label selector requirements. The
657						// requirements are ANDed.
658						"matchExpressions"?: [...{
659							// key is the label key that the selector applies to.
660							"key"!: string
661
662							// operator represents a key's relationship to a set of values.
663							// Valid operators are In, NotIn, Exists and DoesNotExist.
664							"operator"!: string
665
666							// values is an array of string values. If the operator is In or
667							// NotIn,
668							// the values array must be non-empty. If the operator is Exists
669							// or DoesNotExist,
670							// the values array must be empty. This array is replaced during a
671							// strategic
672							// merge patch.
673							"values"?: [...string]
674						}]
675
676						// matchLabels is a map of {key,value} pairs. A single {key,value}
677						// in the matchLabels
678						// map is equivalent to an element of matchExpressions, whose key
679						// field is "key", the
680						// operator is "In", and the values array contains only "value".
681						// The requirements are ANDed.
682						"matchLabels"?: {
683							[string]: string
684						}
685					}
686
687					// Namespaces is a list of namespaces names. Each name supports
688					// wildcard characters
689					// "*" (matches zero or many characters) and "?" (at least one
690					// character).
691					"namespaces"?: [...string]
692
 693					// Operations can contain values ["CREATE", "UPDATE", "CONNECT",
694					// "DELETE"], which are used to match a specific action.
695					"operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
696
697					// Selector is a label selector. Label keys and values in
698					// `matchLabels` support the wildcard
699					// characters `*` (matches zero or many characters) and `?`
700					// (matches one character).
701					// Wildcards allows writing label selectors like
702					// ["storage.k8s.io/*": "*"]. Note that
703					// using ["*" : "*"] matches any key and value but does not match
704					// an empty label set.
705					"selector"?: {
706						// matchExpressions is a list of label selector requirements. The
707						// requirements are ANDed.
708						"matchExpressions"?: [...{
709							// key is the label key that the selector applies to.
710							"key"!: string
711
712							// operator represents a key's relationship to a set of values.
713							// Valid operators are In, NotIn, Exists and DoesNotExist.
714							"operator"!: string
715
716							// values is an array of string values. If the operator is In or
717							// NotIn,
718							// the values array must be non-empty. If the operator is Exists
719							// or DoesNotExist,
720							// the values array must be empty. This array is replaced during a
721							// strategic
722							// merge patch.
723							"values"?: [...string]
724						}]
725
726						// matchLabels is a map of {key,value} pairs. A single {key,value}
727						// in the matchLabels
728						// map is equivalent to an element of matchExpressions, whose key
729						// field is "key", the
730						// operator is "In", and the values array contains only "value".
731						// The requirements are ANDed.
732						"matchLabels"?: {
733							[string]: string
734						}
735					}
736				}
737
738				// Roles is the list of namespaced role names for the user.
739				"roles"?: [...string]
740
741				// Subjects is the list of subject names like users, user groups,
742				// and service accounts.
743				"subjects"?: [...{
744					// APIGroup holds the API group of the referenced subject.
745					// Defaults to "" for ServiceAccount subjects.
746					// Defaults to "rbac.authorization.k8s.io" for User and Group
747					// subjects.
748					"apiGroup"?: string
749
750					// Kind of object being referenced. Values defined by this API
751					// group are "User", "Group", and "ServiceAccount".
 752					// If the Authorizer does not recognize the kind value, the
753					// Authorizer should report an error.
754					"kind"!: string
755
756					// Name of the object being referenced.
757					"name"!: string
758
759					// Namespace of the referenced object. If the object kind is
760					// non-namespace, such as "User" or "Group", and this value is
761					// not empty
762					// the Authorizer should report an error.
763					"namespace"?: string
764				}]
765			}]
766
767			// Any allows specifying resources which will be ORed
768			"any"?: [...{
769				// ClusterRoles is the list of cluster-wide role names for the
770				// user.
771				"clusterRoles"?: [...string]
772
773				// ResourceDescription contains information about the resource
774				// being created or modified.
775				"resources"?: matchN(0, [null | bool | number | string | [...] | {
776					"name"!:  _
777					"names"!: _
778				}]) & {
779					// Annotations is a map of annotations (key-value pairs of type
780					// string). Annotation keys
781					// and values support the wildcard characters "*" (matches zero or
782					// many characters) and
783					// "?" (matches at least one character).
784					"annotations"?: [string]: string
785
786					// Kinds is a list of resource kinds.
787					"kinds"?: [...string]
788
789					// Name is the name of the resource. The name supports wildcard
790					// characters
791					// "*" (matches zero or many characters) and "?" (at least one
792					// character).
793					// NOTE: "Name" is being deprecated in favor of "Names".
794					"name"?: string
795
796					// Names are the names of the resources. Each name supports
797					// wildcard characters
798					// "*" (matches zero or many characters) and "?" (at least one
799					// character).
800					"names"?: [...string]
801
802					// NamespaceSelector is a label selector for the resource
803					// namespace. Label keys and values
804					// in `matchLabels` support the wildcard characters `*` (matches
805					// zero or many characters)
 806					// and `?` (matches one character). Wildcards allow writing label
807					// selectors like
808					// ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
809					// any key and value but
810					// does not match an empty label set.
811					"namespaceSelector"?: {
812						// matchExpressions is a list of label selector requirements. The
813						// requirements are ANDed.
814						"matchExpressions"?: [...{
815							// key is the label key that the selector applies to.
816							"key"!: string
817
818							// operator represents a key's relationship to a set of values.
819							// Valid operators are In, NotIn, Exists and DoesNotExist.
820							"operator"!: string
821
822							// values is an array of string values. If the operator is In or
823							// NotIn,
824							// the values array must be non-empty. If the operator is Exists
825							// or DoesNotExist,
826							// the values array must be empty. This array is replaced during a
827							// strategic
828							// merge patch.
829							"values"?: [...string]
830						}]
831
832						// matchLabels is a map of {key,value} pairs. A single {key,value}
833						// in the matchLabels
834						// map is equivalent to an element of matchExpressions, whose key
835						// field is "key", the
836						// operator is "In", and the values array contains only "value".
837						// The requirements are ANDed.
838						"matchLabels"?: {
839							[string]: string
840						}
841					}
842
843					// Namespaces is a list of namespace names. Each name supports
844					// wildcard characters
845					// "*" (matches zero or many characters) and "?" (at least one
846					// character).
847					"namespaces"?: [...string]
848
849					// Operations can contain values ["CREATE", "UPDATE", "CONNECT",
850					// "DELETE"], which are used to match a specific action.
851					"operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
852
853					// Selector is a label selector. Label keys and values in
854					// `matchLabels` support the wildcard
855					// characters `*` (matches zero or many characters) and `?`
856					// (matches one character).
857					// Wildcards allows writing label selectors like
858					// ["storage.k8s.io/*": "*"]. Note that
859					// using ["*" : "*"] matches any key and value but does not match
860					// an empty label set.
861					"selector"?: {
862						// matchExpressions is a list of label selector requirements. The
863						// requirements are ANDed.
864						"matchExpressions"?: [...{
865							// key is the label key that the selector applies to.
866							"key"!: string
867
868							// operator represents a key's relationship to a set of values.
869							// Valid operators are In, NotIn, Exists and DoesNotExist.
870							"operator"!: string
871
872							// values is an array of string values. If the operator is In or
873							// NotIn,
874							// the values array must be non-empty. If the operator is Exists
875							// or DoesNotExist,
876							// the values array must be empty. This array is replaced during a
877							// strategic
878							// merge patch.
879							"values"?: [...string]
880						}]
881
882						// matchLabels is a map of {key,value} pairs. A single {key,value}
883						// in the matchLabels
884						// map is equivalent to an element of matchExpressions, whose key
885						// field is "key", the
886						// operator is "In", and the values array contains only "value".
887						// The requirements are ANDed.
888						"matchLabels"?: {
889							[string]: string
890						}
891					}
892				}
893
894				// Roles is the list of namespaced role names for the user.
895				"roles"?: [...string]
896
897				// Subjects is the list of subject names like users, user groups,
898				// and service accounts.
899				"subjects"?: [...{
					// NOTE(review): apiGroup and kind are unconstrained strings below,
					// so the kinds named in their comments are documentation only; a
					// misspelled kind passes schema validation and only the
					// controller's handling decides what happens — confirm.
900					// APIGroup holds the API group of the referenced subject.
901					// Defaults to "" for ServiceAccount subjects.
902					// Defaults to "rbac.authorization.k8s.io" for User and Group
903					// subjects.
904					"apiGroup"?: string
905
906					// Kind of object being referenced. Values defined by this API
907					// group are "User", "Group", and "ServiceAccount".
908					// If the Authorizer does not recognize the kind value, the
909					// Authorizer should report an error.
910					"kind"!: string
911
912					// Name of the object being referenced.
913					"name"!: string
914
915					// Namespace of the referenced object. If the object kind is
916					// non-namespaced, such as "User" or "Group", and this value is
917					// not empty,
918					// the Authorizer should report an error.
919					"namespace"?: string
920				}]
921			}]
922		}
923
924		// The schedule in Cron format
		// Typed as a plain string: no pattern is applied here, so a malformed
		// cron expression passes schema validation and is caught, if at all,
		// only by the controller — confirm how the controller reports it.
925		"schedule"!: string
926	}
927
928	// Status contains policy runtime data.
929	"status"?: {
		// Optional (`?`), so a manifest without a status section still
		// validates. Each entry's field set and constraints match the
		// Kubernetes metav1.Condition type (same length limits and
		// reason/type patterns).
930		"conditions"?: [...{
931			// lastTransitionTime is the last time the condition transitioned
932			// from one status to another.
933			// This should be when the underlying condition changed. If that
934			// is not known, then using the time when the API field changed
935			// is acceptable.
936			"lastTransitionTime"!: time.Time
937
938			// message is a human readable message indicating details about
939			// the transition.
940			// This may be an empty string.
941			"message"!: strings.MaxRunes(
942					32768)
943
944			// observedGeneration represents the .metadata.generation that the
945			// condition was set based upon.
946			// For instance, if .metadata.generation is currently 12, but the
947			// .status.conditions[x].observedGeneration is 9, the condition
948			// is out of date
949			// with respect to the current state of the instance.
950			"observedGeneration"?: int64 & int & >=0
951
952			// reason contains a programmatic identifier indicating the reason
953			// for the condition's last transition.
954			// Producers of specific condition types may define expected
955			// values and meanings for this field,
956			// and whether the values are considered a guaranteed API.
957			// The value should be a CamelCase string.
958			// This field may not be empty.
959			"reason"!: strings.MaxRunes(
960					1024) & strings.MinRunes(
961					1) & =~"^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$"
962
963			// status of the condition, one of True, False, Unknown.
964			"status"!: "True" | "False" | "Unknown"
965
966			// type of condition in CamelCase or in foo.example.com/CamelCase.
967			"type"!: strings.MaxRunes(
968					316) & =~"^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$"
969		}]
		// Only the type is fixed here (time.Time); whether this records the
		// start or the completion of the last cleanup run is not stated in
		// the schema — confirm against the controller.
970		"lastExecutionTime"?: time.Time
971	}
972
973	_embeddedResource: {
		// Hidden (underscore) field unified into the definition at its top:
		// it makes apiVersion and kind required strings and leaves metadata
		// open to arbitrary extra fields.
974		"apiVersion"!: string
975		"kind"!:       string
976		"metadata"?: {
977			...
978		}
979	}
980	apiVersion: "kyverno.io/v2beta1" // concrete value: together with kind this pins the GVK every conforming manifest must carry
981	kind:       "ClusterCleanupPolicy"
982	metadata!: {
		// Required block; name is the only mandatory field.
983		"name"!:      string
		// Accepted by the schema even though the kind name suggests a
		// cluster-scoped resource — presumably kept for compatibility;
		// confirm whether the API server ignores or rejects it.
984		"namespace"?: string
985		"labels"?: {
986			[string]: string
987		}
988		"annotations"?: {
989			[string]: string
990		}
		// Open struct: other ObjectMeta fields are accepted without
		// validation here.
991		...
992	}
993}