cue.dev/x/kyverno@v0.4.0

clusterpolicy/v1/schema.cue raw

   1package v1
   2
   3import (
   4	"strings"
   5	"time"
   6)
   7
   8// ClusterPolicy declares validation, mutation, and generation
   9// behaviors for matching resources.
  10#ClusterPolicy: {
  11	_embeddedResource
  12
  13	// APIVersion defines the versioned schema of this representation
  14	// of an object.
  15	// Servers should convert recognized schemas to the latest
  16	// internal value, and
  17	// may reject unrecognized values.
  18	// More info:
  19	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  20	"apiVersion"?: string
  21
  22	// Kind is a string value representing the REST resource this
  23	// object represents.
  24	// Servers may infer this from the endpoint the client submits
  25	// requests to.
  26	// Cannot be updated.
  27	// In CamelCase.
  28	// More info:
  29	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  30	"kind"?: string
  31	"metadata"?: {}
  32
  33	// Spec declares policy behaviors.
  34	"spec"!: {
  35		// Admission controls if rules are applied during admission.
  36		// Optional. Default value is "true".
  37		"admission"?: bool
  38
  39		// ApplyRules controls how rules in a policy are applied. Rule are
  40		// processed in
  41		// the order of declaration. When set to `One` processing stops
  42		// after a rule has
  43		// been applied i.e. the rule matches and results in a pass, fail,
  44		// or error. When
  45		// set to `All` all rules in the policy are processed. The default
  46		// is `All`.
  47		"applyRules"?: "All" | "One"
  48
  49		// Background controls if rules are applied to existing resources
  50		// during a background scan.
  51		// Optional. Default value is "true". The value must be set to
  52		// "false" if the policy rule
  53		// uses variables that are only available in the admission review
  54		// request (e.g. user name).
  55		"background"?: bool
  56
  57		// EmitWarning enables API response warnings for mutate policy
  58		// rules or validate policy rules with validationFailureAction
  59		// set to Audit.
  60		// Enabling this option will extend admission request processing
  61		// times. The default value is "false".
  62		"emitWarning"?: bool
  63
  64		// Deprecated, use failurePolicy under the webhookConfiguration
  65		// instead.
  66		"failurePolicy"?: "Ignore" | "Fail"
  67
  68		// Deprecated, use generateExisting under the generate rule
  69		// instead
  70		"generateExisting"?: bool
  71
  72		// Deprecated, use generateExisting instead
  73		"generateExistingOnPolicyUpdate"?: bool
  74
  75		// Deprecated, use mutateExistingOnPolicyUpdate under the mutate
  76		// rule instead
  77		"mutateExistingOnPolicyUpdate"?: bool
  78
  79		// Rules is a list of Rule instances. A Policy contains multiple
  80		// rules and
  81		// each rule can validate, mutate, or generate resources.
  82		"rules"?: [...{
  83			// CELPreconditions are used to determine if a policy rule should
  84			// be applied by evaluating a
  85			// set of CEL conditions. It can only be used with the
  86			// validate.cel subrule
  87			"celPreconditions"?: [...{
  88				// Expression represents the expression which will be evaluated by
  89				// CEL. Must evaluate to bool.
  90				// CEL expressions have access to the contents of the
  91				// AdmissionRequest and Authorizer, organized into CEL variables:
  92				//
  93				// 'object' - The object from the incoming request. The value is
  94				// null for DELETE requests.
  95				// 'oldObject' - The existing object. The value is null for CREATE
  96				// requests.
  97				// 'request' - Attributes of the admission
  98				// request(/pkg/apis/admission/types.go#AdmissionRequest).
  99				// 'authorizer' - A CEL Authorizer. May be used to perform
 100				// authorization checks for the principal (user or service
 101				// account) of the request.
 102				// See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
 103				// 'authorizer.requestResource' - A CEL ResourceCheck constructed
 104				// from the 'authorizer' and configured with the
 105				// request resource.
 106				// Documentation on CEL:
 107				// https://kubernetes.io/docs/reference/using-api/cel/
 108				//
 109				// Required.
 110				"expression"!: string
 111
 112				// Name is an identifier for this match condition, used for
 113				// strategic merging of MatchConditions,
 114				// as well as providing an identifier for logging purposes. A good
 115				// name should be descriptive of
 116				// the associated expression.
 117				// Name must be a qualified name consisting of alphanumeric
 118				// characters, '-', '_' or '.', and
 119				// must start and end with an alphanumeric character (e.g.
 120				// 'MyName', or 'my.name', or
 121				// '123-abc', regex used for validation is
 122				// '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
 123				// optional DNS subdomain prefix and '/' (e.g.
 124				// 'example.com/MyName')
 125				//
 126				// Required.
 127				"name"!: string
 128			}]
 129
 130			// Context defines variables and data sources that can be used
 131			// during rule execution.
 132			"context"?: [...matchN(1, [{
 133				"configMap"!: _
 134			}, {
 135				"apiCall"!: _
 136			}, {
 137				"imageRegistry"!: _
 138			}, {
 139				"variable"!: _
 140			}, {
 141				"globalReference"!: _
 142			}]) & {
 143				// APICall is an HTTP request to the Kubernetes API server, or
 144				// other JSON web service.
 145				// The data returned is stored in the context with the name for
 146				// the context entry.
 147				"apiCall"?: {
 148					// The data object specifies the POST data sent to the server.
 149					// Only applicable when the method field is set to POST.
 150					"data"?: [...{
 151						// Key is a unique identifier for the data value
 152						"key"!: string
 153
 154						// Value is the data value
 155						"value"!: null | bool | number | string | [...] | {
 156							...
 157						}
 158					}]
 159
 160					// Default is an optional arbitrary JSON object that the context
 161					// value is set to, if the apiCall returns error.
 162					"default"?: null | bool | number | string | [...] | {
 163						...
 164					}
 165
 166					// JMESPath is an optional JSON Match Expression that can be used
 167					// to
 168					// transform the JSON response returned from the server. For
 169					// example
 170					// a JMESPath of "items | length(@)" applied to the API server
 171					// response
 172					// for the URLPath "/apis/apps/v1/deployments" will return the
 173					// total count
 174					// of deployments across all namespaces.
 175					"jmesPath"?: string
 176
 177					// Method is the HTTP request type (GET or POST). Defaults to GET.
 178					"method"?: "GET" | "POST"
 179
 180					// Service is an API call to a JSON web service.
 181					// This is used for non-Kubernetes API server calls.
 182					// It's mutually exclusive with the URLPath field.
 183					"service"?: {
 184						// CABundle is a PEM encoded CA bundle which will be used to
 185						// validate
 186						// the server certificate.
 187						"caBundle"?: string
 188
 189						// Headers is a list of optional HTTP headers to be included in
 190						// the request.
 191						"headers"?: [...{
 192							// Key is the header key
 193							"key"!: string
 194
 195							// Value is the header value
 196							"value"!: string
 197						}]
 198
 199						// URL is the JSON web service URL. A typical form is
 200						// `https://{service}.{namespace}:{port}/{path}`.
 201						"url"!: string
 202					}
 203
 204					// URLPath is the URL path to be used in the HTTP GET or POST
 205					// request to the
 206					// Kubernetes API server (e.g. "/api/v1/namespaces" or
 207					// "/apis/apps/v1/deployments").
 208					// The format required is the same format used by the `kubectl get
 209					// --raw` command.
 210					// See
 211					// https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
 212					// for details.
 213					// It's mutually exclusive with the Service field.
 214					"urlPath"?: string
 215				}
 216
 217				// ConfigMap is the ConfigMap reference.
 218				"configMap"?: {
 219					// Name is the ConfigMap name.
 220					"name"!: string
 221
 222					// Namespace is the ConfigMap namespace.
 223					"namespace"?: string
 224				}
 225
 226				// GlobalContextEntryReference is a reference to a cached global
 227				// context entry.
 228				"globalReference"?: {
 229					// JMESPath is an optional JSON Match Expression that can be used
 230					// to
 231					// transform the JSON response returned from the server. For
 232					// example
 233					// a JMESPath of "items | length(@)" applied to the API server
 234					// response
 235					// for the URLPath "/apis/apps/v1/deployments" will return the
 236					// total count
 237					// of deployments across all namespaces.
 238					"jmesPath"?: string
 239
 240					// Name of the global context entry
 241					"name"!: string
 242				}
 243
 244				// ImageRegistry defines requests to an OCI/Docker V2 registry to
 245				// fetch image
 246				// details.
 247				"imageRegistry"?: {
 248					// ImageRegistryCredentials provides credentials that will be used
 249					// for authentication with registry
 250					"imageRegistryCredentials"?: {
 251						// AllowInsecureRegistry allows insecure access to a registry.
 252						"allowInsecureRegistry"?: bool
 253
 254						// Providers specifies a list of OCI Registry names, whose
 255						// authentication providers are provided.
 256						// It can be of one of these values:
 257						// default,google,azure,amazon,github.
 258						"providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
 259
 260						// Secrets specifies a list of secrets that are provided for
 261						// credentials.
 262						// Secrets must live in the Kyverno namespace.
 263						"secrets"?: [...string]
 264					}
 265
 266					// JMESPath is an optional JSON Match Expression that can be used
 267					// to
 268					// transform the ImageData struct returned as a result of
 269					// processing
 270					// the image reference.
 271					"jmesPath"?: string
 272
 273					// Reference is image reference to a container image in the
 274					// registry.
 275					// Example: ghcr.io/kyverno/kyverno:latest
 276					"reference"!: string
 277				}
 278
 279				// Name is the variable name.
 280				"name"!: string
 281
 282				// Variable defines an arbitrary JMESPath context variable that
 283				// can be defined inline.
 284				"variable"?: {
 285					// Default is an optional arbitrary JSON object that the variable
 286					// may take if the JMESPath
 287					// expression evaluates to nil
 288					"default"?: null | bool | number | string | [...] | {
 289						...
 290					}
 291
 292					// JMESPath is an optional JMESPath Expression that can be used to
 293					// transform the variable.
 294					"jmesPath"?: string
 295
 296					// Value is any arbitrary JSON object representable in YAML or
 297					// JSON form.
 298					"value"?: null | bool | number | string | [...] | {
 299						...
 300					}
 301				}
 302			}]
 303
 304			// ExcludeResources defines when this policy rule should not be
 305			// applied. The exclude
 306			// criteria can include resource information (e.g. kind, name,
 307			// namespace, labels)
 308			// and admission review request information like the name or role.
 309			"exclude"?: matchN(0, [null | bool | number | string | [...] | {
 310				"any"!: _
 311				"all"!: _
 312			}]) & {
 313				// All allows specifying resources which will be ANDed
 314				"all"?: [...{
 315					// ClusterRoles is the list of cluster-wide role names for the
 316					// user.
 317					"clusterRoles"?: [...string]
 318
 319					// ResourceDescription contains information about the resource
 320					// being created or modified.
 321					"resources"?: matchN(0, [null | bool | number | string | [...] | {
 322						"name"!:  _
 323						"names"!: _
 324					}]) & {
 325						// Annotations is a map of annotations (key-value pairs of type
 326						// string). Annotation keys
 327						// and values support the wildcard characters "*" (matches zero or
 328						// many characters) and
 329						// "?" (matches at least one character).
 330						"annotations"?: [string]: string
 331
 332						// Kinds is a list of resource kinds.
 333						"kinds"?: [...string]
 334
 335						// Name is the name of the resource. The name supports wildcard
 336						// characters
 337						// "*" (matches zero or many characters) and "?" (at least one
 338						// character).
 339						// NOTE: "Name" is being deprecated in favor of "Names".
 340						"name"?: string
 341
 342						// Names are the names of the resources. Each name supports
 343						// wildcard characters
 344						// "*" (matches zero or many characters) and "?" (at least one
 345						// character).
 346						"names"?: [...string]
 347
 348						// NamespaceSelector is a label selector for the resource
 349						// namespace. Label keys and values
 350						// in `matchLabels` support the wildcard characters `*` (matches
 351						// zero or many characters)
 352						// and `?` (matches one character).Wildcards allows writing label
 353						// selectors like
 354						// ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
 355						// any key and value but
 356						// does not match an empty label set.
 357						"namespaceSelector"?: {
 358							// matchExpressions is a list of label selector requirements. The
 359							// requirements are ANDed.
 360							"matchExpressions"?: [...{
 361								// key is the label key that the selector applies to.
 362								"key"!: string
 363
 364								// operator represents a key's relationship to a set of values.
 365								// Valid operators are In, NotIn, Exists and DoesNotExist.
 366								"operator"!: string
 367
 368								// values is an array of string values. If the operator is In or
 369								// NotIn,
 370								// the values array must be non-empty. If the operator is Exists
 371								// or DoesNotExist,
 372								// the values array must be empty. This array is replaced during a
 373								// strategic
 374								// merge patch.
 375								"values"?: [...string]
 376							}]
 377
 378							// matchLabels is a map of {key,value} pairs. A single {key,value}
 379							// in the matchLabels
 380							// map is equivalent to an element of matchExpressions, whose key
 381							// field is "key", the
 382							// operator is "In", and the values array contains only "value".
 383							// The requirements are ANDed.
 384							"matchLabels"?: {
 385								[string]: string
 386							}
 387						}
 388
 389						// Namespaces is a list of namespaces names. Each name supports
 390						// wildcard characters
 391						// "*" (matches zero or many characters) and "?" (at least one
 392						// character).
 393						"namespaces"?: [...string]
 394
 395						// Operations can contain values ["CREATE, "UPDATE", "CONNECT",
 396						// "DELETE"], which are used to match a specific action.
 397						"operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
 398
 399						// Selector is a label selector. Label keys and values in
 400						// `matchLabels` support the wildcard
 401						// characters `*` (matches zero or many characters) and `?`
 402						// (matches one character).
 403						// Wildcards allows writing label selectors like
 404						// ["storage.k8s.io/*": "*"]. Note that
 405						// using ["*" : "*"] matches any key and value but does not match
 406						// an empty label set.
 407						"selector"?: {
 408							// matchExpressions is a list of label selector requirements. The
 409							// requirements are ANDed.
 410							"matchExpressions"?: [...{
 411								// key is the label key that the selector applies to.
 412								"key"!: string
 413
 414								// operator represents a key's relationship to a set of values.
 415								// Valid operators are In, NotIn, Exists and DoesNotExist.
 416								"operator"!: string
 417
 418								// values is an array of string values. If the operator is In or
 419								// NotIn,
 420								// the values array must be non-empty. If the operator is Exists
 421								// or DoesNotExist,
 422								// the values array must be empty. This array is replaced during a
 423								// strategic
 424								// merge patch.
 425								"values"?: [...string]
 426							}]
 427
 428							// matchLabels is a map of {key,value} pairs. A single {key,value}
 429							// in the matchLabels
 430							// map is equivalent to an element of matchExpressions, whose key
 431							// field is "key", the
 432							// operator is "In", and the values array contains only "value".
 433							// The requirements are ANDed.
 434							"matchLabels"?: {
 435								[string]: string
 436							}
 437						}
 438					}
 439
 440					// Roles is the list of namespaced role names for the user.
 441					"roles"?: [...string]
 442
 443					// Subjects is the list of subject names like users, user groups,
 444					// and service accounts.
 445					"subjects"?: [...{
 446						// APIGroup holds the API group of the referenced subject.
 447						// Defaults to "" for ServiceAccount subjects.
 448						// Defaults to "rbac.authorization.k8s.io" for User and Group
 449						// subjects.
 450						"apiGroup"?: string
 451
 452						// Kind of object being referenced. Values defined by this API
 453						// group are "User", "Group", and "ServiceAccount".
 454						// If the Authorizer does not recognized the kind value, the
 455						// Authorizer should report an error.
 456						"kind"!: string
 457
 458						// Name of the object being referenced.
 459						"name"!: string
 460
 461						// Namespace of the referenced object. If the object kind is
 462						// non-namespace, such as "User" or "Group", and this value is
 463						// not empty
 464						// the Authorizer should report an error.
 465						"namespace"?: string
 466					}]
 467				}]
 468
 469				// Any allows specifying resources which will be ORed
 470				"any"?: [...{
 471					// ClusterRoles is the list of cluster-wide role names for the
 472					// user.
 473					"clusterRoles"?: [...string]
 474
 475					// ResourceDescription contains information about the resource
 476					// being created or modified.
 477					"resources"?: matchN(0, [null | bool | number | string | [...] | {
 478						"name"!:  _
 479						"names"!: _
 480					}]) & {
 481						// Annotations is a map of annotations (key-value pairs of type
 482						// string). Annotation keys
 483						// and values support the wildcard characters "*" (matches zero or
 484						// many characters) and
 485						// "?" (matches at least one character).
 486						"annotations"?: [string]: string
 487
 488						// Kinds is a list of resource kinds.
 489						"kinds"?: [...string]
 490
 491						// Name is the name of the resource. The name supports wildcard
 492						// characters
 493						// "*" (matches zero or many characters) and "?" (at least one
 494						// character).
 495						// NOTE: "Name" is being deprecated in favor of "Names".
 496						"name"?: string
 497
 498						// Names are the names of the resources. Each name supports
 499						// wildcard characters
 500						// "*" (matches zero or many characters) and "?" (at least one
 501						// character).
 502						"names"?: [...string]
 503
 504						// NamespaceSelector is a label selector for the resource
 505						// namespace. Label keys and values
 506						// in `matchLabels` support the wildcard characters `*` (matches
 507						// zero or many characters)
 508						// and `?` (matches one character).Wildcards allows writing label
 509						// selectors like
 510						// ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
 511						// any key and value but
 512						// does not match an empty label set.
 513						"namespaceSelector"?: {
 514							// matchExpressions is a list of label selector requirements. The
 515							// requirements are ANDed.
 516							"matchExpressions"?: [...{
 517								// key is the label key that the selector applies to.
 518								"key"!: string
 519
 520								// operator represents a key's relationship to a set of values.
 521								// Valid operators are In, NotIn, Exists and DoesNotExist.
 522								"operator"!: string
 523
 524								// values is an array of string values. If the operator is In or
 525								// NotIn,
 526								// the values array must be non-empty. If the operator is Exists
 527								// or DoesNotExist,
 528								// the values array must be empty. This array is replaced during a
 529								// strategic
 530								// merge patch.
 531								"values"?: [...string]
 532							}]
 533
 534							// matchLabels is a map of {key,value} pairs. A single {key,value}
 535							// in the matchLabels
 536							// map is equivalent to an element of matchExpressions, whose key
 537							// field is "key", the
 538							// operator is "In", and the values array contains only "value".
 539							// The requirements are ANDed.
 540							"matchLabels"?: {
 541								[string]: string
 542							}
 543						}
 544
 545						// Namespaces is a list of namespaces names. Each name supports
 546						// wildcard characters
 547						// "*" (matches zero or many characters) and "?" (at least one
 548						// character).
 549						"namespaces"?: [...string]
 550
 551						// Operations can contain values ["CREATE, "UPDATE", "CONNECT",
 552						// "DELETE"], which are used to match a specific action.
 553						"operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
 554
 555						// Selector is a label selector. Label keys and values in
 556						// `matchLabels` support the wildcard
 557						// characters `*` (matches zero or many characters) and `?`
 558						// (matches one character).
 559						// Wildcards allows writing label selectors like
 560						// ["storage.k8s.io/*": "*"]. Note that
 561						// using ["*" : "*"] matches any key and value but does not match
 562						// an empty label set.
 563						"selector"?: {
 564							// matchExpressions is a list of label selector requirements. The
 565							// requirements are ANDed.
 566							"matchExpressions"?: [...{
 567								// key is the label key that the selector applies to.
 568								"key"!: string
 569
 570								// operator represents a key's relationship to a set of values.
 571								// Valid operators are In, NotIn, Exists and DoesNotExist.
 572								"operator"!: string
 573
 574								// values is an array of string values. If the operator is In or
 575								// NotIn,
 576								// the values array must be non-empty. If the operator is Exists
 577								// or DoesNotExist,
 578								// the values array must be empty. This array is replaced during a
 579								// strategic
 580								// merge patch.
 581								"values"?: [...string]
 582							}]
 583
 584							// matchLabels is a map of {key,value} pairs. A single {key,value}
 585							// in the matchLabels
 586							// map is equivalent to an element of matchExpressions, whose key
 587							// field is "key", the
 588							// operator is "In", and the values array contains only "value".
 589							// The requirements are ANDed.
 590							"matchLabels"?: {
 591								[string]: string
 592							}
 593						}
 594					}
 595
 596					// Roles is the list of namespaced role names for the user.
 597					"roles"?: [...string]
 598
 599					// Subjects is the list of subject names like users, user groups,
 600					// and service accounts.
 601					"subjects"?: [...{
 602						// APIGroup holds the API group of the referenced subject.
 603						// Defaults to "" for ServiceAccount subjects.
 604						// Defaults to "rbac.authorization.k8s.io" for User and Group
 605						// subjects.
 606						"apiGroup"?: string
 607
 608						// Kind of object being referenced. Values defined by this API
 609						// group are "User", "Group", and "ServiceAccount".
 610						// If the Authorizer does not recognized the kind value, the
 611						// Authorizer should report an error.
 612						"kind"!: string
 613
 614						// Name of the object being referenced.
 615						"name"!: string
 616
 617						// Namespace of the referenced object. If the object kind is
 618						// non-namespace, such as "User" or "Group", and this value is
 619						// not empty
 620						// the Authorizer should report an error.
 621						"namespace"?: string
 622					}]
 623				}]
 624
 625				// ClusterRoles is the list of cluster-wide role names for the
 626				// user.
 627				"clusterRoles"?: [...string]
 628
 629				// ResourceDescription contains information about the resource
 630				// being created or modified.
 631				// Requires at least one tag to be specified when under
 632				// MatchResources.
 633				// Specifying ResourceDescription directly under match is being
 634				// deprecated.
 635				// Please specify under "any" or "all" instead.
 636				"resources"?: matchN(0, [null | bool | number | string | [...] | {
 637					"name"!:  _
 638					"names"!: _
 639				}]) & {
 640					// Annotations is a map of annotations (key-value pairs of type
 641					// string). Annotation keys
 642					// and values support the wildcard characters "*" (matches zero or
 643					// many characters) and
 644					// "?" (matches at least one character).
 645					"annotations"?: [string]: string
 646
 647					// Kinds is a list of resource kinds.
 648					"kinds"?: [...string]
 649
 650					// Name is the name of the resource. The name supports wildcard
 651					// characters
 652					// "*" (matches zero or many characters) and "?" (at least one
 653					// character).
 654					// NOTE: "Name" is being deprecated in favor of "Names".
 655					"name"?: string
 656
 657					// Names are the names of the resources. Each name supports
 658					// wildcard characters
 659					// "*" (matches zero or many characters) and "?" (at least one
 660					// character).
 661					"names"?: [...string]
 662
 663					// NamespaceSelector is a label selector for the resource
 664					// namespace. Label keys and values
 665					// in `matchLabels` support the wildcard characters `*` (matches
 666					// zero or many characters)
 667					// and `?` (matches one character).Wildcards allows writing label
 668					// selectors like
 669					// ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
 670					// any key and value but
 671					// does not match an empty label set.
 672					"namespaceSelector"?: {
 673						// matchExpressions is a list of label selector requirements. The
 674						// requirements are ANDed.
 675						"matchExpressions"?: [...{
 676							// key is the label key that the selector applies to.
 677							"key"!: string
 678
 679							// operator represents a key's relationship to a set of values.
 680							// Valid operators are In, NotIn, Exists and DoesNotExist.
 681							"operator"!: string
 682
 683							// values is an array of string values. If the operator is In or
 684							// NotIn,
 685							// the values array must be non-empty. If the operator is Exists
 686							// or DoesNotExist,
 687							// the values array must be empty. This array is replaced during a
 688							// strategic
 689							// merge patch.
 690							"values"?: [...string]
 691						}]
 692
 693						// matchLabels is a map of {key,value} pairs. A single {key,value}
 694						// in the matchLabels
 695						// map is equivalent to an element of matchExpressions, whose key
 696						// field is "key", the
 697						// operator is "In", and the values array contains only "value".
 698						// The requirements are ANDed.
 699						"matchLabels"?: {
 700							[string]: string
 701						}
 702					}
 703
 704					// Namespaces is a list of namespaces names. Each name supports
 705					// wildcard characters
 706					// "*" (matches zero or many characters) and "?" (at least one
 707					// character).
 708					"namespaces"?: [...string]
 709
 710					// Operations can contain values ["CREATE, "UPDATE", "CONNECT",
 711					// "DELETE"], which are used to match a specific action.
 712					"operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
 713
 714					// Selector is a label selector. Label keys and values in
 715					// `matchLabels` support the wildcard
 716					// characters `*` (matches zero or many characters) and `?`
 717					// (matches one character).
 718					// Wildcards allows writing label selectors like
 719					// ["storage.k8s.io/*": "*"]. Note that
 720					// using ["*" : "*"] matches any key and value but does not match
 721					// an empty label set.
 722					"selector"?: {
 723						// matchExpressions is a list of label selector requirements. The
 724						// requirements are ANDed.
 725						"matchExpressions"?: [...{
 726							// key is the label key that the selector applies to.
 727							"key"!: string
 728
 729							// operator represents a key's relationship to a set of values.
 730							// Valid operators are In, NotIn, Exists and DoesNotExist.
 731							"operator"!: string
 732
 733							// values is an array of string values. If the operator is In or
 734							// NotIn,
 735							// the values array must be non-empty. If the operator is Exists
 736							// or DoesNotExist,
 737							// the values array must be empty. This array is replaced during a
 738							// strategic
 739							// merge patch.
 740							"values"?: [...string]
 741						}]
 742
 743						// matchLabels is a map of {key,value} pairs. A single {key,value}
 744						// in the matchLabels
 745						// map is equivalent to an element of matchExpressions, whose key
 746						// field is "key", the
 747						// operator is "In", and the values array contains only "value".
 748						// The requirements are ANDed.
 749						"matchLabels"?: {
 750							[string]: string
 751						}
 752					}
 753				}
 754
 755				// Roles is the list of namespaced role names for the user.
 756				"roles"?: [...string]
 757
 758				// Subjects is the list of subject names like users, user groups,
 759				// and service accounts.
 760				"subjects"?: [...{
 761					// APIGroup holds the API group of the referenced subject.
 762					// Defaults to "" for ServiceAccount subjects.
 763					// Defaults to "rbac.authorization.k8s.io" for User and Group
 764					// subjects.
 765					"apiGroup"?: string
 766
 767					// Kind of object being referenced. Values defined by this API
 768					// group are "User", "Group", and "ServiceAccount".
 769					// If the Authorizer does not recognized the kind value, the
 770					// Authorizer should report an error.
 771					"kind"!: string
 772
 773					// Name of the object being referenced.
 774					"name"!: string
 775
 776					// Namespace of the referenced object. If the object kind is
 777					// non-namespace, such as "User" or "Group", and this value is
 778					// not empty
 779					// the Authorizer should report an error.
 780					"namespace"?: string
 781				}]
 782			}
 783
 784			// Generation is used to create new resources.
 785			"generate"?: {
 786				// APIVersion specifies resource apiVersion.
 787				"apiVersion"?: string
 788
 789				// Clone specifies the source resource used to populate each
 790				// generated resource.
 791				// At most one of Data or Clone can be specified. If neither are
 792				// provided, the generated
 793				// resource will be created with default data only.
 794				"clone"?: {
 795					// Name specifies name of the resource.
 796					"name"?: string
 797
 798					// Namespace specifies source resource namespace.
 799					"namespace"?: string
 800				}
 801
 802				// CloneList specifies the list of source resource used to
 803				// populate each generated resource.
 804				"cloneList"?: {
 805					// Kinds is a list of resource kinds.
 806					"kinds"?: [...string]
 807
 808					// Namespace specifies source resource namespace.
 809					"namespace"?: string
 810
 811					// Selector is a label selector. Label keys and values in
 812					// `matchLabels`.
 813					// wildcard characters are not supported.
 814					"selector"?: {
 815						// matchExpressions is a list of label selector requirements. The
 816						// requirements are ANDed.
 817						"matchExpressions"?: [...{
 818							// key is the label key that the selector applies to.
 819							"key"!: string
 820
 821							// operator represents a key's relationship to a set of values.
 822							// Valid operators are In, NotIn, Exists and DoesNotExist.
 823							"operator"!: string
 824
 825							// values is an array of string values. If the operator is In or
 826							// NotIn,
 827							// the values array must be non-empty. If the operator is Exists
 828							// or DoesNotExist,
 829							// the values array must be empty. This array is replaced during a
 830							// strategic
 831							// merge patch.
 832							"values"?: [...string]
 833						}]
 834
 835						// matchLabels is a map of {key,value} pairs. A single {key,value}
 836						// in the matchLabels
 837						// map is equivalent to an element of matchExpressions, whose key
 838						// field is "key", the
 839						// operator is "In", and the values array contains only "value".
 840						// The requirements are ANDed.
 841						"matchLabels"?: {
 842							[string]: string
 843						}
 844					}
 845				}
 846
 847				// Data provides the resource declaration used to populate each
 848				// generated resource.
 849				// At most one of Data or Clone must be specified. If neither are
 850				// provided, the generated
 851				// resource will be created with default data only.
 852				"data"?: null | bool | number | string | [...] | {
 853					...
 854				}
 855
 856				// ForEach applies generate rules to a list of sub-elements by
 857				// creating a context for each entry in the list and looping over
 858				// it to apply the specified logic.
 859				"foreach"?: [...{
 860					// APIVersion specifies resource apiVersion.
 861					"apiVersion"?: string
 862
 863					// Clone specifies the source resource used to populate each
 864					// generated resource.
 865					// At most one of Data or Clone can be specified. If neither are
 866					// provided, the generated
 867					// resource will be created with default data only.
 868					"clone"?: {
 869						// Name specifies name of the resource.
 870						"name"?: string
 871
 872						// Namespace specifies source resource namespace.
 873						"namespace"?: string
 874					}
 875
 876					// CloneList specifies the list of source resource used to
 877					// populate each generated resource.
 878					"cloneList"?: {
 879						// Kinds is a list of resource kinds.
 880						"kinds"?: [...string]
 881
 882						// Namespace specifies source resource namespace.
 883						"namespace"?: string
 884
 885						// Selector is a label selector. Label keys and values in
 886						// `matchLabels`.
 887						// wildcard characters are not supported.
 888						"selector"?: {
 889							// matchExpressions is a list of label selector requirements. The
 890							// requirements are ANDed.
 891							"matchExpressions"?: [...{
 892								// key is the label key that the selector applies to.
 893								"key"!: string
 894
 895								// operator represents a key's relationship to a set of values.
 896								// Valid operators are In, NotIn, Exists and DoesNotExist.
 897								"operator"!: string
 898
 899								// values is an array of string values. If the operator is In or
 900								// NotIn,
 901								// the values array must be non-empty. If the operator is Exists
 902								// or DoesNotExist,
 903								// the values array must be empty. This array is replaced during a
 904								// strategic
 905								// merge patch.
 906								"values"?: [...string]
 907							}]
 908
 909							// matchLabels is a map of {key,value} pairs. A single {key,value}
 910							// in the matchLabels
 911							// map is equivalent to an element of matchExpressions, whose key
 912							// field is "key", the
 913							// operator is "In", and the values array contains only "value".
 914							// The requirements are ANDed.
 915							"matchLabels"?: {
 916								[string]: string
 917							}
 918						}
 919					}
 920
 921					// Context defines variables and data sources that can be used
 922					// during rule execution.
 923					"context"?: [...matchN(1, [{
 924						"configMap"!: _
 925					}, {
 926						"apiCall"!: _
 927					}, {
 928						"imageRegistry"!: _
 929					}, {
 930						"variable"!: _
 931					}, {
 932						"globalReference"!: _
 933					}]) & {
 934						// APICall is an HTTP request to the Kubernetes API server, or
 935						// other JSON web service.
 936						// The data returned is stored in the context with the name for
 937						// the context entry.
 938						"apiCall"?: {
 939							// The data object specifies the POST data sent to the server.
 940							// Only applicable when the method field is set to POST.
 941							"data"?: [...{
 942								// Key is a unique identifier for the data value
 943								"key"!: string
 944
 945								// Value is the data value
 946								"value"!: null | bool | number | string | [...] | {
 947									...
 948								}
 949							}]
 950
 951							// Default is an optional arbitrary JSON object that the context
 952							// value is set to, if the apiCall returns error.
 953							"default"?: null | bool | number | string | [...] | {
 954								...
 955							}
 956
 957							// JMESPath is an optional JSON Match Expression that can be used
 958							// to
 959							// transform the JSON response returned from the server. For
 960							// example
 961							// a JMESPath of "items | length(@)" applied to the API server
 962							// response
 963							// for the URLPath "/apis/apps/v1/deployments" will return the
 964							// total count
 965							// of deployments across all namespaces.
 966							"jmesPath"?: string
 967
 968							// Method is the HTTP request type (GET or POST). Defaults to GET.
 969							"method"?: "GET" | "POST"
 970
 971							// Service is an API call to a JSON web service.
 972							// This is used for non-Kubernetes API server calls.
 973							// It's mutually exclusive with the URLPath field.
 974							"service"?: {
 975								// CABundle is a PEM encoded CA bundle which will be used to
 976								// validate
 977								// the server certificate.
 978								"caBundle"?: string
 979
 980								// Headers is a list of optional HTTP headers to be included in
 981								// the request.
 982								"headers"?: [...{
 983									// Key is the header key
 984									"key"!: string
 985
 986									// Value is the header value
 987									"value"!: string
 988								}]
 989
 990								// URL is the JSON web service URL. A typical form is
 991								// `https://{service}.{namespace}:{port}/{path}`.
 992								"url"!: string
 993							}
 994
 995							// URLPath is the URL path to be used in the HTTP GET or POST
 996							// request to the
 997							// Kubernetes API server (e.g. "/api/v1/namespaces" or
 998							// "/apis/apps/v1/deployments").
 999							// The format required is the same format used by the `kubectl get
1000							// --raw` command.
1001							// See
1002							// https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
1003							// for details.
1004							// It's mutually exclusive with the Service field.
1005							"urlPath"?: string
1006						}
1007
1008						// ConfigMap is the ConfigMap reference.
1009						"configMap"?: {
1010							// Name is the ConfigMap name.
1011							"name"!: string
1012
1013							// Namespace is the ConfigMap namespace.
1014							"namespace"?: string
1015						}
1016
1017						// GlobalContextEntryReference is a reference to a cached global
1018						// context entry.
1019						"globalReference"?: {
1020							// JMESPath is an optional JSON Match Expression that can be used
1021							// to
1022							// transform the JSON response returned from the server. For
1023							// example
1024							// a JMESPath of "items | length(@)" applied to the API server
1025							// response
1026							// for the URLPath "/apis/apps/v1/deployments" will return the
1027							// total count
1028							// of deployments across all namespaces.
1029							"jmesPath"?: string
1030
1031							// Name of the global context entry
1032							"name"!: string
1033						}
1034
1035						// ImageRegistry defines requests to an OCI/Docker V2 registry to
1036						// fetch image
1037						// details.
1038						"imageRegistry"?: {
1039							// ImageRegistryCredentials provides credentials that will be used
1040							// for authentication with registry
1041							"imageRegistryCredentials"?: {
1042								// AllowInsecureRegistry allows insecure access to a registry.
1043								"allowInsecureRegistry"?: bool
1044
1045								// Providers specifies a list of OCI Registry names, whose
1046								// authentication providers are provided.
1047								// It can be of one of these values:
1048								// default,google,azure,amazon,github.
1049								"providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
1050
1051								// Secrets specifies a list of secrets that are provided for
1052								// credentials.
1053								// Secrets must live in the Kyverno namespace.
1054								"secrets"?: [...string]
1055							}
1056
1057							// JMESPath is an optional JSON Match Expression that can be used
1058							// to
1059							// transform the ImageData struct returned as a result of
1060							// processing
1061							// the image reference.
1062							"jmesPath"?: string
1063
1064							// Reference is image reference to a container image in the
1065							// registry.
1066							// Example: ghcr.io/kyverno/kyverno:latest
1067							"reference"!: string
1068						}
1069
1070						// Name is the variable name.
1071						"name"!: string
1072
1073						// Variable defines an arbitrary JMESPath context variable that
1074						// can be defined inline.
1075						"variable"?: {
1076							// Default is an optional arbitrary JSON object that the variable
1077							// may take if the JMESPath
1078							// expression evaluates to nil
1079							"default"?: null | bool | number | string | [...] | {
1080								...
1081							}
1082
1083							// JMESPath is an optional JMESPath Expression that can be used to
1084							// transform the variable.
1085							"jmesPath"?: string
1086
1087							// Value is any arbitrary JSON object representable in YAML or
1088							// JSON form.
1089							"value"?: null | bool | number | string | [...] | {
1090								...
1091							}
1092						}
1093					}]
1094
1095					// Data provides the resource declaration used to populate each
1096					// generated resource.
1097					// At most one of Data or Clone must be specified. If neither are
1098					// provided, the generated
1099					// resource will be created with default data only.
1100					"data"?: null | bool | number | string | [...] | {
1101						...
1102					}
1103
1104					// Kind specifies resource kind.
1105					"kind"?: string
1106
1107					// List specifies a JMESPath expression that results in one or
1108					// more elements
1109					// to which the validation logic is applied.
1110					"list"?: string
1111
1112					// Name specifies the resource name.
1113					"name"?: string
1114
1115					// Namespace specifies resource namespace.
1116					"namespace"?: string
1117
1118					// AnyAllConditions are used to determine if a policy rule should
1119					// be applied by evaluating a
1120					// set of conditions. The declaration can contain nested `any` or
1121					// `all` statements.
1122					// See: https://kyverno.io/docs/writing-policies/preconditions/
1123					"preconditions"?: {
1124						// AllConditions enable variable-based conditional rule execution.
1125						// This is useful for
1126						// finer control of when an rule is applied. A condition can
1127						// reference object data
1128						// using JMESPath notation.
1129						// Here, all of the conditions need to pass
1130						"all"?: [...{
1131							// Key is the context entry (using JMESPath) for conditional rule
1132							// evaluation.
1133							"key"?: null | bool | number | string | [...] | {
1134								...
1135							}
1136
1137							// Message is an optional display message
1138							"message"?: string
1139
1140							// Operator is the conditional operation to perform. Valid
1141							// operators are:
1142							// Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
1143							// GreaterThanOrEquals,
1144							// GreaterThan, LessThanOrEquals, LessThan,
1145							// DurationGreaterThanOrEquals, DurationGreaterThan,
1146							// DurationLessThanOrEquals, DurationLessThan
1147							"operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
1148
1149							// Value is the conditional value, or set of values. The values
1150							// can be fixed set
1151							// or can be variables declared using JMESPath.
1152							"value"?: null | bool | number | string | [...] | {
1153								...
1154							}
1155						}]
1156
1157						// AnyConditions enable variable-based conditional rule execution.
1158						// This is useful for
1159						// finer control of when an rule is applied. A condition can
1160						// reference object data
1161						// using JMESPath notation.
1162						// Here, at least one of the conditions need to pass
1163						"any"?: [...{
1164							// Key is the context entry (using JMESPath) for conditional rule
1165							// evaluation.
1166							"key"?: null | bool | number | string | [...] | {
1167								...
1168							}
1169
1170							// Message is an optional display message
1171							"message"?: string
1172
1173							// Operator is the conditional operation to perform. Valid
1174							// operators are:
1175							// Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
1176							// GreaterThanOrEquals,
1177							// GreaterThan, LessThanOrEquals, LessThan,
1178							// DurationGreaterThanOrEquals, DurationGreaterThan,
1179							// DurationLessThanOrEquals, DurationLessThan
1180							"operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
1181
1182							// Value is the conditional value, or set of values. The values
1183							// can be fixed set
1184							// or can be variables declared using JMESPath.
1185							"value"?: null | bool | number | string | [...] | {
1186								...
1187							}
1188						}]
1189						...
1190					}
1191
1192					// UID specifies the resource uid.
1193					"uid"?: string
1194				}]
1195
1196				// GenerateExisting controls whether to trigger the rule in
1197				// existing resources
1198				// If is set to "true" the rule will be triggered and applied to
1199				// existing matched resources.
1200				"generateExisting"?: bool
1201
1202				// Kind specifies resource kind.
1203				"kind"?: string
1204
1205				// Name specifies the resource name.
1206				"name"?: string
1207
1208				// Namespace specifies resource namespace.
1209				"namespace"?: string
1210
1211				// OrphanDownstreamOnPolicyDelete controls whether generated
1212				// resources should be deleted when the rule that generated
1213				// them is deleted with synchronization enabled. This option is
1214				// only applicable to generate rules of the data type.
1215				// See
1216				// https://kyverno.io/docs/writing-policies/generate/#data-examples.
1217				// Defaults to "false" if not specified.
1218				"orphanDownstreamOnPolicyDelete"?: bool
1219
1220				// Synchronize controls if generated resources should be kept
1221				// in-sync with their source resource.
1222				// If Synchronize is set to "true" changes to generated resources
1223				// will be overwritten with resource
1224				// data from Data or the resource specified in the Clone
1225				// declaration.
1226				// Optional. Defaults to "false" if not specified.
1227				"synchronize"?: bool
1228
1229				// UID specifies the resource uid.
1230				"uid"?: string
1231			}
1232
1233			// ImageExtractors defines a mapping from kinds to
1234			// ImageExtractorConfigs.
1235			// This config is only valid for verifyImages rules.
1236			"imageExtractors"?: {
1237				[string]: [...{
1238					// JMESPath is an optional JMESPath expression to apply to the
1239					// image value.
1240					// This is useful when the extracted image begins with a prefix
1241					// like 'docker://'.
1242					// The 'trim_prefix' function may be used to trim the prefix:
1243					// trim_prefix(@, 'docker://').
1244					// Note - Image digest mutation may not be used when applying a
1245					// JMESPAth to an image.
1246					"jmesPath"?: string
1247
1248					// Key is an optional name of the field within 'path' that will be
1249					// used to uniquely identify an image.
1250					// Note - this field MUST be unique.
1251					"key"?: string
1252
1253					// Name is the entry the image will be available under
1254					// 'images.<name>' in the context.
1255					// If this field is not defined, image entries will appear under
1256					// 'images.custom'.
1257					"name"?: string
1258
1259					// Path is the path to the object containing the image field in a
1260					// custom resource.
1261					// It should be slash-separated. Each slash-separated key must be
1262					// a valid YAML key or a wildcard '*'.
1263					// Wildcard keys are expanded in case of arrays or objects.
1264					"path"!: string
1265
1266					// Value is an optional name of the field within 'path' that
1267					// points to the image URI.
1268					// This is useful when a custom 'key' is also defined.
1269					"value"?: string
1270				}]
1271			}
1272
1273			// MatchResources defines when this policy rule should be applied.
1274			// The match
1275			// criteria can include resource information (e.g. kind, name,
1276			// namespace, labels)
1277			// and admission review request information like the user name or
1278			// role.
1279			// At least one kind is required.
1280			"match"!: matchN(0, [null | bool | number | string | [...] | {
1281				"any"!: _
1282				"all"!: _
1283			}]) & {
1284				// All allows specifying resources which will be ANDed
1285				"all"?: [...{
1286					// ClusterRoles is the list of cluster-wide role names for the
1287					// user.
1288					"clusterRoles"?: [...string]
1289
1290					// ResourceDescription contains information about the resource
1291					// being created or modified.
1292					"resources"?: matchN(0, [null | bool | number | string | [...] | {
1293						"name"!:  _
1294						"names"!: _
1295					}]) & {
1296						// Annotations is a map of annotations (key-value pairs of type
1297						// string). Annotation keys
1298						// and values support the wildcard characters "*" (matches zero or
1299						// many characters) and
1300						// "?" (matches at least one character).
1301						"annotations"?: [string]: string
1302
1303						// Kinds is a list of resource kinds.
1304						"kinds"?: [...string]
1305
1306						// Name is the name of the resource. The name supports wildcard
1307						// characters
1308						// "*" (matches zero or many characters) and "?" (at least one
1309						// character).
1310						// NOTE: "Name" is being deprecated in favor of "Names".
1311						"name"?: string
1312
1313						// Names are the names of the resources. Each name supports
1314						// wildcard characters
1315						// "*" (matches zero or many characters) and "?" (at least one
1316						// character).
1317						"names"?: [...string]
1318
1319						// NamespaceSelector is a label selector for the resource
1320						// namespace. Label keys and values
1321						// in `matchLabels` support the wildcard characters `*` (matches
1322						// zero or many characters)
1323						// and `?` (matches one character).Wildcards allows writing label
1324						// selectors like
1325						// ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
1326						// any key and value but
1327						// does not match an empty label set.
1328						"namespaceSelector"?: {
1329							// matchExpressions is a list of label selector requirements. The
1330							// requirements are ANDed.
1331							"matchExpressions"?: [...{
1332								// key is the label key that the selector applies to.
1333								"key"!: string
1334
1335								// operator represents a key's relationship to a set of values.
1336								// Valid operators are In, NotIn, Exists and DoesNotExist.
1337								"operator"!: string
1338
1339								// values is an array of string values. If the operator is In or
1340								// NotIn,
1341								// the values array must be non-empty. If the operator is Exists
1342								// or DoesNotExist,
1343								// the values array must be empty. This array is replaced during a
1344								// strategic
1345								// merge patch.
1346								"values"?: [...string]
1347							}]
1348
1349							// matchLabels is a map of {key,value} pairs. A single {key,value}
1350							// in the matchLabels
1351							// map is equivalent to an element of matchExpressions, whose key
1352							// field is "key", the
1353							// operator is "In", and the values array contains only "value".
1354							// The requirements are ANDed.
1355							"matchLabels"?: {
1356								[string]: string
1357							}
1358						}
1359
1360						// Namespaces is a list of namespaces names. Each name supports
1361						// wildcard characters
1362						// "*" (matches zero or many characters) and "?" (at least one
1363						// character).
1364						"namespaces"?: [...string]
1365
1366						// Operations can contain values ["CREATE, "UPDATE", "CONNECT",
1367						// "DELETE"], which are used to match a specific action.
1368						"operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
1369
1370						// Selector is a label selector. Label keys and values in
1371						// `matchLabels` support the wildcard
1372						// characters `*` (matches zero or many characters) and `?`
1373						// (matches one character).
1374						// Wildcards allows writing label selectors like
1375						// ["storage.k8s.io/*": "*"]. Note that
1376						// using ["*" : "*"] matches any key and value but does not match
1377						// an empty label set.
1378						"selector"?: {
1379							// matchExpressions is a list of label selector requirements. The
1380							// requirements are ANDed.
1381							"matchExpressions"?: [...{
1382								// key is the label key that the selector applies to.
1383								"key"!: string
1384
1385								// operator represents a key's relationship to a set of values.
1386								// Valid operators are In, NotIn, Exists and DoesNotExist.
1387								"operator"!: string
1388
1389								// values is an array of string values. If the operator is In or
1390								// NotIn,
1391								// the values array must be non-empty. If the operator is Exists
1392								// or DoesNotExist,
1393								// the values array must be empty. This array is replaced during a
1394								// strategic
1395								// merge patch.
1396								"values"?: [...string]
1397							}]
1398
1399							// matchLabels is a map of {key,value} pairs. A single {key,value}
1400							// in the matchLabels
1401							// map is equivalent to an element of matchExpressions, whose key
1402							// field is "key", the
1403							// operator is "In", and the values array contains only "value".
1404							// The requirements are ANDed.
1405							"matchLabels"?: {
1406								[string]: string
1407							}
1408						}
1409					}
1410
1411					// Roles is the list of namespaced role names for the user.
1412					"roles"?: [...string]
1413
1414					// Subjects is the list of subject names like users, user groups,
1415					// and service accounts.
1416					"subjects"?: [...{
1417						// APIGroup holds the API group of the referenced subject.
1418						// Defaults to "" for ServiceAccount subjects.
1419						// Defaults to "rbac.authorization.k8s.io" for User and Group
1420						// subjects.
1421						"apiGroup"?: string
1422
1423						// Kind of object being referenced. Values defined by this API
1424						// group are "User", "Group", and "ServiceAccount".
1425						// If the Authorizer does not recognized the kind value, the
1426						// Authorizer should report an error.
1427						"kind"!: string
1428
1429						// Name of the object being referenced.
1430						"name"!: string
1431
1432						// Namespace of the referenced object. If the object kind is
1433						// non-namespace, such as "User" or "Group", and this value is
1434						// not empty
1435						// the Authorizer should report an error.
1436						"namespace"?: string
1437					}]
1438				}]
1439
1440				// Any allows specifying resources which will be ORed
1441				"any"?: [...{
1442					// ClusterRoles is the list of cluster-wide role names for the
1443					// user.
1444					"clusterRoles"?: [...string]
1445
1446					// ResourceDescription contains information about the resource
1447					// being created or modified.
1448					"resources"?: matchN(0, [null | bool | number | string | [...] | {
1449						"name"!:  _
1450						"names"!: _
1451					}]) & {
1452						// Annotations is a map of annotations (key-value pairs of type
1453						// string). Annotation keys
1454						// and values support the wildcard characters "*" (matches zero or
1455						// many characters) and
1456						// "?" (matches at least one character).
1457						"annotations"?: [string]: string
1458
1459						// Kinds is a list of resource kinds.
1460						"kinds"?: [...string]
1461
1462						// Name is the name of the resource. The name supports wildcard
1463						// characters
1464						// "*" (matches zero or many characters) and "?" (at least one
1465						// character).
1466						// NOTE: "Name" is being deprecated in favor of "Names".
1467						"name"?: string
1468
1469						// Names are the names of the resources. Each name supports
1470						// wildcard characters
1471						// "*" (matches zero or many characters) and "?" (at least one
1472						// character).
1473						"names"?: [...string]
1474
1475						// NamespaceSelector is a label selector for the resource
1476						// namespace. Label keys and values
1477						// in `matchLabels` support the wildcard characters `*` (matches
1478						// zero or many characters)
1479						// and `?` (matches one character).Wildcards allows writing label
1480						// selectors like
1481						// ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
1482						// any key and value but
1483						// does not match an empty label set.
1484						"namespaceSelector"?: {
1485							// matchExpressions is a list of label selector requirements. The
1486							// requirements are ANDed.
1487							"matchExpressions"?: [...{
1488								// key is the label key that the selector applies to.
1489								"key"!: string
1490
1491								// operator represents a key's relationship to a set of values.
1492								// Valid operators are In, NotIn, Exists and DoesNotExist.
1493								"operator"!: string
1494
1495								// values is an array of string values. If the operator is In or
1496								// NotIn,
1497								// the values array must be non-empty. If the operator is Exists
1498								// or DoesNotExist,
1499								// the values array must be empty. This array is replaced during a
1500								// strategic
1501								// merge patch.
1502								"values"?: [...string]
1503							}]
1504
1505							// matchLabels is a map of {key,value} pairs. A single {key,value}
1506							// in the matchLabels
1507							// map is equivalent to an element of matchExpressions, whose key
1508							// field is "key", the
1509							// operator is "In", and the values array contains only "value".
1510							// The requirements are ANDed.
1511							"matchLabels"?: {
1512								[string]: string
1513							}
1514						}
1515
1516						// Namespaces is a list of namespaces names. Each name supports
1517						// wildcard characters
1518						// "*" (matches zero or many characters) and "?" (at least one
1519						// character).
1520						"namespaces"?: [...string]
1521
1522						// Operations can contain values ["CREATE, "UPDATE", "CONNECT",
1523						// "DELETE"], which are used to match a specific action.
1524						"operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
1525
1526						// Selector is a label selector. Label keys and values in
1527						// `matchLabels` support the wildcard
1528						// characters `*` (matches zero or many characters) and `?`
1529						// (matches one character).
1530						// Wildcards allows writing label selectors like
1531						// ["storage.k8s.io/*": "*"]. Note that
1532						// using ["*" : "*"] matches any key and value but does not match
1533						// an empty label set.
1534						"selector"?: {
1535							// matchExpressions is a list of label selector requirements. The
1536							// requirements are ANDed.
1537							"matchExpressions"?: [...{
1538								// key is the label key that the selector applies to.
1539								"key"!: string
1540
1541								// operator represents a key's relationship to a set of values.
1542								// Valid operators are In, NotIn, Exists and DoesNotExist.
1543								"operator"!: string
1544
1545								// values is an array of string values. If the operator is In or
1546								// NotIn,
1547								// the values array must be non-empty. If the operator is Exists
1548								// or DoesNotExist,
1549								// the values array must be empty. This array is replaced during a
1550								// strategic
1551								// merge patch.
1552								"values"?: [...string]
1553							}]
1554
1555							// matchLabels is a map of {key,value} pairs. A single {key,value}
1556							// in the matchLabels
1557							// map is equivalent to an element of matchExpressions, whose key
1558							// field is "key", the
1559							// operator is "In", and the values array contains only "value".
1560							// The requirements are ANDed.
1561							"matchLabels"?: {
1562								[string]: string
1563							}
1564						}
1565					}
1566
1567					// Roles is the list of namespaced role names for the user.
1568					"roles"?: [...string]
1569
1570					// Subjects is the list of subject names like users, user groups,
1571					// and service accounts.
1572					"subjects"?: [...{
1573						// APIGroup holds the API group of the referenced subject.
1574						// Defaults to "" for ServiceAccount subjects.
1575						// Defaults to "rbac.authorization.k8s.io" for User and Group
1576						// subjects.
1577						"apiGroup"?: string
1578
1579						// Kind of object being referenced. Values defined by this API
1580						// group are "User", "Group", and "ServiceAccount".
1581						// If the Authorizer does not recognized the kind value, the
1582						// Authorizer should report an error.
1583						"kind"!: string
1584
1585						// Name of the object being referenced.
1586						"name"!: string
1587
1588						// Namespace of the referenced object. If the object kind is
1589						// non-namespace, such as "User" or "Group", and this value is
1590						// not empty
1591						// the Authorizer should report an error.
1592						"namespace"?: string
1593					}]
1594				}]
1595
1596				// ClusterRoles is the list of cluster-wide role names for the
1597				// user.
1598				"clusterRoles"?: [...string]
1599
1600				// ResourceDescription contains information about the resource
1601				// being created or modified.
1602				// Requires at least one tag to be specified when under
1603				// MatchResources.
1604				// Specifying ResourceDescription directly under match is being
1605				// deprecated.
1606				// Please specify under "any" or "all" instead.
1607				"resources"?: matchN(0, [null | bool | number | string | [...] | {
1608					"name"!:  _
1609					"names"!: _
1610				}]) & {
1611					// Annotations is a map of annotations (key-value pairs of type
1612					// string). Annotation keys
1613					// and values support the wildcard characters "*" (matches zero or
1614					// many characters) and
1615					// "?" (matches at least one character).
1616					"annotations"?: [string]: string
1617
1618					// Kinds is a list of resource kinds.
1619					"kinds"?: [...string]
1620
1621					// Name is the name of the resource. The name supports wildcard
1622					// characters
1623					// "*" (matches zero or many characters) and "?" (at least one
1624					// character).
1625					// NOTE: "Name" is being deprecated in favor of "Names".
1626					"name"?: string
1627
1628					// Names are the names of the resources. Each name supports
1629					// wildcard characters
1630					// "*" (matches zero or many characters) and "?" (at least one
1631					// character).
1632					"names"?: [...string]
1633
1634					// NamespaceSelector is a label selector for the resource
1635					// namespace. Label keys and values
1636					// in `matchLabels` support the wildcard characters `*` (matches
1637					// zero or many characters)
1638					// and `?` (matches one character).Wildcards allows writing label
1639					// selectors like
1640					// ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
1641					// any key and value but
1642					// does not match an empty label set.
1643					"namespaceSelector"?: {
1644						// matchExpressions is a list of label selector requirements. The
1645						// requirements are ANDed.
1646						"matchExpressions"?: [...{
1647							// key is the label key that the selector applies to.
1648							"key"!: string
1649
1650							// operator represents a key's relationship to a set of values.
1651							// Valid operators are In, NotIn, Exists and DoesNotExist.
1652							"operator"!: string
1653
1654							// values is an array of string values. If the operator is In or
1655							// NotIn,
1656							// the values array must be non-empty. If the operator is Exists
1657							// or DoesNotExist,
1658							// the values array must be empty. This array is replaced during a
1659							// strategic
1660							// merge patch.
1661							"values"?: [...string]
1662						}]
1663
1664						// matchLabels is a map of {key,value} pairs. A single {key,value}
1665						// in the matchLabels
1666						// map is equivalent to an element of matchExpressions, whose key
1667						// field is "key", the
1668						// operator is "In", and the values array contains only "value".
1669						// The requirements are ANDed.
1670						"matchLabels"?: {
1671							[string]: string
1672						}
1673					}
1674
1675					// Namespaces is a list of namespaces names. Each name supports
1676					// wildcard characters
1677					// "*" (matches zero or many characters) and "?" (at least one
1678					// character).
1679					"namespaces"?: [...string]
1680
1681					// Operations can contain values ["CREATE, "UPDATE", "CONNECT",
1682					// "DELETE"], which are used to match a specific action.
1683					"operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
1684
1685					// Selector is a label selector. Label keys and values in
1686					// `matchLabels` support the wildcard
1687					// characters `*` (matches zero or many characters) and `?`
1688					// (matches one character).
1689					// Wildcards allows writing label selectors like
1690					// ["storage.k8s.io/*": "*"]. Note that
1691					// using ["*" : "*"] matches any key and value but does not match
1692					// an empty label set.
1693					"selector"?: {
1694						// matchExpressions is a list of label selector requirements. The
1695						// requirements are ANDed.
1696						"matchExpressions"?: [...{
1697							// key is the label key that the selector applies to.
1698							"key"!: string
1699
1700							// operator represents a key's relationship to a set of values.
1701							// Valid operators are In, NotIn, Exists and DoesNotExist.
1702							"operator"!: string
1703
1704							// values is an array of string values. If the operator is In or
1705							// NotIn,
1706							// the values array must be non-empty. If the operator is Exists
1707							// or DoesNotExist,
1708							// the values array must be empty. This array is replaced during a
1709							// strategic
1710							// merge patch.
1711							"values"?: [...string]
1712						}]
1713
1714						// matchLabels is a map of {key,value} pairs. A single {key,value}
1715						// in the matchLabels
1716						// map is equivalent to an element of matchExpressions, whose key
1717						// field is "key", the
1718						// operator is "In", and the values array contains only "value".
1719						// The requirements are ANDed.
1720						"matchLabels"?: {
1721							[string]: string
1722						}
1723					}
1724				}
1725
1726				// Roles is the list of namespaced role names for the user.
1727				"roles"?: [...string]
1728
1729				// Subjects is the list of subject names like users, user groups,
1730				// and service accounts.
1731				"subjects"?: [...{
1732					// APIGroup holds the API group of the referenced subject.
1733					// Defaults to "" for ServiceAccount subjects.
1734					// Defaults to "rbac.authorization.k8s.io" for User and Group
1735					// subjects.
1736					"apiGroup"?: string
1737
1738					// Kind of object being referenced. Values defined by this API
1739					// group are "User", "Group", and "ServiceAccount".
1740					// If the Authorizer does not recognized the kind value, the
1741					// Authorizer should report an error.
1742					"kind"!: string
1743
1744					// Name of the object being referenced.
1745					"name"!: string
1746
1747					// Namespace of the referenced object. If the object kind is
1748					// non-namespace, such as "User" or "Group", and this value is
1749					// not empty
1750					// the Authorizer should report an error.
1751					"namespace"?: string
1752				}]
1753			}
1754
1755			// Mutation is used to modify matching resources.
1756			"mutate"?: {
1757				// ForEach applies mutation rules to a list of sub-elements by
1758				// creating a context for each entry in the list and looping over
1759				// it to apply the specified logic.
1760				"foreach"?: [...{
1761					// Context defines variables and data sources that can be used
1762					// during rule execution.
1763					"context"?: [...matchN(1, [{
1764						"configMap"!: _
1765					}, {
1766						"apiCall"!: _
1767					}, {
1768						"imageRegistry"!: _
1769					}, {
1770						"variable"!: _
1771					}, {
1772						"globalReference"!: _
1773					}]) & {
1774						// APICall is an HTTP request to the Kubernetes API server, or
1775						// other JSON web service.
1776						// The data returned is stored in the context with the name for
1777						// the context entry.
1778						"apiCall"?: {
1779							// The data object specifies the POST data sent to the server.
1780							// Only applicable when the method field is set to POST.
1781							"data"?: [...{
1782								// Key is a unique identifier for the data value
1783								"key"!: string
1784
1785								// Value is the data value
1786								"value"!: null | bool | number | string | [...] | {
1787									...
1788								}
1789							}]
1790
1791							// Default is an optional arbitrary JSON object that the context
1792							// value is set to, if the apiCall returns error.
1793							"default"?: null | bool | number | string | [...] | {
1794								...
1795							}
1796
1797							// JMESPath is an optional JSON Match Expression that can be used
1798							// to
1799							// transform the JSON response returned from the server. For
1800							// example
1801							// a JMESPath of "items | length(@)" applied to the API server
1802							// response
1803							// for the URLPath "/apis/apps/v1/deployments" will return the
1804							// total count
1805							// of deployments across all namespaces.
1806							"jmesPath"?: string
1807
1808							// Method is the HTTP request type (GET or POST). Defaults to GET.
1809							"method"?: "GET" | "POST"
1810
1811							// Service is an API call to a JSON web service.
1812							// This is used for non-Kubernetes API server calls.
1813							// It's mutually exclusive with the URLPath field.
1814							"service"?: {
1815								// CABundle is a PEM encoded CA bundle which will be used to
1816								// validate
1817								// the server certificate.
1818								"caBundle"?: string
1819
1820								// Headers is a list of optional HTTP headers to be included in
1821								// the request.
1822								"headers"?: [...{
1823									// Key is the header key
1824									"key"!: string
1825
1826									// Value is the header value
1827									"value"!: string
1828								}]
1829
1830								// URL is the JSON web service URL. A typical form is
1831								// `https://{service}.{namespace}:{port}/{path}`.
1832								"url"!: string
1833							}
1834
1835							// URLPath is the URL path to be used in the HTTP GET or POST
1836							// request to the
1837							// Kubernetes API server (e.g. "/api/v1/namespaces" or
1838							// "/apis/apps/v1/deployments").
1839							// The format required is the same format used by the `kubectl get
1840							// --raw` command.
1841							// See
1842							// https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
1843							// for details.
1844							// It's mutually exclusive with the Service field.
1845							"urlPath"?: string
1846						}
1847
1848						// ConfigMap is the ConfigMap reference.
1849						"configMap"?: {
1850							// Name is the ConfigMap name.
1851							"name"!: string
1852
1853							// Namespace is the ConfigMap namespace.
1854							"namespace"?: string
1855						}
1856
1857						// GlobalContextEntryReference is a reference to a cached global
1858						// context entry.
1859						"globalReference"?: {
1860							// JMESPath is an optional JSON Match Expression that can be used
1861							// to
1862							// transform the JSON response returned from the server. For
1863							// example
1864							// a JMESPath of "items | length(@)" applied to the API server
1865							// response
1866							// for the URLPath "/apis/apps/v1/deployments" will return the
1867							// total count
1868							// of deployments across all namespaces.
1869							"jmesPath"?: string
1870
1871							// Name of the global context entry
1872							"name"!: string
1873						}
1874
1875						// ImageRegistry defines requests to an OCI/Docker V2 registry to
1876						// fetch image
1877						// details.
1878						"imageRegistry"?: {
1879							// ImageRegistryCredentials provides credentials that will be used
1880							// for authentication with registry
1881							"imageRegistryCredentials"?: {
1882								// AllowInsecureRegistry allows insecure access to a registry.
1883								"allowInsecureRegistry"?: bool
1884
1885								// Providers specifies a list of OCI Registry names, whose
1886								// authentication providers are provided.
1887								// It can be of one of these values:
1888								// default,google,azure,amazon,github.
1889								"providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
1890
1891								// Secrets specifies a list of secrets that are provided for
1892								// credentials.
1893								// Secrets must live in the Kyverno namespace.
1894								"secrets"?: [...string]
1895							}
1896
1897							// JMESPath is an optional JSON Match Expression that can be used
1898							// to
1899							// transform the ImageData struct returned as a result of
1900							// processing
1901							// the image reference.
1902							"jmesPath"?: string
1903
1904							// Reference is image reference to a container image in the
1905							// registry.
1906							// Example: ghcr.io/kyverno/kyverno:latest
1907							"reference"!: string
1908						}
1909
1910						// Name is the variable name.
1911						"name"!: string
1912
1913						// Variable defines an arbitrary JMESPath context variable that
1914						// can be defined inline.
1915						"variable"?: {
1916							// Default is an optional arbitrary JSON object that the variable
1917							// may take if the JMESPath
1918							// expression evaluates to nil
1919							"default"?: null | bool | number | string | [...] | {
1920								...
1921							}
1922
1923							// JMESPath is an optional JMESPath Expression that can be used to
1924							// transform the variable.
1925							"jmesPath"?: string
1926
1927							// Value is any arbitrary JSON object representable in YAML or
1928							// JSON form.
1929							"value"?: null | bool | number | string | [...] | {
1930								...
1931							}
1932						}
1933					}]
1934
1935					// Foreach declares a nested foreach iterator
1936					"foreach"?: null | bool | number | string | [...] | {
1937						...
1938					}
1939
1940					// List specifies a JMESPath expression that results in one or
1941					// more elements
1942					// to which the validation logic is applied.
1943					"list"?: string
1944
1945					// Order defines the iteration order on the list.
1946					// Can be Ascending to iterate from first to last element or
1947					// Descending to iterate in from last to first element.
1948					"order"?: "Ascending" | "Descending"
1949
1950					// PatchStrategicMerge is a strategic merge patch used to modify
1951					// resources.
1952					// See
1953					// https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
1954					// and
1955					// https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
1956					"patchStrategicMerge"?: null | bool | number | string | [...] | {
1957						...
1958					}
1959
1960					// PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations
1961					// used to modify resources.
1962					// See https://tools.ietf.org/html/rfc6902 and
1963					// https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
1964					"patchesJson6902"?: string
1965
1966					// AnyAllConditions are used to determine if a policy rule should
1967					// be applied by evaluating a
1968					// set of conditions. The declaration can contain nested `any` or
1969					// `all` statements.
1970					// See: https://kyverno.io/docs/writing-policies/preconditions/
1971					"preconditions"?: {
1972						// AllConditions enable variable-based conditional rule execution.
1973						// This is useful for
1974						// finer control of when an rule is applied. A condition can
1975						// reference object data
1976						// using JMESPath notation.
1977						// Here, all of the conditions need to pass
1978						"all"?: [...{
1979							// Key is the context entry (using JMESPath) for conditional rule
1980							// evaluation.
1981							"key"?: null | bool | number | string | [...] | {
1982								...
1983							}
1984
1985							// Message is an optional display message
1986							"message"?: string
1987
1988							// Operator is the conditional operation to perform. Valid
1989							// operators are:
1990							// Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
1991							// GreaterThanOrEquals,
1992							// GreaterThan, LessThanOrEquals, LessThan,
1993							// DurationGreaterThanOrEquals, DurationGreaterThan,
1994							// DurationLessThanOrEquals, DurationLessThan
1995							"operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
1996
1997							// Value is the conditional value, or set of values. The values
1998							// can be fixed set
1999							// or can be variables declared using JMESPath.
2000							"value"?: null | bool | number | string | [...] | {
2001								...
2002							}
2003						}]
2004
2005						// AnyConditions enable variable-based conditional rule execution.
2006						// This is useful for
2007						// finer control of when an rule is applied. A condition can
2008						// reference object data
2009						// using JMESPath notation.
2010						// Here, at least one of the conditions need to pass
2011						"any"?: [...{
2012							// Key is the context entry (using JMESPath) for conditional rule
2013							// evaluation.
2014							"key"?: null | bool | number | string | [...] | {
2015								...
2016							}
2017
2018							// Message is an optional display message
2019							"message"?: string
2020
2021							// Operator is the conditional operation to perform. Valid
2022							// operators are:
2023							// Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
2024							// GreaterThanOrEquals,
2025							// GreaterThan, LessThanOrEquals, LessThan,
2026							// DurationGreaterThanOrEquals, DurationGreaterThan,
2027							// DurationLessThanOrEquals, DurationLessThan
2028							"operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
2029
2030							// Value is the conditional value, or set of values. The values
2031							// can be fixed set
2032							// or can be variables declared using JMESPath.
2033							"value"?: null | bool | number | string | [...] | {
2034								...
2035							}
2036						}]
2037						...
2038					}
2039				}]
2040
2041				// MutateExistingOnPolicyUpdate controls if the mutateExisting
2042				// rule will be applied on policy events.
2043				"mutateExistingOnPolicyUpdate"?: bool
2044
2045				// PatchStrategicMerge is a strategic merge patch used to modify
2046				// resources.
2047				// See
2048				// https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
2049				// and
2050				// https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
2051				"patchStrategicMerge"?: null | bool | number | string | [...] | {
2052					...
2053				}
2054
2055				// PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations
2056				// used to modify resources.
2057				// See https://tools.ietf.org/html/rfc6902 and
2058				// https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
2059				"patchesJson6902"?: string
2060
2061				// Targets defines the target resources to be mutated.
2062				"targets"?: [...{
2063					// APIVersion specifies resource apiVersion.
2064					"apiVersion"?: string
2065
2066					// Context defines variables and data sources that can be used
2067					// during rule execution.
2068					"context"?: [...matchN(1, [{
2069						"configMap"!: _
2070					}, {
2071						"apiCall"!: _
2072					}, {
2073						"imageRegistry"!: _
2074					}, {
2075						"variable"!: _
2076					}, {
2077						"globalReference"!: _
2078					}]) & {
2079						// APICall is an HTTP request to the Kubernetes API server, or
2080						// other JSON web service.
2081						// The data returned is stored in the context with the name for
2082						// the context entry.
2083						"apiCall"?: {
2084							// The data object specifies the POST data sent to the server.
2085							// Only applicable when the method field is set to POST.
2086							"data"?: [...{
2087								// Key is a unique identifier for the data value
2088								"key"!: string
2089
2090								// Value is the data value
2091								"value"!: null | bool | number | string | [...] | {
2092									...
2093								}
2094							}]
2095
2096							// Default is an optional arbitrary JSON object that the context
2097							// value is set to, if the apiCall returns error.
2098							"default"?: null | bool | number | string | [...] | {
2099								...
2100							}
2101
2102							// JMESPath is an optional JSON Match Expression that can be used
2103							// to
2104							// transform the JSON response returned from the server. For
2105							// example
2106							// a JMESPath of "items | length(@)" applied to the API server
2107							// response
2108							// for the URLPath "/apis/apps/v1/deployments" will return the
2109							// total count
2110							// of deployments across all namespaces.
2111							"jmesPath"?: string
2112
2113							// Method is the HTTP request type (GET or POST). Defaults to GET.
2114							"method"?: "GET" | "POST"
2115
2116							// Service is an API call to a JSON web service.
2117							// This is used for non-Kubernetes API server calls.
2118							// It's mutually exclusive with the URLPath field.
2119							"service"?: {
2120								// CABundle is a PEM encoded CA bundle which will be used to
2121								// validate
2122								// the server certificate.
2123								"caBundle"?: string
2124
2125								// Headers is a list of optional HTTP headers to be included in
2126								// the request.
2127								"headers"?: [...{
2128									// Key is the header key
2129									"key"!: string
2130
2131									// Value is the header value
2132									"value"!: string
2133								}]
2134
2135								// URL is the JSON web service URL. A typical form is
2136								// `https://{service}.{namespace}:{port}/{path}`.
2137								"url"!: string
2138							}
2139
2140							// URLPath is the URL path to be used in the HTTP GET or POST
2141							// request to the
2142							// Kubernetes API server (e.g. "/api/v1/namespaces" or
2143							// "/apis/apps/v1/deployments").
2144							// The format required is the same format used by the `kubectl get
2145							// --raw` command.
2146							// See
2147							// https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
2148							// for details.
2149							// It's mutually exclusive with the Service field.
2150							"urlPath"?: string
2151						}
2152
2153						// ConfigMap is the ConfigMap reference.
2154						"configMap"?: {
2155							// Name is the ConfigMap name.
2156							"name"!: string
2157
2158							// Namespace is the ConfigMap namespace.
2159							"namespace"?: string
2160						}
2161
2162						// GlobalContextEntryReference is a reference to a cached global
2163						// context entry.
2164						"globalReference"?: {
2165							// JMESPath is an optional JSON Match Expression that can be used
2166							// to
2167							// transform the JSON response returned from the server. For
2168							// example
2169							// a JMESPath of "items | length(@)" applied to the API server
2170							// response
2171							// for the URLPath "/apis/apps/v1/deployments" will return the
2172							// total count
2173							// of deployments across all namespaces.
2174							"jmesPath"?: string
2175
2176							// Name of the global context entry
2177							"name"!: string
2178						}
2179
2180						// ImageRegistry defines requests to an OCI/Docker V2 registry to
2181						// fetch image
2182						// details.
2183						"imageRegistry"?: {
2184							// ImageRegistryCredentials provides credentials that will be used
2185							// for authentication with registry
2186							"imageRegistryCredentials"?: {
2187								// AllowInsecureRegistry allows insecure access to a registry.
2188								"allowInsecureRegistry"?: bool
2189
2190								// Providers specifies a list of OCI Registry names, whose
2191								// authentication providers are provided.
2192								// It can be of one of these values:
2193								// default,google,azure,amazon,github.
2194								"providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
2195
2196								// Secrets specifies a list of secrets that are provided for
2197								// credentials.
2198								// Secrets must live in the Kyverno namespace.
2199								"secrets"?: [...string]
2200							}
2201
2202							// JMESPath is an optional JSON Match Expression that can be used
2203							// to
2204							// transform the ImageData struct returned as a result of
2205							// processing
2206							// the image reference.
2207							"jmesPath"?: string
2208
2209							// Reference is image reference to a container image in the
2210							// registry.
2211							// Example: ghcr.io/kyverno/kyverno:latest
2212							"reference"!: string
2213						}
2214
2215						// Name is the variable name.
2216						"name"!: string
2217
2218						// Variable defines an arbitrary JMESPath context variable that
2219						// can be defined inline.
2220						"variable"?: {
2221							// Default is an optional arbitrary JSON object that the variable
2222							// may take if the JMESPath
2223							// expression evaluates to nil
2224							"default"?: null | bool | number | string | [...] | {
2225								...
2226							}
2227
2228							// JMESPath is an optional JMESPath Expression that can be used to
2229							// transform the variable.
2230							"jmesPath"?: string
2231
2232							// Value is any arbitrary JSON object representable in YAML or
2233							// JSON form.
2234							"value"?: null | bool | number | string | [...] | {
2235								...
2236							}
2237						}
2238					}]
2239
2240					// Kind specifies resource kind.
2241					"kind"?: string
2242
2243					// Name specifies the resource name.
2244					"name"?: string
2245
2246					// Namespace specifies resource namespace.
2247					"namespace"?: string
2248
2249					// Preconditions are used to determine if a policy rule should be
2250					// applied by evaluating a
2251					// set of conditions. The declaration can contain nested `any` or
2252					// `all` statements. A direct list
2253					// of conditions (without `any` or `all` statements is supported
2254					// for backwards compatibility but
2255					// will be deprecated in the next major release.
2256					// See: https://kyverno.io/docs/writing-policies/preconditions/
2257					"preconditions"?: null | bool | number | string | [...] | {
2258						...
2259					}
2260
2261					// Selector allows you to select target resources with their
2262					// labels.
2263					"selector"?: {
2264						// matchExpressions is a list of label selector requirements. The
2265						// requirements are ANDed.
2266						"matchExpressions"?: [...{
2267							// key is the label key that the selector applies to.
2268							"key"!: string
2269
2270							// operator represents a key's relationship to a set of values.
2271							// Valid operators are In, NotIn, Exists and DoesNotExist.
2272							"operator"!: string
2273
2274							// values is an array of string values. If the operator is In or
2275							// NotIn,
2276							// the values array must be non-empty. If the operator is Exists
2277							// or DoesNotExist,
2278							// the values array must be empty. This array is replaced during a
2279							// strategic
2280							// merge patch.
2281							"values"?: [...string]
2282						}]
2283
2284						// matchLabels is a map of {key,value} pairs. A single {key,value}
2285						// in the matchLabels
2286						// map is equivalent to an element of matchExpressions, whose key
2287						// field is "key", the
2288						// operator is "In", and the values array contains only "value".
2289						// The requirements are ANDed.
2290						"matchLabels"?: {
2291							[string]: string
2292						}
2293					}
2294
2295					// UID specifies the resource uid.
2296					"uid"?: string
2297				}]
2298			}
2299
2300			// Name is a label to identify the rule, It must be unique within
2301			// the policy.
2302			"name"!: strings.MaxRunes(
2303					63)
2304
2305			// Preconditions are used to determine if a policy rule should be
2306			// applied by evaluating a
2307			// set of conditions. The declaration can contain nested `any` or
2308			// `all` statements. A direct list
2309			// of conditions (without `any` or `all` statements is supported
2310			// for backwards compatibility but
2311			// will be deprecated in the next major release.
2312			// See: https://kyverno.io/docs/writing-policies/preconditions/
2313			"preconditions"?: null | bool | number | string | [...] | {
2314				...
2315			}
2316
2317			// ReportProperties are the additional properties from the rule
2318			// that will be added to the policy report result
2319			"reportProperties"?: {
2320				[string]: string
2321			}
2322
2323			// SkipBackgroundRequests bypasses admission requests that are
2324			// sent by the background controller.
2325			// The default value is set to "true", it must be set to "false"
2326			// to apply
2327			// generate and mutateExisting rules to those requests.
2328			"skipBackgroundRequests"?: bool
2329
2330			// Validation is used to validate matching resources.
2331			"validate"?: {
2332				// AllowExistingViolations allows prexisting violating resources
2333				// to continue violating a policy.
2334				"allowExistingViolations"?: bool
2335
2336				// AnyPattern specifies list of validation patterns. At least one
2337				// of the patterns
2338				// must be satisfied for the validation rule to succeed.
2339				"anyPattern"?: null | bool | number | string | [...] | {
2340					...
2341				}
2342
2343				// Assert defines a kyverno-json assertion tree.
2344				"assert"?: {
2345					...
2346				}
2347
2348				// CEL allows validation checks using the Common Expression
2349				// Language
2350				// (https://kubernetes.io/docs/reference/using-api/cel/).
2351				"cel"?: {
2352					// AuditAnnotations contains CEL expressions which are used to
2353					// produce audit annotations for the audit event of the API
2354					// request.
2355					"auditAnnotations"?: [...{
2356						// key specifies the audit annotation key. The audit annotation
2357						// keys of
2358						// a ValidatingAdmissionPolicy must be unique. The key must be a
2359						// qualified
2360						// name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in
2361						// length.
2362						//
2363						// The key is combined with the resource name of the
2364						// ValidatingAdmissionPolicy to construct an audit annotation key:
2365						// "{ValidatingAdmissionPolicy name}/{key}".
2366						//
2367						// If an admission webhook uses the same resource name as this
2368						// ValidatingAdmissionPolicy
2369						// and the same audit annotation key, the annotation key will be
2370						// identical.
2371						// In this case, the first annotation written with the key will be
2372						// included
2373						// in the audit event and all subsequent annotations with the same
2374						// key
2375						// will be discarded.
2376						//
2377						// Required.
2378						"key"!: string
2379
2380						// valueExpression represents the expression which is evaluated by
2381						// CEL to
2382						// produce an audit annotation value. The expression must evaluate
2383						// to either
2384						// a string or null value. If the expression evaluates to a
2385						// string, the
2386						// audit annotation is included with the string value. If the
2387						// expression
2388						// evaluates to null or empty string the audit annotation will be
2389						// omitted.
2390						// The valueExpression may be no longer than 5kb in length.
2391						// If the result of the valueExpression is more than 10kb in
2392						// length, it
2393						// will be truncated to 10kb.
2394						//
2395						// If multiple ValidatingAdmissionPolicyBinding resources match an
2396						// API request, then the valueExpression will be evaluated for
2397						// each binding. All unique values produced by the
2398						// valueExpressions
2399						// will be joined together in a comma-separated list.
2400						//
2401						// Required.
2402						"valueExpression"!: string
2403					}]
2404
2405					// Expressions is a list of CELExpression types.
2406					"expressions"?: [...{
2407						// Expression represents the expression which will be evaluated by
2408						// CEL.
2409						// ref: https://github.com/google/cel-spec
2410						// CEL expressions have access to the contents of the API
2411						// request/response, organized into CEL variables as well as some
2412						// other useful variables:
2413						//
2414						// - 'object' - The object from the incoming request. The value is
2415						// null for DELETE requests.
2416						// - 'oldObject' - The existing object. The value is null for
2417						// CREATE requests.
2418						// - 'request' - Attributes of the API
2419						// request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
2420						// - 'params' - Parameter resource referred to by the policy
2421						// binding being evaluated. Only populated if the policy has a
2422						// ParamKind.
2423						// - 'namespaceObject' - The namespace object that the incoming
2424						// object belongs to. The value is null for cluster-scoped
2425						// resources.
2426						// - 'variables' - Map of composited variables, from its name to
2427						// its lazily evaluated value.
2428						// For example, a variable named 'foo' can be accessed as
2429						// 'variables.foo'.
2430						// - 'authorizer' - A CEL Authorizer. May be used to perform
2431						// authorization checks for the principal (user or service
2432						// account) of the request.
2433						// See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
2434						// - 'authorizer.requestResource' - A CEL ResourceCheck
2435						// constructed from the 'authorizer' and configured with the
2436						// request resource.
2437						//
2438						// The `apiVersion`, `kind`, `metadata.name` and
2439						// `metadata.generateName` are always accessible from the root of
2440						// the
2441						// object. No other metadata properties are accessible.
2442						//
2443						// Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
2444						// are accessible.
2445						// Accessible property names are escaped according to the
2446						// following rules when accessed in the expression:
2447						// - '__' escapes to '__underscores__'
2448						// - '.' escapes to '__dot__'
2449						// - '-' escapes to '__dash__'
2450						// - '/' escapes to '__slash__'
2451						// - Property names that exactly match a CEL RESERVED keyword
2452						// escape to '__{keyword}__'. The keywords are:
2453						// "true", "false", "null", "in", "as", "break", "const",
2454						// "continue", "else", "for", "function", "if",
2455						// "import", "let", "loop", "package", "namespace", "return".
2456						// Examples:
2457						// - Expression accessing a property named "namespace":
2458						// {"Expression": "object.__namespace__ > 0"}
2459						// - Expression accessing a property named "x-prop":
2460						// {"Expression": "object.x__dash__prop > 0"}
2461						// - Expression accessing a property named "redact__d":
2462						// {"Expression": "object.redact__underscores__d > 0"}
2463						//
2464						// Equality on arrays with list type of 'set' or 'map' ignores
2465						// element order, i.e. [1, 2] == [2, 1].
2466						// Concatenation on arrays with x-kubernetes-list-type use the
2467						// semantics of the list type:
2468						// - 'set': `X + Y` performs a union where the array positions of
2469						// all elements in `X` are preserved and
2470						// non-intersecting elements in `Y` are appended, retaining their
2471						// partial order.
2472						// - 'map': `X + Y` performs a merge where the array positions of
2473						// all keys in `X` are preserved but the values
2474						// are overwritten by values in `Y` when the key sets of `X` and
2475						// `Y` intersect. Elements in `Y` with
2476						// non-intersecting keys are appended, retaining their partial
2477						// order.
2478						// Required.
2479						"expression"!: string
2480
2481						// Message represents the message displayed when validation fails.
2482						// The message is required if the Expression contains
2483						// line breaks. The message must not contain line breaks.
2484						// If unset, the message is "failed rule: {Rule}".
2485						// e.g. "must be a URL with the host matching spec.host"
2486						// If the Expression contains line breaks. Message is required.
2487						// The message must not contain line breaks.
2488						// If unset, the message is "failed Expression: {Expression}".
2489						"message"?: string
2490
2491						// messageExpression declares a CEL expression that evaluates to
2492						// the validation failure message that is returned when this rule
2493						// fails.
2494						// Since messageExpression is used as a failure message, it must
2495						// evaluate to a string.
2496						// If both message and messageExpression are present on a
2497						// validation, then messageExpression will be used if validation
2498						// fails.
2499						// If messageExpression results in a runtime error, the runtime
2500						// error is logged, and the validation failure message is
2501						// produced
2502						// as if the messageExpression field were unset. If
2503						// messageExpression evaluates to an empty string, a string with
2504						// only spaces, or a string
2505						// that contains line breaks, then the validation failure message
2506						// will also be produced as if the messageExpression field were
2507						// unset, and
2508						// the fact that messageExpression produced an empty string/string
2509						// with only spaces/string with line breaks will be logged.
2510						// messageExpression has access to all the same variables as the
2511						// `expression` except for 'authorizer' and
2512						// 'authorizer.requestResource'.
2513						// Example:
2514						// "object.x must be less than max ("+string(params.max)+")"
2515						"messageExpression"?: string
2516
2517						// Reason represents a machine-readable description of why this
2518						// validation failed.
2519						// If this is the first validation in the list to fail, this
2520						// reason, as well as the
2521						// corresponding HTTP response code, are used in the
2522						// HTTP response to the client.
2523						// The currently supported reasons are: "Unauthorized",
2524						// "Forbidden", "Invalid", "RequestEntityTooLarge".
2525						// If not set, StatusReasonInvalid is used in the response to the
2526						// client.
2527						"reason"?: string
2528					}]
2529
2530					// ParamKind is a tuple of Group Kind and Version.
2531					"paramKind"?: {
2532						// APIVersion is the API group version the resources belong to.
2533						// In format of "group/version".
2534						// Required.
2535						"apiVersion"?: string
2536
2537						// Kind is the API kind the resources belong to.
2538						// Required.
2539						"kind"?: string
2540					}
2541
2542					// ParamRef references a parameter resource.
2543					"paramRef"?: {
2544						// name is the name of the resource being referenced.
2545						//
2546						// One of `name` or `selector` must be set, but `name` and
2547						// `selector` are
2548						// mutually exclusive properties. If one is set, the other must be
2549						// unset.
2550						//
2551						// A single parameter used for all admission requests can be
2552						// configured
2553						// by setting the `name` field, leaving `selector` blank, and
2554						// setting namespace
2555						// if `paramKind` is namespace-scoped.
2556						"name"?: string
2557
2558						// namespace is the namespace of the referenced resource. Allows
2559						// limiting
2560						// the search for params to a specific namespace. Applies to both
2561						// `name` and
2562						// `selector` fields.
2563						//
2564						// A per-namespace parameter may be used by specifying a
2565						// namespace-scoped
2566						// `paramKind` in the policy and leaving this field empty.
2567						//
2568						// - If `paramKind` is cluster-scoped, this field MUST be unset.
2569						// Setting this
2570						// field results in a configuration error.
2571						//
2572						// - If `paramKind` is namespace-scoped, the namespace of the
2573						// object being
2574						// evaluated for admission will be used when this field is left
2575						// unset. Take
2576						// care that if this is left empty the binding must not match any
2577						// cluster-scoped
2578						// resources, which will result in an error.
2579						"namespace"?: string
2580
2581						// `parameterNotFoundAction` controls the behavior of the binding
2582						// when the resource
2583						// exists, and name or selector is valid, but there are no
2584						// parameters
2585						// matched by the binding. If the value is set to `Allow`, then no
2586						// matched parameters will be treated as successful validation by
2587						// the binding.
2588						// If set to `Deny`, then no matched parameters will be subject to
2589						// the
2590						// `failurePolicy` of the policy.
2591						//
2592						// Allowed values are `Allow` or `Deny`
2593						//
2594						// Required
2595						"parameterNotFoundAction"?: string
2596
2597						// selector can be used to match multiple param objects based on
2598						// their labels.
2599						// Supply selector: {} to match all resources of the ParamKind.
2600						//
2601						// If multiple params are found, they are all evaluated with the
2602						// policy expressions
2603						// and the results are ANDed together.
2604						//
2605						// One of `name` or `selector` must be set, but `name` and
2606						// `selector` are
2607						// mutually exclusive properties. If one is set, the other must be
2608						// unset.
2609						"selector"?: {
2610							// matchExpressions is a list of label selector requirements. The
2611							// requirements are ANDed.
2612							"matchExpressions"?: [...{
2613								// key is the label key that the selector applies to.
2614								"key"!: string
2615
2616								// operator represents a key's relationship to a set of values.
2617								// Valid operators are In, NotIn, Exists and DoesNotExist.
2618								"operator"!: string
2619
2620								// values is an array of string values. If the operator is In or
2621								// NotIn,
2622								// the values array must be non-empty. If the operator is Exists
2623								// or DoesNotExist,
2624								// the values array must be empty. This array is replaced during a
2625								// strategic
2626								// merge patch.
2627								"values"?: [...string]
2628							}]
2629
2630							// matchLabels is a map of {key,value} pairs. A single {key,value}
2631							// in the matchLabels
2632							// map is equivalent to an element of matchExpressions, whose key
2633							// field is "key", the
2634							// operator is "In", and the values array contains only "value".
2635							// The requirements are ANDed.
2636							"matchLabels"?: {
2637								[string]: string
2638							}
2639						}
2640					}
2641
2642					// Variables contain definitions of variables that can be used in
2643					// composition of other expressions.
2644					// Each variable is defined as a named CEL expression.
2645					// The variables defined here will be available under `variables`
2646					// in other expressions of the policy.
2647					"variables"?: [...{
2648						// Expression is the expression that will be evaluated as the
2649						// value of the variable.
2650						// The CEL expression has access to the same identifiers as the
2651						// CEL expressions in Validation.
2652						"expression"!: string
2653
2654						// Name is the name of the variable. The name must be a valid CEL
2655						// identifier and unique among all variables.
2656						// The variable can be accessed in other expressions through
2657						// `variables`
2658						// For example, if name is "foo", the variable will be available
2659						// as `variables.foo`
2660						"name"!: string
2661					}]
2662				}
2663
2664				// Deny defines conditions used to pass or fail a validation rule.
2665				"deny"?: {
2666					// Multiple conditions can be declared under an `any` or `all`
2667					// statement. A direct list
2668					// of conditions (without `any` or `all` statements) is also
2669					// supported for backwards compatibility
2670					// but will be deprecated in the next major release.
2671					// See:
2672					// https://kyverno.io/docs/writing-policies/validate/#deny-rules
2673					"conditions"?: null | bool | number | string | [...] | {
2674						...
2675					}
2676				}
2677
2678				// FailureAction defines if a validation policy rule violation
2679				// should block
2680				// the admission review request (Enforce), or allow (Audit) the
2681				// admission review request
2682				// and report an error in a policy report. Optional.
2683				// Allowed values are Audit or Enforce.
2684				"failureAction"?: "Audit" | "Enforce"
2685
2686				// FailureActionOverrides is a Cluster Policy attribute that
2687				// specifies FailureAction
2688				// namespace-wise. It overrides FailureAction for the specified
2689				// namespaces.
2690				"failureActionOverrides"?: [...{
2691					// ValidationFailureAction defines the policy validation failure
2692					// action
2693					"action"?: "audit" | "enforce" | "Audit" | "Enforce"
2694
2695					// A label selector is a label query over a set of resources. The
2696					// result of matchLabels and
2697					// matchExpressions are ANDed. An empty label selector matches all
2698					// objects. A null
2699					// label selector matches no objects.
2700					"namespaceSelector"?: {
2701						// matchExpressions is a list of label selector requirements. The
2702						// requirements are ANDed.
2703						"matchExpressions"?: [...{
2704							// key is the label key that the selector applies to.
2705							"key"!: string
2706
2707							// operator represents a key's relationship to a set of values.
2708							// Valid operators are In, NotIn, Exists and DoesNotExist.
2709							"operator"!: string
2710
2711							// values is an array of string values. If the operator is In or
2712							// NotIn,
2713							// the values array must be non-empty. If the operator is Exists
2714							// or DoesNotExist,
2715							// the values array must be empty. This array is replaced during a
2716							// strategic
2717							// merge patch.
2718							"values"?: [...string]
2719						}]
2720
2721						// matchLabels is a map of {key,value} pairs. A single {key,value}
2722						// in the matchLabels
2723						// map is equivalent to an element of matchExpressions, whose key
2724						// field is "key", the
2725						// operator is "In", and the values array contains only "value".
2726						// The requirements are ANDed.
2727						"matchLabels"?: {
2728							[string]: string
2729						}
2730					}
2731					"namespaces"?: [...string]
2732				}]
2733
2734				// ForEach applies validate rules to a list of sub-elements by
2735				// creating a context for each entry in the list and looping over
2736				// it to apply the specified logic.
2737				"foreach"?: [...{
2738					// AnyPattern specifies list of validation patterns. At least one
2739					// of the patterns
2740					// must be satisfied for the validation rule to succeed.
2741					"anyPattern"?: null | bool | number | string | [...] | {
2742						...
2743					}
2744
2745					// Context defines variables and data sources that can be used
2746					// during rule execution.
2747					"context"?: [...matchN(1, [{
2748						"configMap"!: _
2749					}, {
2750						"apiCall"!: _
2751					}, {
2752						"imageRegistry"!: _
2753					}, {
2754						"variable"!: _
2755					}, {
2756						"globalReference"!: _
2757					}]) & {
2758						// APICall is an HTTP request to the Kubernetes API server, or
2759						// other JSON web service.
2760						// The data returned is stored in the context with the name for
2761						// the context entry.
2762						"apiCall"?: {
2763							// The data object specifies the POST data sent to the server.
2764							// Only applicable when the method field is set to POST.
2765							"data"?: [...{
2766								// Key is a unique identifier for the data value
2767								"key"!: string
2768
2769								// Value is the data value
2770								"value"!: null | bool | number | string | [...] | {
2771									...
2772								}
2773							}]
2774
2775							// Default is an optional arbitrary JSON object that the context
2776							// value is set to, if the apiCall returns error.
2777							"default"?: null | bool | number | string | [...] | {
2778								...
2779							}
2780
2781							// JMESPath is an optional JSON Match Expression that can be used
2782							// to
2783							// transform the JSON response returned from the server. For
2784							// example
2785							// a JMESPath of "items | length(@)" applied to the API server
2786							// response
2787							// for the URLPath "/apis/apps/v1/deployments" will return the
2788							// total count
2789							// of deployments across all namespaces.
2790							"jmesPath"?: string
2791
2792							// Method is the HTTP request type (GET or POST). Defaults to GET.
2793							"method"?: "GET" | "POST"
2794
2795							// Service is an API call to a JSON web service.
2796							// This is used for non-Kubernetes API server calls.
2797							// It's mutually exclusive with the URLPath field.
2798							"service"?: {
2799								// CABundle is a PEM encoded CA bundle which will be used to
2800								// validate
2801								// the server certificate.
2802								"caBundle"?: string
2803
2804								// Headers is a list of optional HTTP headers to be included in
2805								// the request.
2806								"headers"?: [...{
2807									// Key is the header key
2808									"key"!: string
2809
2810									// Value is the header value
2811									"value"!: string
2812								}]
2813
2814								// URL is the JSON web service URL. A typical form is
2815								// `https://{service}.{namespace}:{port}/{path}`.
2816								"url"!: string
2817							}
2818
2819							// URLPath is the URL path to be used in the HTTP GET or POST
2820							// request to the
2821							// Kubernetes API server (e.g. "/api/v1/namespaces" or
2822							// "/apis/apps/v1/deployments").
2823							// The format required is the same format used by the `kubectl get
2824							// --raw` command.
2825							// See
2826							// https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
2827							// for details.
2828							// It's mutually exclusive with the Service field.
2829							"urlPath"?: string
2830						}
2831
2832						// ConfigMap is the ConfigMap reference.
2833						"configMap"?: {
2834							// Name is the ConfigMap name.
2835							"name"!: string
2836
2837							// Namespace is the ConfigMap namespace.
2838							"namespace"?: string
2839						}
2840
2841						// GlobalContextEntryReference is a reference to a cached global
2842						// context entry.
2843						"globalReference"?: {
2844							// JMESPath is an optional JSON Match Expression that can be used
2845							// to
2846							// transform the JSON response returned from the server. For
2847							// example
2848							// a JMESPath of "items | length(@)" applied to the API server
2849							// response
2850							// for the URLPath "/apis/apps/v1/deployments" will return the
2851							// total count
2852							// of deployments across all namespaces.
2853							"jmesPath"?: string
2854
2855							// Name of the global context entry
2856							"name"!: string
2857						}
2858
2859						// ImageRegistry defines requests to an OCI/Docker V2 registry to
2860						// fetch image
2861						// details.
2862						"imageRegistry"?: {
2863							// ImageRegistryCredentials provides credentials that will be used
2864							// for authentication with registry
2865							"imageRegistryCredentials"?: {
2866								// AllowInsecureRegistry allows insecure access to a registry.
2867								"allowInsecureRegistry"?: bool
2868
2869								// Providers specifies a list of OCI Registry names, whose
2870								// authentication providers are provided.
2871								// It can be of one of these values:
2872								// default,google,azure,amazon,github.
2873								"providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
2874
2875								// Secrets specifies a list of secrets that are provided for
2876								// credentials.
2877								// Secrets must live in the Kyverno namespace.
2878								"secrets"?: [...string]
2879							}
2880
2881							// JMESPath is an optional JSON Match Expression that can be used
2882							// to
2883							// transform the ImageData struct returned as a result of
2884							// processing
2885							// the image reference.
2886							"jmesPath"?: string
2887
2888							// Reference is image reference to a container image in the
2889							// registry.
2890							// Example: ghcr.io/kyverno/kyverno:latest
2891							"reference"!: string
2892						}
2893
2894						// Name is the variable name.
2895						"name"!: string
2896
2897						// Variable defines an arbitrary JMESPath context variable that
2898						// can be defined inline.
2899						"variable"?: {
2900							// Default is an optional arbitrary JSON object that the variable
2901							// may take if the JMESPath
2902							// expression evaluates to nil
2903							"default"?: null | bool | number | string | [...] | {
2904								...
2905							}
2906
2907							// JMESPath is an optional JMESPath Expression that can be used to
2908							// transform the variable.
2909							"jmesPath"?: string
2910
2911							// Value is any arbitrary JSON object representable in YAML or
2912							// JSON form.
2913							"value"?: null | bool | number | string | [...] | {
2914								...
2915							}
2916						}
2917					}]
2918
2919					// Deny defines conditions used to pass or fail a validation rule.
2920					"deny"?: {
2921						// Multiple conditions can be declared under an `any` or `all`
2922						// statement. A direct list
2923						// of conditions (without `any` or `all` statements) is also
2924						// supported for backwards compatibility
2925						// but will be deprecated in the next major release.
2926						// See:
2927						// https://kyverno.io/docs/writing-policies/validate/#deny-rules
2928						"conditions"?: null | bool | number | string | [...] | {
2929							...
2930						}
2931					}
2932
2933					// ElementScope specifies whether to use the current list element
2934					// as the scope for validation. Defaults to "true" if not
2935					// specified.
2936					// When set to "false", "request.object" is used as the validation
2937					// scope within the foreach
2938					// block to allow referencing other elements in the subtree.
2939					"elementScope"?: bool
2940
2941					// Foreach declares a nested foreach iterator
2942					"foreach"?: null | bool | number | string | [...] | {
2943						...
2944					}
2945
2946					// List specifies a JMESPath expression that results in one or
2947					// more elements
2948					// to which the validation logic is applied.
2949					"list"?: string
2950
2951					// Pattern specifies an overlay-style pattern used to check
2952					// resources.
2953					"pattern"?: null | bool | number | string | [...] | {
2954						...
2955					}
2956
2957					// AnyAllConditions are used to determine if a policy rule should
2958					// be applied by evaluating a
2959					// set of conditions. The declaration can contain nested `any` or
2960					// `all` statements.
2961					// See: https://kyverno.io/docs/writing-policies/preconditions/
2962					"preconditions"?: {
2963						// AllConditions enable variable-based conditional rule execution.
2964						// This is useful for
2965						// finer control of when an rule is applied. A condition can
2966						// reference object data
2967						// using JMESPath notation.
2968						// Here, all of the conditions need to pass
2969						"all"?: [...{
2970							// Key is the context entry (using JMESPath) for conditional rule
2971							// evaluation.
2972							"key"?: null | bool | number | string | [...] | {
2973								...
2974							}
2975
2976							// Message is an optional display message
2977							"message"?: string
2978
2979							// Operator is the conditional operation to perform. Valid
2980							// operators are:
2981							// Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
2982							// GreaterThanOrEquals,
2983							// GreaterThan, LessThanOrEquals, LessThan,
2984							// DurationGreaterThanOrEquals, DurationGreaterThan,
2985							// DurationLessThanOrEquals, DurationLessThan
2986							"operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
2987
2988							// Value is the conditional value, or set of values. The values
2989							// can be fixed set
2990							// or can be variables declared using JMESPath.
2991							"value"?: null | bool | number | string | [...] | {
2992								...
2993							}
2994						}]
2995
2996						// AnyConditions enable variable-based conditional rule execution.
2997						// This is useful for
2998						// finer control of when an rule is applied. A condition can
2999						// reference object data
3000						// using JMESPath notation.
3001						// Here, at least one of the conditions need to pass
3002						"any"?: [...{
3003							// Key is the context entry (using JMESPath) for conditional rule
3004							// evaluation.
3005							"key"?: null | bool | number | string | [...] | {
3006								...
3007							}
3008
3009							// Message is an optional display message
3010							"message"?: string
3011
3012							// Operator is the conditional operation to perform. Valid
3013							// operators are:
3014							// Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
3015							// GreaterThanOrEquals,
3016							// GreaterThan, LessThanOrEquals, LessThan,
3017							// DurationGreaterThanOrEquals, DurationGreaterThan,
3018							// DurationLessThanOrEquals, DurationLessThan
3019							"operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
3020
3021							// Value is the conditional value, or set of values. The values
3022							// can be fixed set
3023							// or can be variables declared using JMESPath.
3024							"value"?: null | bool | number | string | [...] | {
3025								...
3026							}
3027						}]
3028						...
3029					}
3030				}]
3031
3032				// Manifest specifies conditions for manifest verification
3033				"manifests"?: {
3034					// AnnotationDomain is custom domain of annotation for message and
3035					// signature. Default is "cosign.sigstore.dev".
3036					"annotationDomain"?: string
3037
3038					// Attestors specified the required attestors (i.e. authorities)
3039					"attestors"?: [...{
3040						// Count specifies the required number of entries that must match.
3041						// If the count is null, all entries must match
3042						// (a logical AND). If the count is 1, at least one entry must
3043						// match (a logical OR). If the count contains a
3044						// value N, then N must be less than or equal to the size of
3045						// entries, and at least N entries must match.
3046						"count"?: int & >=1
3047
3048						// Entries contains the available attestors. An attestor can be a
3049						// static key,
3050						// attributes for keyless verification, or a nested attestor
3051						// declaration.
3052						"entries"?: [...{
3053							// Annotations are used for image verification.
3054							// Every specified key-value pair must exist and match in the
3055							// verified payload.
3056							// The payload may contain other key-value pairs.
3057							"annotations"?: [string]: string
3058
3059							// Attestor is a nested set of Attestor used to specify a more
3060							// complex set of match authorities.
3061							"attestor"?: null | bool | number | string | [...] | {
3062								...
3063							}
3064
3065							// Certificates specifies one or more certificates.
3066							"certificates"?: {
3067								// Cert is an optional PEM-encoded public certificate.
3068								"cert"?: string
3069
3070								// CertChain is an optional PEM encoded set of certificates used
3071								// to verify.
3072								"certChain"?: string
3073
3074								// CTLog (certificate timestamp log) provides a configuration for
3075								// validation of Signed Certificate
3076								// Timestamps (SCTs). If the value is unset, the default behavior
3077								// by Cosign is used.
3078								"ctlog"?: {
3079									// IgnoreSCT defines whether to use the Signed Certificate
3080									// Timestamp (SCT) log to check for a certificate
3081									// timestamp. Default is false. Set to true if this was opted out
3082									// during signing.
3083									"ignoreSCT"?: bool
3084
3085									// PubKey, if set, is used to validate SCTs against a custom
3086									// source.
3087									"pubkey"?: string
3088
3089									// TSACertChain, if set, is the PEM-encoded certificate chain file
3090									// for the RFC3161 timestamp authority. Must
3091									// contain the root CA certificate. Optionally may contain
3092									// intermediate CA certificates, and
3093									// may contain the leaf TSA certificate if not present in the
3094									// timestamurce.
3095									"tsaCertChain"?: string
3096								}
3097
3098								// Rekor provides configuration for the Rekor transparency log
3099								// service. If an empty object
3100								// is provided the public instance of Rekor
3101								// (https://rekor.sigstore.dev) is used.
3102								"rekor"?: {
3103									// IgnoreTlog skips transparency log verification.
3104									"ignoreTlog"?: bool
3105
3106									// RekorPubKey is an optional PEM-encoded public key to use for a
3107									// custom Rekor.
3108									// If set, this will be used to validate transparency log
3109									// signatures from a custom Rekor.
3110									"pubkey"?: string
3111
3112									// URL is the address of the transparency log. Defaults to the
3113									// public Rekor log instance https://rekor.sigstore.dev.
3114									"url"?: string
3115								}
3116							}
3117
3118							// Keyless is a set of attribute used to verify a Sigstore keyless
3119							// attestor.
3120							// See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
3121							"keyless"?: {
3122								// AdditionalExtensions are certificate-extensions used for
3123								// keyless signing.
3124								"additionalExtensions"?: [string]: string
3125
3126								// CTLog (certificate timestamp log) provides a configuration for
3127								// validation of Signed Certificate
3128								// Timestamps (SCTs). If the value is unset, the default behavior
3129								// by Cosign is used.
3130								"ctlog"?: {
3131									// IgnoreSCT defines whether to use the Signed Certificate
3132									// Timestamp (SCT) log to check for a certificate
3133									// timestamp. Default is false. Set to true if this was opted out
3134									// during signing.
3135									"ignoreSCT"?: bool
3136
3137									// PubKey, if set, is used to validate SCTs against a custom
3138									// source.
3139									"pubkey"?: string
3140
3141									// TSACertChain, if set, is the PEM-encoded certificate chain file
3142									// for the RFC3161 timestamp authority. Must
3143									// contain the root CA certificate. Optionally may contain
3144									// intermediate CA certificates, and
3145									// may contain the leaf TSA certificate if not present in the
3146									// timestamurce.
3147									"tsaCertChain"?: string
3148								}
3149
3150								// Issuer is the certificate issuer used for keyless signing.
3151								"issuer"?: string
3152
3153								// IssuerRegExp is the regular expression to match certificate
3154								// issuer used for keyless signing.
3155								"issuerRegExp"?: string
3156
3157								// Rekor provides configuration for the Rekor transparency log
3158								// service. If an empty object
3159								// is provided the public instance of Rekor
3160								// (https://rekor.sigstore.dev) is used.
3161								"rekor"?: {
3162									// IgnoreTlog skips transparency log verification.
3163									"ignoreTlog"?: bool
3164
3165									// RekorPubKey is an optional PEM-encoded public key to use for a
3166									// custom Rekor.
3167									// If set, this will be used to validate transparency log
3168									// signatures from a custom Rekor.
3169									"pubkey"?: string
3170
3171									// URL is the address of the transparency log. Defaults to the
3172									// public Rekor log instance https://rekor.sigstore.dev.
3173									"url"?: string
3174								}
3175
3176								// Roots is an optional set of PEM encoded trusted root
3177								// certificates.
3178								// If not provided, the system roots are used.
3179								"roots"?: string
3180
3181								// Subject is the verified identity used for keyless signing, for
3182								// example the email address.
3183								"subject"?: string
3184
3185								// SubjectRegExp is the regular expression to match identity used
3186								// for keyless signing, for example the email address.
3187								"subjectRegExp"?: string
3188							}
3189
3190							// Keys specifies one or more public keys.
3191							"keys"?: {
3192								// CTLog (certificate timestamp log) provides a configuration for
3193								// validation of Signed Certificate
3194								// Timestamps (SCTs). If the value is unset, the default behavior
3195								// by Cosign is used.
3196								"ctlog"?: {
3197									// IgnoreSCT defines whether to use the Signed Certificate
3198									// Timestamp (SCT) log to check for a certificate
3199									// timestamp. Default is false. Set to true if this was opted out
3200									// during signing.
3201									"ignoreSCT"?: bool
3202
3203									// PubKey, if set, is used to validate SCTs against a custom
3204									// source.
3205									"pubkey"?: string
3206
3207									// TSACertChain, if set, is the PEM-encoded certificate chain file
3208									// for the RFC3161 timestamp authority. Must
3209									// contain the root CA certificate. Optionally may contain
3210									// intermediate CA certificates, and
3211									// may contain the leaf TSA certificate if not present in the
3212									// timestamurce.
3213									"tsaCertChain"?: string
3214								}
3215
3216								// KMS provides the URI to the public key stored in a Key
3217								// Management System. See:
3218								// https://github.com/sigstore/cosign/blob/main/KMS.md
3219								"kms"?: string
3220
3221								// Keys is a set of X.509 public keys used to verify image
3222								// signatures. The keys can be directly
3223								// specified or can be a variable reference to a key specified in
3224								// a ConfigMap (see
3225								// https://kyverno.io/docs/writing-policies/variables/), or
3226								// reference a standard Kubernetes Secret
3227								// elsewhere in the cluster by specifying it in the format
3228								// "k8s://<namespace>/<secret_name>".
3229								// The named Secret must specify a key `cosign.pub` containing the
3230								// public key used for
3231								// verification, (see
3232								// https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
3233								// When multiple keys are specified each key is processed as a
3234								// separate staticKey entry
3235								// (.attestors[*].entries.keys) within the set of attestors and
3236								// the count is applied across the keys.
3237								"publicKeys"?: string
3238
3239								// Rekor provides configuration for the Rekor transparency log
3240								// service. If an empty object
3241								// is provided the public instance of Rekor
3242								// (https://rekor.sigstore.dev) is used.
3243								"rekor"?: {
3244									// IgnoreTlog skips transparency log verification.
3245									"ignoreTlog"?: bool
3246
3247									// RekorPubKey is an optional PEM-encoded public key to use for a
3248									// custom Rekor.
3249									// If set, this will be used to validate transparency log
3250									// signatures from a custom Rekor.
3251									"pubkey"?: string
3252
3253									// URL is the address of the transparency log. Defaults to the
3254									// public Rekor log instance https://rekor.sigstore.dev.
3255									"url"?: string
3256								}
3257
3258								// Reference to a Secret resource that contains a public key
3259								"secret"?: {
3260									// Name of the secret. The provided secret must contain a key
3261									// named cosign.pub.
3262									"name"!: string
3263
3264									// Namespace name where the Secret exists.
3265									"namespace"!: string
3266								}
3267
3268								// Deprecated. Use attestor.signatureAlgorithm instead.
3269								"signatureAlgorithm"?: string
3270							}
3271
3272							// Repository is an optional alternate OCI repository to use for
3273							// signatures and attestations that match this rule.
3274							// If specified Repository will override other OCI image
3275							// repository locations for this Attestor.
3276							"repository"?: string
3277
3278							// Specify signature algorithm for public keys. Supported values
3279							// are sha224, sha256, sha384 and sha512.
3280							"signatureAlgorithm"?: string
3281						}]
3282					}]
3283
3284					// DryRun configuration
3285					"dryRun"?: {
3286						"enable"?:    bool
3287						"namespace"?: string
3288					}
3289
3290					// Fields which will be ignored while comparing manifests.
3291					"ignoreFields"?: [...{
3292						"fields"?: [...string]
3293						"objects"?: [...{
3294							"group"?:     string
3295							"kind"?:      string
3296							"name"?:      string
3297							"namespace"?: string
3298							"version"?:   string
3299						}]
3300					}]
3301
3302					// Repository is an optional alternate OCI repository to use for
3303					// resource bundle reference.
3304					// The repository can be overridden per Attestor or Attestation.
3305					"repository"?: string
3306				}
3307
3308				// Message specifies a custom message to be displayed on failure.
3309				"message"?: string
3310
3311				// Pattern specifies an overlay-style pattern used to check
3312				// resources.
3313				"pattern"?: null | bool | number | string | [...] | {
3314					...
3315				}
3316
3317				// PodSecurity applies exemptions for Kubernetes Pod Security
3318				// admission
3319				// by specifying exclusions for Pod Security Standards controls.
3320				"podSecurity"?: {
3321					// Exclude specifies the Pod Security Standard controls to be
3322					// excluded.
3323					"exclude"?: [...{
3324						// ControlName specifies the name of the Pod Security Standard
3325						// control.
3326						// See:
3327						// https://kubernetes.io/docs/concepts/security/pod-security-standards/
3328						"controlName"!: "HostProcess" | "Host Namespaces" | "Privileged Containers" | "Capabilities" | "HostPath Volumes" | "Host Ports" | "AppArmor" | "SELinux" | "/proc Mount Type" | "Seccomp" | "Sysctls" | "Volume Types" | "Privilege Escalation" | "Running as Non-root" | "Running as Non-root user"
3329
3330						// Images selects matching containers and applies the container
3331						// level PSS.
3332						// Each image is the image name consisting of the registry
3333						// address, repository, image, and tag.
3334						// Empty list matches no containers, PSS checks are applied at the
3335						// pod level only.
3336						// Wildcards ('*' and '?') are allowed. See:
3337						// https://kubernetes.io/docs/concepts/containers/images.
3338						"images"?: [...string]
3339
3340						// RestrictedField selects the field for the given Pod Security
3341						// Standard control.
3342						// When not set, all restricted fields for the control are
3343						// selected.
3344						"restrictedField"?: string
3345
3346						// Values defines the allowed values that can be excluded.
3347						"values"?: [...string]
3348					}]
3349
3350					// Level defines the Pod Security Standard level to be applied to
3351					// workloads.
3352					// Allowed values are privileged, baseline, and restricted.
3353					"level"?: "privileged" | "baseline" | "restricted"
3354
3355					// Version defines the Pod Security Standard versions that
3356					// Kubernetes supports.
3357					// Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24,
3358					// v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest.
3359					"version"?: "v1.19" | "v1.20" | "v1.21" | "v1.22" | "v1.23" | "v1.24" | "v1.25" | "v1.26" | "v1.27" | "v1.28" | "v1.29" | "latest"
3360				}
3361			}
3362
3363			// VerifyImages is used to verify image signatures and mutate them
3364			// to add a digest
3365			"verifyImages"?: [...{
3366				// Deprecated.
3367				"additionalExtensions"?: [string]: string
3368
3369				// Deprecated. Use annotations per Attestor instead.
3370				"annotations"?: {
3371					[string]: string
3372				}
3373
3374				// Attestations are optional checks for signed in-toto Statements
3375				// used to verify the image.
3376				// See https://github.com/in-toto/attestation. Kyverno fetches
3377				// signed attestations from the
3378				// OCI registry and decodes them into a list of Statement
3379				// declarations.
3380				"attestations"?: [...{
3381					// Attestors specify the required attestors (i.e. authorities).
3382					"attestors"?: [...{
3383						// Count specifies the required number of entries that must match.
3384						// If the count is null, all entries must match
3385						// (a logical AND). If the count is 1, at least one entry must
3386						// match (a logical OR). If the count contains a
3387						// value N, then N must be less than or equal to the size of
3388						// entries, and at least N entries must match.
3389						"count"?: int & >=1
3390
3391						// Entries contains the available attestors. An attestor can be a
3392						// static key,
3393						// attributes for keyless verification, or a nested attestor
3394						// declaration.
3395						"entries"?: [...{
3396							// Annotations are used for image verification.
3397							// Every specified key-value pair must exist and match in the
3398							// verified payload.
3399							// The payload may contain other key-value pairs.
3400							"annotations"?: [string]: string
3401
3402							// Attestor is a nested set of Attestor used to specify a more
3403							// complex set of match authorities.
3404							"attestor"?: null | bool | number | string | [...] | {
3405								...
3406							}
3407
3408							// Certificates specifies one or more certificates.
3409							"certificates"?: {
3410								// Cert is an optional PEM-encoded public certificate.
3411								"cert"?: string
3412
3413								// CertChain is an optional PEM encoded set of certificates used
3414								// to verify.
3415								"certChain"?: string
3416
3417								// CTLog (certificate timestamp log) provides a configuration for
3418								// validation of Signed Certificate
3419								// Timestamps (SCTs). If the value is unset, the default behavior
3420								// by Cosign is used.
3421								"ctlog"?: {
3422									// IgnoreSCT defines whether to use the Signed Certificate
3423									// Timestamp (SCT) log to check for a certificate
3424									// timestamp. Default is false. Set to true if this was opted out
3425									// during signing.
3426									"ignoreSCT"?: bool
3427
3428									// PubKey, if set, is used to validate SCTs against a custom
3429									// source.
3430									"pubkey"?: string
3431
3432									// TSACertChain, if set, is the PEM-encoded certificate chain file
3433									// for the RFC3161 timestamp authority. Must
3434									// contain the root CA certificate. Optionally may contain
3435									// intermediate CA certificates, and
3436									// may contain the leaf TSA certificate if not present in the
3437									// timestamurce.
3438									"tsaCertChain"?: string
3439								}
3440
3441								// Rekor provides configuration for the Rekor transparency log
3442								// service. If an empty object
3443								// is provided the public instance of Rekor
3444								// (https://rekor.sigstore.dev) is used.
3445								"rekor"?: {
3446									// IgnoreTlog skips transparency log verification.
3447									"ignoreTlog"?: bool
3448
3449									// RekorPubKey is an optional PEM-encoded public key to use for a
3450									// custom Rekor.
3451									// If set, this will be used to validate transparency log
3452									// signatures from a custom Rekor.
3453									"pubkey"?: string
3454
3455									// URL is the address of the transparency log. Defaults to the
3456									// public Rekor log instance https://rekor.sigstore.dev.
3457									"url"?: string
3458								}
3459							}
3460
3461							// Keyless is a set of attribute used to verify a Sigstore keyless
3462							// attestor.
3463							// See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
3464							"keyless"?: {
3465								// AdditionalExtensions are certificate-extensions used for
3466								// keyless signing.
3467								"additionalExtensions"?: [string]: string
3468
3469								// CTLog (certificate timestamp log) provides a configuration for
3470								// validation of Signed Certificate
3471								// Timestamps (SCTs). If the value is unset, the default behavior
3472								// by Cosign is used.
3473								"ctlog"?: {
3474									// IgnoreSCT defines whether to use the Signed Certificate
3475									// Timestamp (SCT) log to check for a certificate
3476									// timestamp. Default is false. Set to true if this was opted out
3477									// during signing.
3478									"ignoreSCT"?: bool
3479
3480									// PubKey, if set, is used to validate SCTs against a custom
3481									// source.
3482									"pubkey"?: string
3483
3484									// TSACertChain, if set, is the PEM-encoded certificate chain file
3485									// for the RFC3161 timestamp authority. Must
3486									// contain the root CA certificate. Optionally may contain
3487									// intermediate CA certificates, and
3488									// may contain the leaf TSA certificate if not present in the
3489									// timestamurce.
3490									"tsaCertChain"?: string
3491								}
3492
3493								// Issuer is the certificate issuer used for keyless signing.
3494								"issuer"?: string
3495
3496								// IssuerRegExp is the regular expression to match certificate
3497								// issuer used for keyless signing.
3498								"issuerRegExp"?: string
3499
3500								// Rekor provides configuration for the Rekor transparency log
3501								// service. If an empty object
3502								// is provided the public instance of Rekor
3503								// (https://rekor.sigstore.dev) is used.
3504								"rekor"?: {
3505									// IgnoreTlog skips transparency log verification.
3506									"ignoreTlog"?: bool
3507
3508									// RekorPubKey is an optional PEM-encoded public key to use for a
3509									// custom Rekor.
3510									// If set, this will be used to validate transparency log
3511									// signatures from a custom Rekor.
3512									"pubkey"?: string
3513
3514									// URL is the address of the transparency log. Defaults to the
3515									// public Rekor log instance https://rekor.sigstore.dev.
3516									"url"?: string
3517								}
3518
3519								// Roots is an optional set of PEM encoded trusted root
3520								// certificates.
3521								// If not provided, the system roots are used.
3522								"roots"?: string
3523
3524								// Subject is the verified identity used for keyless signing, for
3525								// example the email address.
3526								"subject"?: string
3527
3528								// SubjectRegExp is the regular expression to match identity used
3529								// for keyless signing, for example the email address.
3530								"subjectRegExp"?: string
3531							}
3532
3533							// Keys specifies one or more public keys.
3534							"keys"?: {
3535								// CTLog (certificate timestamp log) provides a configuration for
3536								// validation of Signed Certificate
3537								// Timestamps (SCTs). If the value is unset, the default behavior
3538								// by Cosign is used.
3539								"ctlog"?: {
3540									// IgnoreSCT defines whether to use the Signed Certificate
3541									// Timestamp (SCT) log to check for a certificate
3542									// timestamp. Default is false. Set to true if this was opted out
3543									// during signing.
3544									"ignoreSCT"?: bool
3545
3546									// PubKey, if set, is used to validate SCTs against a custom
3547									// source.
3548									"pubkey"?: string
3549
3550									// TSACertChain, if set, is the PEM-encoded certificate chain file
3551									// for the RFC3161 timestamp authority. Must
3552									// contain the root CA certificate. Optionally may contain
3553									// intermediate CA certificates, and
3554									// may contain the leaf TSA certificate if not present in the
3555									// timestamurce.
3556									"tsaCertChain"?: string
3557								}
3558
3559								// KMS provides the URI to the public key stored in a Key
3560								// Management System. See:
3561								// https://github.com/sigstore/cosign/blob/main/KMS.md
3562								"kms"?: string
3563
3564								// Keys is a set of X.509 public keys used to verify image
3565								// signatures. The keys can be directly
3566								// specified or can be a variable reference to a key specified in
3567								// a ConfigMap (see
3568								// https://kyverno.io/docs/writing-policies/variables/), or
3569								// reference a standard Kubernetes Secret
3570								// elsewhere in the cluster by specifying it in the format
3571								// "k8s://<namespace>/<secret_name>".
3572								// The named Secret must specify a key `cosign.pub` containing the
3573								// public key used for
3574								// verification, (see
3575								// https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
3576								// When multiple keys are specified each key is processed as a
3577								// separate staticKey entry
3578								// (.attestors[*].entries.keys) within the set of attestors and
3579								// the count is applied across the keys.
3580								"publicKeys"?: string
3581
3582								// Rekor provides configuration for the Rekor transparency log
3583								// service. If an empty object
3584								// is provided the public instance of Rekor
3585								// (https://rekor.sigstore.dev) is used.
3586								"rekor"?: {
3587									// IgnoreTlog skips transparency log verification.
3588									"ignoreTlog"?: bool
3589
3590									// RekorPubKey is an optional PEM-encoded public key to use for a
3591									// custom Rekor.
3592									// If set, this will be used to validate transparency log
3593									// signatures from a custom Rekor.
3594									"pubkey"?: string
3595
3596									// URL is the address of the transparency log. Defaults to the
3597									// public Rekor log instance https://rekor.sigstore.dev.
3598									"url"?: string
3599								}
3600
3601								// Reference to a Secret resource that contains a public key
3602								"secret"?: {
3603									// Name of the secret. The provided secret must contain a key
3604									// named cosign.pub.
3605									"name"!: string
3606
3607									// Namespace name where the Secret exists.
3608									"namespace"!: string
3609								}
3610
3611								// Deprecated. Use attestor.signatureAlgorithm instead.
3612								"signatureAlgorithm"?: string
3613							}
3614
3615							// Repository is an optional alternate OCI repository to use for
3616							// signatures and attestations that match this rule.
3617							// If specified Repository will override other OCI image
3618							// repository locations for this Attestor.
3619							"repository"?: string
3620
3621							// Specify signature algorithm for public keys. Supported values
3622							// are sha224, sha256, sha384 and sha512.
3623							"signatureAlgorithm"?: string
3624						}]
3625					}]
3626
3627					// Conditions are used to verify attributes within a Predicate. If
3628					// no Conditions are specified
3629					// the attestation check is satisfied as long there are predicates
3630					// that match the predicate type.
3631					"conditions"?: [...{
3632						// AllConditions enable variable-based conditional rule execution.
3633						// This is useful for
3634						// finer control of when an rule is applied. A condition can
3635						// reference object data
3636						// using JMESPath notation.
3637						// Here, all of the conditions need to pass
3638						"all"?: [...{
3639							// Key is the context entry (using JMESPath) for conditional rule
3640							// evaluation.
3641							"key"?: null | bool | number | string | [...] | {
3642								...
3643							}
3644
3645							// Message is an optional display message
3646							"message"?: string
3647
3648							// Operator is the conditional operation to perform. Valid
3649							// operators are:
3650							// Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
3651							// GreaterThanOrEquals,
3652							// GreaterThan, LessThanOrEquals, LessThan,
3653							// DurationGreaterThanOrEquals, DurationGreaterThan,
3654							// DurationLessThanOrEquals, DurationLessThan
3655							"operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
3656
3657							// Value is the conditional value, or set of values. The values
3658							// can be fixed set
3659							// or can be variables declared using JMESPath.
3660							"value"?: null | bool | number | string | [...] | {
3661								...
3662							}
3663						}]
3664
3665						// AnyConditions enable variable-based conditional rule execution.
3666						// This is useful for
3667						// finer control of when an rule is applied. A condition can
3668						// reference object data
3669						// using JMESPath notation.
3670						// Here, at least one of the conditions need to pass
3671						"any"?: [...{
3672							// Key is the context entry (using JMESPath) for conditional rule
3673							// evaluation.
3674							"key"?: null | bool | number | string | [...] | {
3675								...
3676							}
3677
3678							// Message is an optional display message
3679							"message"?: string
3680
3681							// Operator is the conditional operation to perform. Valid
3682							// operators are:
3683							// Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
3684							// GreaterThanOrEquals,
3685							// GreaterThan, LessThanOrEquals, LessThan,
3686							// DurationGreaterThanOrEquals, DurationGreaterThan,
3687							// DurationLessThanOrEquals, DurationLessThan
3688							"operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
3689
3690							// Value is the conditional value, or set of values. The values
3691							// can be fixed set
3692							// or can be variables declared using JMESPath.
3693							"value"?: null | bool | number | string | [...] | {
3694								...
3695							}
3696						}]
3697					}]
3698
3699					// Name is the variable name.
3700					"name"?: string
3701
3702					// Deprecated in favour of 'Type', to be removed soon
3703					"predicateType"?: string
3704
3705					// Type defines the type of attestation contained within the
3706					// Statement.
3707					"type"?: string
3708				}]
3709
3710				// Attestors specified the required attestors (i.e. authorities)
3711				"attestors"?: [...{
3712					// Count specifies the required number of entries that must match.
3713					// If the count is null, all entries must match
3714					// (a logical AND). If the count is 1, at least one entry must
3715					// match (a logical OR). If the count contains a
3716					// value N, then N must be less than or equal to the size of
3717					// entries, and at least N entries must match.
3718					"count"?: int & >=1
3719
3720					// Entries contains the available attestors. An attestor can be a
3721					// static key,
3722					// attributes for keyless verification, or a nested attestor
3723					// declaration.
3724					"entries"?: [...{
3725						// Annotations are used for image verification.
3726						// Every specified key-value pair must exist and match in the
3727						// verified payload.
3728						// The payload may contain other key-value pairs.
3729						"annotations"?: [string]: string
3730
3731						// Attestor is a nested set of Attestor used to specify a more
3732						// complex set of match authorities.
3733						"attestor"?: null | bool | number | string | [...] | {
3734							...
3735						}
3736
3737						// Certificates specifies one or more certificates.
3738						"certificates"?: {
3739							// Cert is an optional PEM-encoded public certificate.
3740							"cert"?: string
3741
3742							// CertChain is an optional PEM encoded set of certificates used
3743							// to verify.
3744							"certChain"?: string
3745
3746							// CTLog (certificate timestamp log) provides a configuration for
3747							// validation of Signed Certificate
3748							// Timestamps (SCTs). If the value is unset, the default behavior
3749							// by Cosign is used.
3750							"ctlog"?: {
3751								// IgnoreSCT defines whether to use the Signed Certificate
3752								// Timestamp (SCT) log to check for a certificate
3753								// timestamp. Default is false. Set to true if this was opted out
3754								// during signing.
3755								"ignoreSCT"?: bool
3756
3757								// PubKey, if set, is used to validate SCTs against a custom
3758								// source.
3759								"pubkey"?: string
3760
3761								// TSACertChain, if set, is the PEM-encoded certificate chain file
3762								// for the RFC3161 timestamp authority. Must
3763								// contain the root CA certificate. Optionally may contain
3764								// intermediate CA certificates, and
3765								// may contain the leaf TSA certificate if not present in the
3766								// timestamurce.
3767								"tsaCertChain"?: string
3768							}
3769
3770							// Rekor provides configuration for the Rekor transparency log
3771							// service. If an empty object
3772							// is provided the public instance of Rekor
3773							// (https://rekor.sigstore.dev) is used.
3774							"rekor"?: {
3775								// IgnoreTlog skips transparency log verification.
3776								"ignoreTlog"?: bool
3777
3778								// RekorPubKey is an optional PEM-encoded public key to use for a
3779								// custom Rekor.
3780								// If set, this will be used to validate transparency log
3781								// signatures from a custom Rekor.
3782								"pubkey"?: string
3783
3784								// URL is the address of the transparency log. Defaults to the
3785								// public Rekor log instance https://rekor.sigstore.dev.
3786								"url"?: string
3787							}
3788						}
3789
3790						// Keyless is a set of attribute used to verify a Sigstore keyless
3791						// attestor.
3792						// See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
3793						"keyless"?: {
3794							// AdditionalExtensions are certificate-extensions used for
3795							// keyless signing.
3796							"additionalExtensions"?: [string]: string
3797
3798							// CTLog (certificate timestamp log) provides a configuration for
3799							// validation of Signed Certificate
3800							// Timestamps (SCTs). If the value is unset, the default behavior
3801							// by Cosign is used.
3802							"ctlog"?: {
3803								// IgnoreSCT defines whether to use the Signed Certificate
3804								// Timestamp (SCT) log to check for a certificate
3805								// timestamp. Default is false. Set to true if this was opted out
3806								// during signing.
3807								"ignoreSCT"?: bool
3808
3809								// PubKey, if set, is used to validate SCTs against a custom
3810								// source.
3811								"pubkey"?: string
3812
3813								// TSACertChain, if set, is the PEM-encoded certificate chain file
3814								// for the RFC3161 timestamp authority. Must
3815								// contain the root CA certificate. Optionally may contain
3816								// intermediate CA certificates, and
3817								// may contain the leaf TSA certificate if not present in the
3818								// timestamurce.
3819								"tsaCertChain"?: string
3820							}
3821
3822							// Issuer is the certificate issuer used for keyless signing.
3823							"issuer"?: string
3824
3825							// IssuerRegExp is the regular expression to match certificate
3826							// issuer used for keyless signing.
3827							"issuerRegExp"?: string
3828
3829							// Rekor provides configuration for the Rekor transparency log
3830							// service. If an empty object
3831							// is provided the public instance of Rekor
3832							// (https://rekor.sigstore.dev) is used.
3833							"rekor"?: {
3834								// IgnoreTlog skips transparency log verification.
3835								"ignoreTlog"?: bool
3836
3837								// RekorPubKey is an optional PEM-encoded public key to use for a
3838								// custom Rekor.
3839								// If set, this will be used to validate transparency log
3840								// signatures from a custom Rekor.
3841								"pubkey"?: string
3842
3843								// URL is the address of the transparency log. Defaults to the
3844								// public Rekor log instance https://rekor.sigstore.dev.
3845								"url"?: string
3846							}
3847
3848							// Roots is an optional set of PEM encoded trusted root
3849							// certificates.
3850							// If not provided, the system roots are used.
3851							"roots"?: string
3852
3853							// Subject is the verified identity used for keyless signing, for
3854							// example the email address.
3855							"subject"?: string
3856
3857							// SubjectRegExp is the regular expression to match identity used
3858							// for keyless signing, for example the email address.
3859							"subjectRegExp"?: string
3860						}
3861
3862						// Keys specifies one or more public keys.
3863						"keys"?: {
3864							// CTLog (certificate timestamp log) provides a configuration for
3865							// validation of Signed Certificate
3866							// Timestamps (SCTs). If the value is unset, the default behavior
3867							// by Cosign is used.
3868							"ctlog"?: {
3869								// IgnoreSCT defines whether to use the Signed Certificate
3870								// Timestamp (SCT) log to check for a certificate
3871								// timestamp. Default is false. Set to true if this was opted out
3872								// during signing.
3873								"ignoreSCT"?: bool
3874
3875								// PubKey, if set, is used to validate SCTs against a custom
3876								// source.
3877								"pubkey"?: string
3878
3879								// TSACertChain, if set, is the PEM-encoded certificate chain file
3880								// for the RFC3161 timestamp authority. Must
3881								// contain the root CA certificate. Optionally may contain
3882								// intermediate CA certificates, and
3883								// may contain the leaf TSA certificate if not present in the
3884								// timestamurce.
3885								"tsaCertChain"?: string
3886							}
3887
3888							// KMS provides the URI to the public key stored in a Key
3889							// Management System. See:
3890							// https://github.com/sigstore/cosign/blob/main/KMS.md
3891							"kms"?: string
3892
3893							// Keys is a set of X.509 public keys used to verify image
3894							// signatures. The keys can be directly
3895							// specified or can be a variable reference to a key specified in
3896							// a ConfigMap (see
3897							// https://kyverno.io/docs/writing-policies/variables/), or
3898							// reference a standard Kubernetes Secret
3899							// elsewhere in the cluster by specifying it in the format
3900							// "k8s://<namespace>/<secret_name>".
3901							// The named Secret must specify a key `cosign.pub` containing the
3902							// public key used for
3903							// verification, (see
3904							// https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
3905							// When multiple keys are specified each key is processed as a
3906							// separate staticKey entry
3907							// (.attestors[*].entries.keys) within the set of attestors and
3908							// the count is applied across the keys.
3909							"publicKeys"?: string
3910
3911							// Rekor provides configuration for the Rekor transparency log
3912							// service. If an empty object
3913							// is provided the public instance of Rekor
3914							// (https://rekor.sigstore.dev) is used.
3915							"rekor"?: {
3916								// IgnoreTlog skips transparency log verification.
3917								"ignoreTlog"?: bool
3918
3919								// RekorPubKey is an optional PEM-encoded public key to use for a
3920								// custom Rekor.
3921								// If set, this will be used to validate transparency log
3922								// signatures from a custom Rekor.
3923								"pubkey"?: string
3924
3925								// URL is the address of the transparency log. Defaults to the
3926								// public Rekor log instance https://rekor.sigstore.dev.
3927								"url"?: string
3928							}
3929
3930							// Reference to a Secret resource that contains a public key
3931							"secret"?: {
3932								// Name of the secret. The provided secret must contain a key
3933								// named cosign.pub.
3934								"name"!: string
3935
3936								// Namespace name where the Secret exists.
3937								"namespace"!: string
3938							}
3939
3940							// Deprecated. Use attestor.signatureAlgorithm instead.
3941							"signatureAlgorithm"?: string
3942						}
3943
3944						// Repository is an optional alternate OCI repository to use for
3945						// signatures and attestations that match this rule.
3946						// If specified Repository will override other OCI image
3947						// repository locations for this Attestor.
3948						"repository"?: string
3949
3950						// Specify signature algorithm for public keys. Supported values
3951						// are sha224, sha256, sha384 and sha512.
3952						"signatureAlgorithm"?: string
3953					}]
3954				}]
3955
3956				// CosignOCI11 enables the experimental OCI 1.1 behaviour in
3957				// cosign image verification.
3958				// Defaults to false.
3959				"cosignOCI11"?: bool
3960
3961				// Allowed values are Audit or Enforce.
3962				"failureAction"?: "Audit" | "Enforce"
3963
3964				// Deprecated. Use ImageReferences instead.
3965				"image"?: string
3966
3967				// ImageReferences is a list of matching image reference patterns.
3968				// At least one pattern in the
3969				// list must match the image for the rule to apply. Each image
3970				// reference consists of a registry
3971				// address (defaults to docker.io), repository, image, and tag
3972				// (defaults to latest).
3973				// Wildcards ('*' and '?') are allowed. See:
3974				// https://kubernetes.io/docs/concepts/containers/images.
3975				"imageReferences"?: [...string]
3976
3977				// ImageRegistryCredentials provides credentials that will be used
3978				// for authentication with registry.
3979				"imageRegistryCredentials"?: {
3980					// AllowInsecureRegistry allows insecure access to a registry.
3981					"allowInsecureRegistry"?: bool
3982
3983					// Providers specifies a list of OCI Registry names, whose
3984					// authentication providers are provided.
3985					// It can be of one of these values:
3986					// default,google,azure,amazon,github.
3987					"providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
3988
3989					// Secrets specifies a list of secrets that are provided for
3990					// credentials.
3991					// Secrets must live in the Kyverno namespace.
3992					"secrets"?: [...string]
3993				}
3994
3995				// Deprecated. Use KeylessAttestor instead.
3996				"issuer"?: string
3997
3998				// Deprecated. Use StaticKeyAttestor instead.
3999				"key"?: string
4000
4001				// MutateDigest enables replacement of image tags with digests.
4002				// Defaults to true.
4003				"mutateDigest"?: bool
4004
4005				// Repository is an optional alternate OCI repository to use for
4006				// image signatures and attestations that match this rule.
4007				// If specified Repository will override the default OCI image
4008				// repository configured for the installation.
4009				// The repository can also be overridden per Attestor or
4010				// Attestation.
4011				"repository"?: string
4012
4013				// Required validates that images are verified i.e. have matched
4014				// passed a signature or attestation check.
4015				"required"?: bool
4016
4017				// Deprecated. Use KeylessAttestor instead.
4018				"roots"?: string
4019
4020				// SkipImageReferences is a list of matching image reference
4021				// patterns that should be skipped.
4022				// At least one pattern in the list must match the image for the
4023				// rule to be skipped. Each image reference
4024				// consists of a registry address (defaults to docker.io),
4025				// repository, image, and tag (defaults to latest).
4026				// Wildcards ('*' and '?') are allowed. See:
4027				// https://kubernetes.io/docs/concepts/containers/images.
4028				"skipImageReferences"?: [...string]
4029
4030				// Deprecated. Use KeylessAttestor instead.
4031				"subject"?: string
4032
4033				// Type specifies the method of signature validation. The allowed
4034				// options
4035				// are Cosign, Sigstore Bundle and Notary. By default Cosign is
4036				// used if a type is not specified.
4037				"type"?: "Cosign" | "SigstoreBundle" | "Notary"
4038
4039				// UseCache enables caching of image verify responses for this
4040				// rule.
4041				"useCache"?: bool
4042
4043				// Validation checks conditions across multiple image
4044				// verification attestations or context entries
4045				"validate"?: {
4046					// Deny defines conditions used to pass or fail a validation rule.
4047					"deny"?: {
4048						// Multiple conditions can be declared under an `any` or `all`
4049						// statement. A direct list
4050						// of conditions (without `any` or `all` statements) is also
4051						// supported for backwards compatibility
4052						// but will be deprecated in the next major release.
4053						// See:
4054						// https://kyverno.io/docs/writing-policies/validate/#deny-rules
4055						"conditions"?: null | bool | number | string | [...] | {
4056							...
4057						}
4058					}
4059
4060					// Message specifies a custom message to be displayed on failure.
4061					"message"?: string
4062				}
4063
4064				// VerifyDigest validates that images have a digest.
4065				"verifyDigest"?: bool
4066			}]
4067		}]
4068
4069		// Deprecated.
4070		"schemaValidation"?: bool
4071
4072		// UseServerSideApply controls whether to use server-side apply
4073		// for generate rules
4074		// If is set to "true" create & update for generate rules will use
4075		// apply instead of create/update.
4076		// Defaults to "false" if not specified.
4077		"useServerSideApply"?: bool
4078
4079		// Deprecated, use validationFailureAction under the validate rule
4080		// instead.
4081		"validationFailureAction"?: "audit" | "enforce" | "Audit" | "Enforce"
4082
4083		// Deprecated, use validationFailureActionOverrides under the
4084		// validate rule instead.
4085		"validationFailureActionOverrides"?: [...{
4086			// ValidationFailureAction defines the policy validation failure
4087			// action
4088			"action"?: "audit" | "enforce" | "Audit" | "Enforce"
4089
4090			// A label selector is a label query over a set of resources. The
4091			// result of matchLabels and
4092			// matchExpressions are ANDed. An empty label selector matches all
4093			// objects. A null
4094			// label selector matches no objects.
4095			"namespaceSelector"?: {
4096				// matchExpressions is a list of label selector requirements. The
4097				// requirements are ANDed.
4098				"matchExpressions"?: [...{
4099					// key is the label key that the selector applies to.
4100					"key"!: string
4101
4102					// operator represents a key's relationship to a set of values.
4103					// Valid operators are In, NotIn, Exists and DoesNotExist.
4104					"operator"!: string
4105
4106					// values is an array of string values. If the operator is In or
4107					// NotIn,
4108					// the values array must be non-empty. If the operator is Exists
4109					// or DoesNotExist,
4110					// the values array must be empty. This array is replaced during a
4111					// strategic
4112					// merge patch.
4113					"values"?: [...string]
4114				}]
4115
4116				// matchLabels is a map of {key,value} pairs. A single {key,value}
4117				// in the matchLabels
4118				// map is equivalent to an element of matchExpressions, whose key
4119				// field is "key", the
4120				// operator is "In", and the values array contains only "value".
4121				// The requirements are ANDed.
4122				"matchLabels"?: {
4123					[string]: string
4124				}
4125			}
4126			"namespaces"?: [...string]
4127		}]
4128
4129		// WebhookConfiguration specifies the custom configuration for
4130		// Kubernetes admission webhookconfiguration.
4131		"webhookConfiguration"?: {
4132			// FailurePolicy defines how unexpected policy errors and webhook
4133			// response timeout errors are handled.
4134			// Rules within the same policy share the same failure behavior.
4135			// This field should not be accessed directly, instead
4136			// `GetFailurePolicy()` should be used.
4137			// Allowed values are Ignore or Fail. Defaults to Fail.
4138			"failurePolicy"?: "Ignore" | "Fail"
4139
4140			// MatchCondition configures admission webhook matchConditions.
4141			// Requires Kubernetes 1.27 or later.
4142			"matchConditions"?: [...{
4143				// Expression represents the expression which will be evaluated by
4144				// CEL. Must evaluate to bool.
4145				// CEL expressions have access to the contents of the
4146				// AdmissionRequest and Authorizer, organized into CEL variables:
4147				//
4148				// 'object' - The object from the incoming request. The value is
4149				// null for DELETE requests.
4150				// 'oldObject' - The existing object. The value is null for CREATE
4151				// requests.
4152				// 'request' - Attributes of the admission
4153				// request(/pkg/apis/admission/types.go#AdmissionRequest).
4154				// 'authorizer' - A CEL Authorizer. May be used to perform
4155				// authorization checks for the principal (user or service
4156				// account) of the request.
4157				// See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
4158				// 'authorizer.requestResource' - A CEL ResourceCheck constructed
4159				// from the 'authorizer' and configured with the
4160				// request resource.
4161				// Documentation on CEL:
4162				// https://kubernetes.io/docs/reference/using-api/cel/
4163				//
4164				// Required.
4165				"expression"!: string
4166
4167				// Name is an identifier for this match condition, used for
4168				// strategic merging of MatchConditions,
4169				// as well as providing an identifier for logging purposes. A good
4170				// name should be descriptive of
4171				// the associated expression.
4172				// Name must be a qualified name consisting of alphanumeric
4173				// characters, '-', '_' or '.', and
4174				// must start and end with an alphanumeric character (e.g.
4175				// 'MyName', or 'my.name', or
4176				// '123-abc', regex used for validation is
4177				// '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
4178				// optional DNS subdomain prefix and '/' (e.g.
4179				// 'example.com/MyName')
4180				//
4181				// Required.
4182				"name"!: string
4183			}]
4184
4185			// TimeoutSeconds specifies the maximum time in seconds allowed to
4186			// apply this policy.
4187			// After the configured time expires, the admission request may
4188			// fail, or may simply ignore the policy results,
4189			// based on the failure policy. The default timeout is 10s, the
4190			// value must be between 1 and 30 seconds.
4191			"timeoutSeconds"?: int32 & int
4192		}
4193
4194		// Deprecated, use webhookTimeoutSeconds under
4195		// webhookConfiguration instead.
4196		"webhookTimeoutSeconds"?: int32 & int
4197	}
4198
4199	// Status contains policy runtime data.
4200	"status"?: {
4201		// AutogenStatus contains autogen status information.
4202		"autogen"?: {
4203			// Rules is a list of Rule instances. It contains auto generated
4204			// rules added for pod controllers
4205			"rules"?: [...{
4206				// CELPreconditions are used to determine if a policy rule should
4207				// be applied by evaluating a
4208				// set of CEL conditions. It can only be used with the
4209				// validate.cel subrule
4210				"celPreconditions"?: [...{
4211					// Expression represents the expression which will be evaluated by
4212					// CEL. Must evaluate to bool.
4213					// CEL expressions have access to the contents of the
4214					// AdmissionRequest and Authorizer, organized into CEL variables:
4215					//
4216					// 'object' - The object from the incoming request. The value is
4217					// null for DELETE requests.
4218					// 'oldObject' - The existing object. The value is null for CREATE
4219					// requests.
4220					// 'request' - Attributes of the admission
4221					// request(/pkg/apis/admission/types.go#AdmissionRequest).
4222					// 'authorizer' - A CEL Authorizer. May be used to perform
4223					// authorization checks for the principal (user or service
4224					// account) of the request.
4225					// See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
4226					// 'authorizer.requestResource' - A CEL ResourceCheck constructed
4227					// from the 'authorizer' and configured with the
4228					// request resource.
4229					// Documentation on CEL:
4230					// https://kubernetes.io/docs/reference/using-api/cel/
4231					//
4232					// Required.
4233					"expression"!: string
4234
4235					// Name is an identifier for this match condition, used for
4236					// strategic merging of MatchConditions,
4237					// as well as providing an identifier for logging purposes. A good
4238					// name should be descriptive of
4239					// the associated expression.
4240					// Name must be a qualified name consisting of alphanumeric
4241					// characters, '-', '_' or '.', and
4242					// must start and end with an alphanumeric character (e.g.
4243					// 'MyName', or 'my.name', or
4244					// '123-abc', regex used for validation is
4245					// '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
4246					// optional DNS subdomain prefix and '/' (e.g.
4247					// 'example.com/MyName')
4248					//
4249					// Required.
4250					"name"!: string
4251				}]
4252
4253				// Context defines variables and data sources that can be used
4254				// during rule execution.
4255				"context"?: [...matchN(1, [{
4256					"configMap"!: _
4257				}, {
4258					"apiCall"!: _
4259				}, {
4260					"imageRegistry"!: _
4261				}, {
4262					"variable"!: _
4263				}, {
4264					"globalReference"!: _
4265				}]) & {
4266					// APICall is an HTTP request to the Kubernetes API server, or
4267					// other JSON web service.
4268					// The data returned is stored in the context with the name for
4269					// the context entry.
4270					"apiCall"?: {
4271						// The data object specifies the POST data sent to the server.
4272						// Only applicable when the method field is set to POST.
4273						"data"?: [...{
4274							// Key is a unique identifier for the data value
4275							"key"!: string
4276
4277							// Value is the data value
4278							"value"!: null | bool | number | string | [...] | {
4279								...
4280							}
4281						}]
4282
4283						// Default is an optional arbitrary JSON object that the context
4284						// value is set to, if the apiCall returns error.
4285						"default"?: null | bool | number | string | [...] | {
4286							...
4287						}
4288
4289						// JMESPath is an optional JSON Match Expression that can be used
4290						// to
4291						// transform the JSON response returned from the server. For
4292						// example
4293						// a JMESPath of "items | length(@)" applied to the API server
4294						// response
4295						// for the URLPath "/apis/apps/v1/deployments" will return the
4296						// total count
4297						// of deployments across all namespaces.
4298						"jmesPath"?: string
4299
4300						// Method is the HTTP request type (GET or POST). Defaults to GET.
4301						"method"?: "GET" | "POST"
4302
4303						// Service is an API call to a JSON web service.
4304						// This is used for non-Kubernetes API server calls.
4305						// It's mutually exclusive with the URLPath field.
4306						"service"?: {
4307							// CABundle is a PEM encoded CA bundle which will be used to
4308							// validate
4309							// the server certificate.
4310							"caBundle"?: string
4311
4312							// Headers is a list of optional HTTP headers to be included in
4313							// the request.
4314							"headers"?: [...{
4315								// Key is the header key
4316								"key"!: string
4317
4318								// Value is the header value
4319								"value"!: string
4320							}]
4321
4322							// URL is the JSON web service URL. A typical form is
4323							// `https://{service}.{namespace}:{port}/{path}`.
4324							"url"!: string
4325						}
4326
4327						// URLPath is the URL path to be used in the HTTP GET or POST
4328						// request to the
4329						// Kubernetes API server (e.g. "/api/v1/namespaces" or
4330						// "/apis/apps/v1/deployments").
4331						// The format required is the same format used by the `kubectl get
4332						// --raw` command.
4333						// See
4334						// https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
4335						// for details.
4336						// It's mutually exclusive with the Service field.
4337						"urlPath"?: string
4338					}
4339
4340					// ConfigMap is the ConfigMap reference.
4341					"configMap"?: {
4342						// Name is the ConfigMap name.
4343						"name"!: string
4344
4345						// Namespace is the ConfigMap namespace.
4346						"namespace"?: string
4347					}
4348
4349					// GlobalContextEntryReference is a reference to a cached global
4350					// context entry.
4351					"globalReference"?: {
4352						// JMESPath is an optional JSON Match Expression that can be used
4353						// to
4354						// transform the JSON response returned from the server. For
4355						// example
4356						// a JMESPath of "items | length(@)" applied to the API server
4357						// response
4358						// for the URLPath "/apis/apps/v1/deployments" will return the
4359						// total count
4360						// of deployments across all namespaces.
4361						"jmesPath"?: string
4362
4363						// Name of the global context entry
4364						"name"!: string
4365					}
4366
4367					// ImageRegistry defines requests to an OCI/Docker V2 registry to
4368					// fetch image
4369					// details.
4370					"imageRegistry"?: {
4371						// ImageRegistryCredentials provides credentials that will be used
4372						// for authentication with registry
4373						"imageRegistryCredentials"?: {
4374							// AllowInsecureRegistry allows insecure access to a registry.
4375							"allowInsecureRegistry"?: bool
4376
4377							// Providers specifies a list of OCI Registry names, whose
4378							// authentication providers are provided.
4379							// It can be of one of these values:
4380							// default,google,azure,amazon,github.
4381							"providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
4382
4383							// Secrets specifies a list of secrets that are provided for
4384							// credentials.
4385							// Secrets must live in the Kyverno namespace.
4386							"secrets"?: [...string]
4387						}
4388
4389						// JMESPath is an optional JSON Match Expression that can be used
4390						// to
4391						// transform the ImageData struct returned as a result of
4392						// processing
4393						// the image reference.
4394						"jmesPath"?: string
4395
4396						// Reference is image reference to a container image in the
4397						// registry.
4398						// Example: ghcr.io/kyverno/kyverno:latest
4399						"reference"!: string
4400					}
4401
4402					// Name is the variable name.
4403					"name"!: string
4404
4405					// Variable defines an arbitrary JMESPath context variable that
4406					// can be defined inline.
4407					"variable"?: {
4408						// Default is an optional arbitrary JSON object that the variable
4409						// may take if the JMESPath
4410						// expression evaluates to nil
4411						"default"?: null | bool | number | string | [...] | {
4412							...
4413						}
4414
4415						// JMESPath is an optional JMESPath Expression that can be used to
4416						// transform the variable.
4417						"jmesPath"?: string
4418
4419						// Value is any arbitrary JSON object representable in YAML or
4420						// JSON form.
4421						"value"?: null | bool | number | string | [...] | {
4422							...
4423						}
4424					}
4425				}]
4426
4427				// ExcludeResources defines when this policy rule should not be
4428				// applied. The exclude
4429				// criteria can include resource information (e.g. kind, name,
4430				// namespace, labels)
4431				// and admission review request information like the name or role.
4432				"exclude"?: matchN(0, [null | bool | number | string | [...] | {
4433					"any"!: _
4434					"all"!: _
4435				}]) & {
4436					// All allows specifying resources which will be ANDed
4437					"all"?: [...{
4438						// ClusterRoles is the list of cluster-wide role names for the
4439						// user.
4440						"clusterRoles"?: [...string]
4441
4442						// ResourceDescription contains information about the resource
4443						// being created or modified.
4444						"resources"?: matchN(0, [null | bool | number | string | [...] | {
4445							"name"!:  _
4446							"names"!: _
4447						}]) & {
4448							// Annotations is a map of annotations (key-value pairs of type
4449							// string). Annotation keys
4450							// and values support the wildcard characters "*" (matches zero or
4451							// many characters) and
4452							// "?" (matches at least one character).
4453							"annotations"?: [string]: string
4454
4455							// Kinds is a list of resource kinds.
4456							"kinds"?: [...string]
4457
4458							// Name is the name of the resource. The name supports wildcard
4459							// characters
4460							// "*" (matches zero or many characters) and "?" (at least one
4461							// character).
4462							// NOTE: "Name" is being deprecated in favor of "Names".
4463							"name"?: string
4464
4465							// Names are the names of the resources. Each name supports
4466							// wildcard characters
4467							// "*" (matches zero or many characters) and "?" (at least one
4468							// character).
4469							"names"?: [...string]
4470
4471							// NamespaceSelector is a label selector for the resource
4472							// namespace. Label keys and values
4473							// in `matchLabels` support the wildcard characters `*` (matches
4474							// zero or many characters)
4475							// and `?` (matches one character).Wildcards allows writing label
4476							// selectors like
4477							// ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
4478							// any key and value but
4479							// does not match an empty label set.
4480							"namespaceSelector"?: {
4481								// matchExpressions is a list of label selector requirements. The
4482								// requirements are ANDed.
4483								"matchExpressions"?: [...{
4484									// key is the label key that the selector applies to.
4485									"key"!: string
4486
4487									// operator represents a key's relationship to a set of values.
4488									// Valid operators are In, NotIn, Exists and DoesNotExist.
4489									"operator"!: string
4490
4491									// values is an array of string values. If the operator is In or
4492									// NotIn,
4493									// the values array must be non-empty. If the operator is Exists
4494									// or DoesNotExist,
4495									// the values array must be empty. This array is replaced during a
4496									// strategic
4497									// merge patch.
4498									"values"?: [...string]
4499								}]
4500
4501								// matchLabels is a map of {key,value} pairs. A single {key,value}
4502								// in the matchLabels
4503								// map is equivalent to an element of matchExpressions, whose key
4504								// field is "key", the
4505								// operator is "In", and the values array contains only "value".
4506								// The requirements are ANDed.
4507								"matchLabels"?: {
4508									[string]: string
4509								}
4510							}
4511
4512							// Namespaces is a list of namespaces names. Each name supports
4513							// wildcard characters
4514							// "*" (matches zero or many characters) and "?" (at least one
4515							// character).
4516							"namespaces"?: [...string]
4517
4518							// Operations can contain values ["CREATE, "UPDATE", "CONNECT",
4519							// "DELETE"], which are used to match a specific action.
4520							"operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
4521
4522							// Selector is a label selector. Label keys and values in
4523							// `matchLabels` support the wildcard
4524							// characters `*` (matches zero or many characters) and `?`
4525							// (matches one character).
4526							// Wildcards allows writing label selectors like
4527							// ["storage.k8s.io/*": "*"]. Note that
4528							// using ["*" : "*"] matches any key and value but does not match
4529							// an empty label set.
4530							"selector"?: {
4531								// matchExpressions is a list of label selector requirements. The
4532								// requirements are ANDed.
4533								"matchExpressions"?: [...{
4534									// key is the label key that the selector applies to.
4535									"key"!: string
4536
4537									// operator represents a key's relationship to a set of values.
4538									// Valid operators are In, NotIn, Exists and DoesNotExist.
4539									"operator"!: string
4540
4541									// values is an array of string values. If the operator is In or
4542									// NotIn,
4543									// the values array must be non-empty. If the operator is Exists
4544									// or DoesNotExist,
4545									// the values array must be empty. This array is replaced during a
4546									// strategic
4547									// merge patch.
4548									"values"?: [...string]
4549								}]
4550
4551								// matchLabels is a map of {key,value} pairs. A single {key,value}
4552								// in the matchLabels
4553								// map is equivalent to an element of matchExpressions, whose key
4554								// field is "key", the
4555								// operator is "In", and the values array contains only "value".
4556								// The requirements are ANDed.
4557								"matchLabels"?: {
4558									[string]: string
4559								}
4560							}
4561						}
4562
4563						// Roles is the list of namespaced role names for the user.
4564						"roles"?: [...string]
4565
4566						// Subjects is the list of subject names like users, user groups,
4567						// and service accounts.
4568						"subjects"?: [...{
4569							// APIGroup holds the API group of the referenced subject.
4570							// Defaults to "" for ServiceAccount subjects.
4571							// Defaults to "rbac.authorization.k8s.io" for User and Group
4572							// subjects.
4573							"apiGroup"?: string
4574
4575							// Kind of object being referenced. Values defined by this API
4576							// group are "User", "Group", and "ServiceAccount".
4577							// If the Authorizer does not recognized the kind value, the
4578							// Authorizer should report an error.
4579							"kind"!: string
4580
4581							// Name of the object being referenced.
4582							"name"!: string
4583
4584							// Namespace of the referenced object. If the object kind is
4585							// non-namespace, such as "User" or "Group", and this value is
4586							// not empty
4587							// the Authorizer should report an error.
4588							"namespace"?: string
4589						}]
4590					}]
4591
4592					// Any allows specifying resources which will be ORed
4593					"any"?: [...{
4594						// ClusterRoles is the list of cluster-wide role names for the
4595						// user.
4596						"clusterRoles"?: [...string]
4597
4598						// ResourceDescription contains information about the resource
4599						// being created or modified.
4600						"resources"?: matchN(0, [null | bool | number | string | [...] | {
4601							"name"!:  _
4602							"names"!: _
4603						}]) & {
4604							// Annotations is a map of annotations (key-value pairs of type
4605							// string). Annotation keys
4606							// and values support the wildcard characters "*" (matches zero or
4607							// many characters) and
4608							// "?" (matches at least one character).
4609							"annotations"?: [string]: string
4610
4611							// Kinds is a list of resource kinds.
4612							"kinds"?: [...string]
4613
4614							// Name is the name of the resource. The name supports wildcard
4615							// characters
4616							// "*" (matches zero or many characters) and "?" (at least one
4617							// character).
4618							// NOTE: "Name" is being deprecated in favor of "Names".
4619							"name"?: string
4620
4621							// Names are the names of the resources. Each name supports
4622							// wildcard characters
4623							// "*" (matches zero or many characters) and "?" (at least one
4624							// character).
4625							"names"?: [...string]
4626
4627							// NamespaceSelector is a label selector for the resource
4628							// namespace. Label keys and values
4629							// in `matchLabels` support the wildcard characters `*` (matches
4630							// zero or many characters)
4631							// and `?` (matches one character).Wildcards allows writing label
4632							// selectors like
4633							// ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
4634							// any key and value but
4635							// does not match an empty label set.
4636							"namespaceSelector"?: {
4637								// matchExpressions is a list of label selector requirements. The
4638								// requirements are ANDed.
4639								"matchExpressions"?: [...{
4640									// key is the label key that the selector applies to.
4641									"key"!: string
4642
4643									// operator represents a key's relationship to a set of values.
4644									// Valid operators are In, NotIn, Exists and DoesNotExist.
4645									"operator"!: string
4646
4647									// values is an array of string values. If the operator is In or
4648									// NotIn,
4649									// the values array must be non-empty. If the operator is Exists
4650									// or DoesNotExist,
4651									// the values array must be empty. This array is replaced during a
4652									// strategic
4653									// merge patch.
4654									"values"?: [...string]
4655								}]
4656
4657								// matchLabels is a map of {key,value} pairs. A single {key,value}
4658								// in the matchLabels
4659								// map is equivalent to an element of matchExpressions, whose key
4660								// field is "key", the
4661								// operator is "In", and the values array contains only "value".
4662								// The requirements are ANDed.
4663								"matchLabels"?: {
4664									[string]: string
4665								}
4666							}
4667
4668							// Namespaces is a list of namespaces names. Each name supports
4669							// wildcard characters
4670							// "*" (matches zero or many characters) and "?" (at least one
4671							// character).
4672							"namespaces"?: [...string]
4673
4674							// Operations can contain values ["CREATE, "UPDATE", "CONNECT",
4675							// "DELETE"], which are used to match a specific action.
4676							"operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
4677
4678							// Selector is a label selector. Label keys and values in
4679							// `matchLabels` support the wildcard
4680							// characters `*` (matches zero or many characters) and `?`
4681							// (matches one character).
4682							// Wildcards allows writing label selectors like
4683							// ["storage.k8s.io/*": "*"]. Note that
4684							// using ["*" : "*"] matches any key and value but does not match
4685							// an empty label set.
4686							"selector"?: {
4687								// matchExpressions is a list of label selector requirements. The
4688								// requirements are ANDed.
4689								"matchExpressions"?: [...{
4690									// key is the label key that the selector applies to.
4691									"key"!: string
4692
4693									// operator represents a key's relationship to a set of values.
4694									// Valid operators are In, NotIn, Exists and DoesNotExist.
4695									"operator"!: string
4696
4697									// values is an array of string values. If the operator is In or
4698									// NotIn,
4699									// the values array must be non-empty. If the operator is Exists
4700									// or DoesNotExist,
4701									// the values array must be empty. This array is replaced during a
4702									// strategic
4703									// merge patch.
4704									"values"?: [...string]
4705								}]
4706
4707								// matchLabels is a map of {key,value} pairs. A single {key,value}
4708								// in the matchLabels
4709								// map is equivalent to an element of matchExpressions, whose key
4710								// field is "key", the
4711								// operator is "In", and the values array contains only "value".
4712								// The requirements are ANDed.
4713								"matchLabels"?: {
4714									[string]: string
4715								}
4716							}
4717						}
4718
4719						// Roles is the list of namespaced role names for the user.
4720						"roles"?: [...string]
4721
4722						// Subjects is the list of subject names like users, user groups,
4723						// and service accounts.
4724						"subjects"?: [...{
4725							// APIGroup holds the API group of the referenced subject.
4726							// Defaults to "" for ServiceAccount subjects.
4727							// Defaults to "rbac.authorization.k8s.io" for User and Group
4728							// subjects.
4729							"apiGroup"?: string
4730
4731							// Kind of object being referenced. Values defined by this API
4732							// group are "User", "Group", and "ServiceAccount".
4733							// If the Authorizer does not recognized the kind value, the
4734							// Authorizer should report an error.
4735							"kind"!: string
4736
4737							// Name of the object being referenced.
4738							"name"!: string
4739
4740							// Namespace of the referenced object. If the object kind is
4741							// non-namespace, such as "User" or "Group", and this value is
4742							// not empty
4743							// the Authorizer should report an error.
4744							"namespace"?: string
4745						}]
4746					}]
4747
4748					// ClusterRoles is the list of cluster-wide role names for the
4749					// user.
4750					"clusterRoles"?: [...string]
4751
4752					// ResourceDescription contains information about the resource
4753					// being created or modified.
4754					// Requires at least one tag to be specified when under
4755					// MatchResources.
4756					// Specifying ResourceDescription directly under match is being
4757					// deprecated.
4758					// Please specify under "any" or "all" instead.
4759					"resources"?: matchN(0, [null | bool | number | string | [...] | {
4760						"name"!:  _
4761						"names"!: _
4762					}]) & {
4763						// Annotations is a map of annotations (key-value pairs of type
4764						// string). Annotation keys
4765						// and values support the wildcard characters "*" (matches zero or
4766						// many characters) and
4767						// "?" (matches at least one character).
4768						"annotations"?: [string]: string
4769
4770						// Kinds is a list of resource kinds.
4771						"kinds"?: [...string]
4772
4773						// Name is the name of the resource. The name supports wildcard
4774						// characters
4775						// "*" (matches zero or many characters) and "?" (at least one
4776						// character).
4777						// NOTE: "Name" is being deprecated in favor of "Names".
4778						"name"?: string
4779
4780						// Names are the names of the resources. Each name supports
4781						// wildcard characters
4782						// "*" (matches zero or many characters) and "?" (at least one
4783						// character).
4784						"names"?: [...string]
4785
4786						// NamespaceSelector is a label selector for the resource
4787						// namespace. Label keys and values
4788						// in `matchLabels` support the wildcard characters `*` (matches
4789						// zero or many characters)
4790						// and `?` (matches one character).Wildcards allows writing label
4791						// selectors like
4792						// ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
4793						// any key and value but
4794						// does not match an empty label set.
4795						"namespaceSelector"?: {
4796							// matchExpressions is a list of label selector requirements. The
4797							// requirements are ANDed.
4798							"matchExpressions"?: [...{
4799								// key is the label key that the selector applies to.
4800								"key"!: string
4801
4802								// operator represents a key's relationship to a set of values.
4803								// Valid operators are In, NotIn, Exists and DoesNotExist.
4804								"operator"!: string
4805
4806								// values is an array of string values. If the operator is In or
4807								// NotIn,
4808								// the values array must be non-empty. If the operator is Exists
4809								// or DoesNotExist,
4810								// the values array must be empty. This array is replaced during a
4811								// strategic
4812								// merge patch.
4813								"values"?: [...string]
4814							}]
4815
4816							// matchLabels is a map of {key,value} pairs. A single {key,value}
4817							// in the matchLabels
4818							// map is equivalent to an element of matchExpressions, whose key
4819							// field is "key", the
4820							// operator is "In", and the values array contains only "value".
4821							// The requirements are ANDed.
4822							"matchLabels"?: {
4823								[string]: string
4824							}
4825						}
4826
4827						// Namespaces is a list of namespaces names. Each name supports
4828						// wildcard characters
4829						// "*" (matches zero or many characters) and "?" (at least one
4830						// character).
4831						"namespaces"?: [...string]
4832
4833						// Operations can contain values ["CREATE, "UPDATE", "CONNECT",
4834						// "DELETE"], which are used to match a specific action.
4835						"operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
4836
4837						// Selector is a label selector. Label keys and values in
4838						// `matchLabels` support the wildcard
4839						// characters `*` (matches zero or many characters) and `?`
4840						// (matches one character).
4841						// Wildcards allows writing label selectors like
4842						// ["storage.k8s.io/*": "*"]. Note that
4843						// using ["*" : "*"] matches any key and value but does not match
4844						// an empty label set.
4845						"selector"?: {
4846							// matchExpressions is a list of label selector requirements. The
4847							// requirements are ANDed.
4848							"matchExpressions"?: [...{
4849								// key is the label key that the selector applies to.
4850								"key"!: string
4851
4852								// operator represents a key's relationship to a set of values.
4853								// Valid operators are In, NotIn, Exists and DoesNotExist.
4854								"operator"!: string
4855
4856								// values is an array of string values. If the operator is In or
4857								// NotIn,
4858								// the values array must be non-empty. If the operator is Exists
4859								// or DoesNotExist,
4860								// the values array must be empty. This array is replaced during a
4861								// strategic
4862								// merge patch.
4863								"values"?: [...string]
4864							}]
4865
4866							// matchLabels is a map of {key,value} pairs. A single {key,value}
4867							// in the matchLabels
4868							// map is equivalent to an element of matchExpressions, whose key
4869							// field is "key", the
4870							// operator is "In", and the values array contains only "value".
4871							// The requirements are ANDed.
4872							"matchLabels"?: {
4873								[string]: string
4874							}
4875						}
4876					}
4877
4878					// Roles is the list of namespaced role names for the user.
4879					"roles"?: [...string]
4880
4881					// Subjects is the list of subject names like users, user groups,
4882					// and service accounts.
4883					"subjects"?: [...{
4884						// APIGroup holds the API group of the referenced subject.
4885						// Defaults to "" for ServiceAccount subjects.
4886						// Defaults to "rbac.authorization.k8s.io" for User and Group
4887						// subjects.
4888						"apiGroup"?: string
4889
4890						// Kind of object being referenced. Values defined by this API
4891						// group are "User", "Group", and "ServiceAccount".
4892						// If the Authorizer does not recognized the kind value, the
4893						// Authorizer should report an error.
4894						"kind"!: string
4895
4896						// Name of the object being referenced.
4897						"name"!: string
4898
4899						// Namespace of the referenced object. If the object kind is
4900						// non-namespace, such as "User" or "Group", and this value is
4901						// not empty
4902						// the Authorizer should report an error.
4903						"namespace"?: string
4904					}]
4905				}
4906
4907				// Generation is used to create new resources.
4908				"generate"?: {
4909					// APIVersion specifies resource apiVersion.
4910					"apiVersion"?: string
4911
4912					// Clone specifies the source resource used to populate each
4913					// generated resource.
4914					// At most one of Data or Clone can be specified. If neither are
4915					// provided, the generated
4916					// resource will be created with default data only.
4917					"clone"?: {
4918						// Name specifies name of the resource.
4919						"name"?: string
4920
4921						// Namespace specifies source resource namespace.
4922						"namespace"?: string
4923					}
4924
4925					// CloneList specifies the list of source resource used to
4926					// populate each generated resource.
4927					"cloneList"?: {
4928						// Kinds is a list of resource kinds.
4929						"kinds"?: [...string]
4930
4931						// Namespace specifies source resource namespace.
4932						"namespace"?: string
4933
4934						// Selector is a label selector. Label keys and values in
4935						// `matchLabels`.
4936						// wildcard characters are not supported.
4937						"selector"?: {
4938							// matchExpressions is a list of label selector requirements. The
4939							// requirements are ANDed.
4940							"matchExpressions"?: [...{
4941								// key is the label key that the selector applies to.
4942								"key"!: string
4943
4944								// operator represents a key's relationship to a set of values.
4945								// Valid operators are In, NotIn, Exists and DoesNotExist.
4946								"operator"!: string
4947
4948								// values is an array of string values. If the operator is In or
4949								// NotIn,
4950								// the values array must be non-empty. If the operator is Exists
4951								// or DoesNotExist,
4952								// the values array must be empty. This array is replaced during a
4953								// strategic
4954								// merge patch.
4955								"values"?: [...string]
4956							}]
4957
4958							// matchLabels is a map of {key,value} pairs. A single {key,value}
4959							// in the matchLabels
4960							// map is equivalent to an element of matchExpressions, whose key
4961							// field is "key", the
4962							// operator is "In", and the values array contains only "value".
4963							// The requirements are ANDed.
4964							"matchLabels"?: {
4965								[string]: string
4966							}
4967						}
4968					}
4969
4970					// Data provides the resource declaration used to populate each
4971					// generated resource.
4972					// At most one of Data or Clone must be specified. If neither are
4973					// provided, the generated
4974					// resource will be created with default data only.
4975					"data"?: null | bool | number | string | [...] | {
4976						...
4977					}
4978
4979					// ForEach applies generate rules to a list of sub-elements by
4980					// creating a context for each entry in the list and looping over
4981					// it to apply the specified logic.
4982					"foreach"?: [...{
4983						// APIVersion specifies resource apiVersion.
4984						"apiVersion"?: string
4985
4986						// Clone specifies the source resource used to populate each
4987						// generated resource.
4988						// At most one of Data or Clone can be specified. If neither are
4989						// provided, the generated
4990						// resource will be created with default data only.
4991						"clone"?: {
4992							// Name specifies name of the resource.
4993							"name"?: string
4994
4995							// Namespace specifies source resource namespace.
4996							"namespace"?: string
4997						}
4998
4999						// CloneList specifies the list of source resource used to
5000						// populate each generated resource.
5001						"cloneList"?: {
5002							// Kinds is a list of resource kinds.
5003							"kinds"?: [...string]
5004
5005							// Namespace specifies source resource namespace.
5006							"namespace"?: string
5007
5008							// Selector is a label selector. Label keys and values in
5009							// `matchLabels`.
5010							// wildcard characters are not supported.
5011							"selector"?: {
5012								// matchExpressions is a list of label selector requirements. The
5013								// requirements are ANDed.
5014								"matchExpressions"?: [...{
5015									// key is the label key that the selector applies to.
5016									"key"!: string
5017
5018									// operator represents a key's relationship to a set of values.
5019									// Valid operators are In, NotIn, Exists and DoesNotExist.
5020									"operator"!: string
5021
5022									// values is an array of string values. If the operator is In or
5023									// NotIn,
5024									// the values array must be non-empty. If the operator is Exists
5025									// or DoesNotExist,
5026									// the values array must be empty. This array is replaced during a
5027									// strategic
5028									// merge patch.
5029									"values"?: [...string]
5030								}]
5031
5032								// matchLabels is a map of {key,value} pairs. A single {key,value}
5033								// in the matchLabels
5034								// map is equivalent to an element of matchExpressions, whose key
5035								// field is "key", the
5036								// operator is "In", and the values array contains only "value".
5037								// The requirements are ANDed.
5038								"matchLabels"?: {
5039									[string]: string
5040								}
5041							}
5042						}
5043
5044						// Context defines variables and data sources that can be used
5045						// during rule execution.
5046						"context"?: [...matchN(1, [{
5047							"configMap"!: _
5048						}, {
5049							"apiCall"!: _
5050						}, {
5051							"imageRegistry"!: _
5052						}, {
5053							"variable"!: _
5054						}, {
5055							"globalReference"!: _
5056						}]) & {
5057							// APICall is an HTTP request to the Kubernetes API server, or
5058							// other JSON web service.
5059							// The data returned is stored in the context with the name for
5060							// the context entry.
5061							"apiCall"?: {
5062								// The data object specifies the POST data sent to the server.
5063								// Only applicable when the method field is set to POST.
5064								"data"?: [...{
5065									// Key is a unique identifier for the data value
5066									"key"!: string
5067
5068									// Value is the data value
5069									"value"!: null | bool | number | string | [...] | {
5070										...
5071									}
5072								}]
5073
5074								// Default is an optional arbitrary JSON object that the context
5075								// value is set to, if the apiCall returns error.
5076								"default"?: null | bool | number | string | [...] | {
5077									...
5078								}
5079
5080								// JMESPath is an optional JSON Match Expression that can be used
5081								// to
5082								// transform the JSON response returned from the server. For
5083								// example
5084								// a JMESPath of "items | length(@)" applied to the API server
5085								// response
5086								// for the URLPath "/apis/apps/v1/deployments" will return the
5087								// total count
5088								// of deployments across all namespaces.
5089								"jmesPath"?: string
5090
5091								// Method is the HTTP request type (GET or POST). Defaults to GET.
5092								"method"?: "GET" | "POST"
5093
5094								// Service is an API call to a JSON web service.
5095								// This is used for non-Kubernetes API server calls.
5096								// It's mutually exclusive with the URLPath field.
5097								"service"?: {
5098									// CABundle is a PEM encoded CA bundle which will be used to
5099									// validate
5100									// the server certificate.
5101									"caBundle"?: string
5102
5103									// Headers is a list of optional HTTP headers to be included in
5104									// the request.
5105									"headers"?: [...{
5106										// Key is the header key
5107										"key"!: string
5108
5109										// Value is the header value
5110										"value"!: string
5111									}]
5112
5113									// URL is the JSON web service URL. A typical form is
5114									// `https://{service}.{namespace}:{port}/{path}`.
5115									"url"!: string
5116								}
5117
5118								// URLPath is the URL path to be used in the HTTP GET or POST
5119								// request to the
5120								// Kubernetes API server (e.g. "/api/v1/namespaces" or
5121								// "/apis/apps/v1/deployments").
5122								// The format required is the same format used by the `kubectl get
5123								// --raw` command.
5124								// See
5125								// https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
5126								// for details.
5127								// It's mutually exclusive with the Service field.
5128								"urlPath"?: string
5129							}
5130
5131							// ConfigMap is the ConfigMap reference.
5132							"configMap"?: {
5133								// Name is the ConfigMap name.
5134								"name"!: string
5135
5136								// Namespace is the ConfigMap namespace.
5137								"namespace"?: string
5138							}
5139
5140							// GlobalContextEntryReference is a reference to a cached global
5141							// context entry.
5142							"globalReference"?: {
5143								// JMESPath is an optional JSON Match Expression that can be used
5144								// to
5145								// transform the JSON response returned from the server. For
5146								// example
5147								// a JMESPath of "items | length(@)" applied to the API server
5148								// response
5149								// for the URLPath "/apis/apps/v1/deployments" will return the
5150								// total count
5151								// of deployments across all namespaces.
5152								"jmesPath"?: string
5153
5154								// Name of the global context entry
5155								"name"!: string
5156							}
5157
5158							// ImageRegistry defines requests to an OCI/Docker V2 registry to
5159							// fetch image
5160							// details.
5161							"imageRegistry"?: {
5162								// ImageRegistryCredentials provides credentials that will be used
5163								// for authentication with registry
5164								"imageRegistryCredentials"?: {
5165									// AllowInsecureRegistry allows insecure access to a registry.
5166									"allowInsecureRegistry"?: bool
5167
5168									// Providers specifies a list of OCI Registry names, whose
5169									// authentication providers are provided.
5170									// It can be of one of these values:
5171									// default,google,azure,amazon,github.
5172									"providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
5173
5174									// Secrets specifies a list of secrets that are provided for
5175									// credentials.
5176									// Secrets must live in the Kyverno namespace.
5177									"secrets"?: [...string]
5178								}
5179
5180								// JMESPath is an optional JSON Match Expression that can be used
5181								// to
5182								// transform the ImageData struct returned as a result of
5183								// processing
5184								// the image reference.
5185								"jmesPath"?: string
5186
5187								// Reference is image reference to a container image in the
5188								// registry.
5189								// Example: ghcr.io/kyverno/kyverno:latest
5190								"reference"!: string
5191							}
5192
5193							// Name is the variable name.
5194							"name"!: string
5195
5196							// Variable defines an arbitrary JMESPath context variable that
5197							// can be defined inline.
5198							"variable"?: {
5199								// Default is an optional arbitrary JSON object that the variable
5200								// may take if the JMESPath
5201								// expression evaluates to nil
5202								"default"?: null | bool | number | string | [...] | {
5203									...
5204								}
5205
5206								// JMESPath is an optional JMESPath Expression that can be used to
5207								// transform the variable.
5208								"jmesPath"?: string
5209
5210								// Value is any arbitrary JSON object representable in YAML or
5211								// JSON form.
5212								"value"?: null | bool | number | string | [...] | {
5213									...
5214								}
5215							}
5216						}]
5217
5218						// Data provides the resource declaration used to populate each
5219						// generated resource.
5220						// At most one of Data or Clone must be specified. If neither are
5221						// provided, the generated
5222						// resource will be created with default data only.
5223						"data"?: null | bool | number | string | [...] | {
5224							...
5225						}
5226
5227						// Kind specifies resource kind.
5228						"kind"?: string
5229
5230						// List specifies a JMESPath expression that results in one or
5231						// more elements
5232						// to which the validation logic is applied.
5233						"list"?: string
5234
5235						// Name specifies the resource name.
5236						"name"?: string
5237
5238						// Namespace specifies resource namespace.
5239						"namespace"?: string
5240
5241						// AnyAllConditions are used to determine if a policy rule should
5242						// be applied by evaluating a
5243						// set of conditions. The declaration can contain nested `any` or
5244						// `all` statements.
5245						// See: https://kyverno.io/docs/writing-policies/preconditions/
5246						"preconditions"?: {
5247							// AllConditions enable variable-based conditional rule execution.
5248							// This is useful for
5249							// finer control of when an rule is applied. A condition can
5250							// reference object data
5251							// using JMESPath notation.
5252							// Here, all of the conditions need to pass
5253							"all"?: [...{
5254								// Key is the context entry (using JMESPath) for conditional rule
5255								// evaluation.
5256								"key"?: null | bool | number | string | [...] | {
5257									...
5258								}
5259
5260								// Message is an optional display message
5261								"message"?: string
5262
5263								// Operator is the conditional operation to perform. Valid
5264								// operators are:
5265								// Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
5266								// GreaterThanOrEquals,
5267								// GreaterThan, LessThanOrEquals, LessThan,
5268								// DurationGreaterThanOrEquals, DurationGreaterThan,
5269								// DurationLessThanOrEquals, DurationLessThan
5270								"operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
5271
5272								// Value is the conditional value, or set of values. The values
5273								// can be fixed set
5274								// or can be variables declared using JMESPath.
5275								"value"?: null | bool | number | string | [...] | {
5276									...
5277								}
5278							}]
5279
5280							// AnyConditions enable variable-based conditional rule execution.
5281							// This is useful for
5282							// finer control of when an rule is applied. A condition can
5283							// reference object data
5284							// using JMESPath notation.
5285							// Here, at least one of the conditions need to pass
5286							"any"?: [...{
5287								// Key is the context entry (using JMESPath) for conditional rule
5288								// evaluation.
5289								"key"?: null | bool | number | string | [...] | {
5290									...
5291								}
5292
5293								// Message is an optional display message
5294								"message"?: string
5295
5296								// Operator is the conditional operation to perform. Valid
5297								// operators are:
5298								// Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
5299								// GreaterThanOrEquals,
5300								// GreaterThan, LessThanOrEquals, LessThan,
5301								// DurationGreaterThanOrEquals, DurationGreaterThan,
5302								// DurationLessThanOrEquals, DurationLessThan
5303								"operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
5304
5305								// Value is the conditional value, or set of values. The values
5306								// can be fixed set
5307								// or can be variables declared using JMESPath.
5308								"value"?: null | bool | number | string | [...] | {
5309									...
5310								}
5311							}]
5312							...
5313						}
5314
5315						// UID specifies the resource uid.
5316						"uid"?: string
5317					}]
5318
5319					// GenerateExisting controls whether to trigger the rule in
5320					// existing resources
5321					// If is set to "true" the rule will be triggered and applied to
5322					// existing matched resources.
5323					"generateExisting"?: bool
5324
5325					// Kind specifies resource kind.
5326					"kind"?: string
5327
5328					// Name specifies the resource name.
5329					"name"?: string
5330
5331					// Namespace specifies resource namespace.
5332					"namespace"?: string
5333
5334					// OrphanDownstreamOnPolicyDelete controls whether generated
5335					// resources should be deleted when the rule that generated
5336					// them is deleted with synchronization enabled. This option is
5337					// only applicable to generate rules of the data type.
5338					// See
5339					// https://kyverno.io/docs/writing-policies/generate/#data-examples.
5340					// Defaults to "false" if not specified.
5341					"orphanDownstreamOnPolicyDelete"?: bool
5342
5343					// Synchronize controls if generated resources should be kept
5344					// in-sync with their source resource.
5345					// If Synchronize is set to "true" changes to generated resources
5346					// will be overwritten with resource
5347					// data from Data or the resource specified in the Clone
5348					// declaration.
5349					// Optional. Defaults to "false" if not specified.
5350					"synchronize"?: bool
5351
5352					// UID specifies the resource uid.
5353					"uid"?: string
5354				}
5355
5356				// ImageExtractors defines a mapping from kinds to
5357				// ImageExtractorConfigs.
5358				// This config is only valid for verifyImages rules.
5359				"imageExtractors"?: {
5360					[string]: [...{
5361						// JMESPath is an optional JMESPath expression to apply to the
5362						// image value.
5363						// This is useful when the extracted image begins with a prefix
5364						// like 'docker://'.
5365						// The 'trim_prefix' function may be used to trim the prefix:
5366						// trim_prefix(@, 'docker://').
5367						// Note - Image digest mutation may not be used when applying a
5368						// JMESPAth to an image.
5369						"jmesPath"?: string
5370
5371						// Key is an optional name of the field within 'path' that will be
5372						// used to uniquely identify an image.
5373						// Note - this field MUST be unique.
5374						"key"?: string
5375
5376						// Name is the entry the image will be available under
5377						// 'images.<name>' in the context.
5378						// If this field is not defined, image entries will appear under
5379						// 'images.custom'.
5380						"name"?: string
5381
5382						// Path is the path to the object containing the image field in a
5383						// custom resource.
5384						// It should be slash-separated. Each slash-separated key must be
5385						// a valid YAML key or a wildcard '*'.
5386						// Wildcard keys are expanded in case of arrays or objects.
5387						"path"!: string
5388
5389						// Value is an optional name of the field within 'path' that
5390						// points to the image URI.
5391						// This is useful when a custom 'key' is also defined.
5392						"value"?: string
5393					}]
5394				}
5395
5396				// MatchResources defines when this policy rule should be applied.
5397				// The match
5398				// criteria can include resource information (e.g. kind, name,
5399				// namespace, labels)
5400				// and admission review request information like the user name or
5401				// role.
5402				// At least one kind is required.
5403				"match"!: matchN(0, [null | bool | number | string | [...] | {
5404					"any"!: _
5405					"all"!: _
5406				}]) & {
5407					// All allows specifying resources which will be ANDed
5408					"all"?: [...{
5409						// ClusterRoles is the list of cluster-wide role names for the
5410						// user.
5411						"clusterRoles"?: [...string]
5412
5413						// ResourceDescription contains information about the resource
5414						// being created or modified.
5415						"resources"?: matchN(0, [null | bool | number | string | [...] | {
5416							"name"!:  _
5417							"names"!: _
5418						}]) & {
5419							// Annotations is a map of annotations (key-value pairs of type
5420							// string). Annotation keys
5421							// and values support the wildcard characters "*" (matches zero or
5422							// many characters) and
5423							// "?" (matches at least one character).
5424							"annotations"?: [string]: string
5425
5426							// Kinds is a list of resource kinds.
5427							"kinds"?: [...string]
5428
5429							// Name is the name of the resource. The name supports wildcard
5430							// characters
5431							// "*" (matches zero or many characters) and "?" (at least one
5432							// character).
5433							// NOTE: "Name" is being deprecated in favor of "Names".
5434							"name"?: string
5435
5436							// Names are the names of the resources. Each name supports
5437							// wildcard characters
5438							// "*" (matches zero or many characters) and "?" (at least one
5439							// character).
5440							"names"?: [...string]
5441
5442							// NamespaceSelector is a label selector for the resource
5443							// namespace. Label keys and values
5444							// in `matchLabels` support the wildcard characters `*` (matches
5445							// zero or many characters)
5446							// and `?` (matches one character).Wildcards allows writing label
5447							// selectors like
5448							// ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
5449							// any key and value but
5450							// does not match an empty label set.
5451							"namespaceSelector"?: {
5452								// matchExpressions is a list of label selector requirements. The
5453								// requirements are ANDed.
5454								"matchExpressions"?: [...{
5455									// key is the label key that the selector applies to.
5456									"key"!: string
5457
5458									// operator represents a key's relationship to a set of values.
5459									// Valid operators are In, NotIn, Exists and DoesNotExist.
5460									"operator"!: string
5461
5462									// values is an array of string values. If the operator is In or
5463									// NotIn,
5464									// the values array must be non-empty. If the operator is Exists
5465									// or DoesNotExist,
5466									// the values array must be empty. This array is replaced during a
5467									// strategic
5468									// merge patch.
5469									"values"?: [...string]
5470								}]
5471
5472								// matchLabels is a map of {key,value} pairs. A single {key,value}
5473								// in the matchLabels
5474								// map is equivalent to an element of matchExpressions, whose key
5475								// field is "key", the
5476								// operator is "In", and the values array contains only "value".
5477								// The requirements are ANDed.
5478								"matchLabels"?: {
5479									[string]: string
5480								}
5481							}
5482
5483							// Namespaces is a list of namespaces names. Each name supports
5484							// wildcard characters
5485							// "*" (matches zero or many characters) and "?" (at least one
5486							// character).
5487							"namespaces"?: [...string]
5488
5489							// Operations can contain values ["CREATE, "UPDATE", "CONNECT",
5490							// "DELETE"], which are used to match a specific action.
5491							"operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
5492
5493							// Selector is a label selector. Label keys and values in
5494							// `matchLabels` support the wildcard
5495							// characters `*` (matches zero or many characters) and `?`
5496							// (matches one character).
5497							// Wildcards allows writing label selectors like
5498							// ["storage.k8s.io/*": "*"]. Note that
5499							// using ["*" : "*"] matches any key and value but does not match
5500							// an empty label set.
5501							"selector"?: {
5502								// matchExpressions is a list of label selector requirements. The
5503								// requirements are ANDed.
5504								"matchExpressions"?: [...{
5505									// key is the label key that the selector applies to.
5506									"key"!: string
5507
5508									// operator represents a key's relationship to a set of values.
5509									// Valid operators are In, NotIn, Exists and DoesNotExist.
5510									"operator"!: string
5511
5512									// values is an array of string values. If the operator is In or
5513									// NotIn,
5514									// the values array must be non-empty. If the operator is Exists
5515									// or DoesNotExist,
5516									// the values array must be empty. This array is replaced during a
5517									// strategic
5518									// merge patch.
5519									"values"?: [...string]
5520								}]
5521
5522								// matchLabels is a map of {key,value} pairs. A single {key,value}
5523								// in the matchLabels
5524								// map is equivalent to an element of matchExpressions, whose key
5525								// field is "key", the
5526								// operator is "In", and the values array contains only "value".
5527								// The requirements are ANDed.
5528								"matchLabels"?: {
5529									[string]: string
5530								}
5531							}
5532						}
5533
5534						// Roles is the list of namespaced role names for the user.
5535						"roles"?: [...string]
5536
5537						// Subjects is the list of subject names like users, user groups,
5538						// and service accounts.
5539						"subjects"?: [...{
5540							// APIGroup holds the API group of the referenced subject.
5541							// Defaults to "" for ServiceAccount subjects.
5542							// Defaults to "rbac.authorization.k8s.io" for User and Group
5543							// subjects.
5544							"apiGroup"?: string
5545
5546							// Kind of object being referenced. Values defined by this API
5547							// group are "User", "Group", and "ServiceAccount".
5548							// If the Authorizer does not recognized the kind value, the
5549							// Authorizer should report an error.
5550							"kind"!: string
5551
5552							// Name of the object being referenced.
5553							"name"!: string
5554
5555							// Namespace of the referenced object. If the object kind is
5556							// non-namespace, such as "User" or "Group", and this value is
5557							// not empty
5558							// the Authorizer should report an error.
5559							"namespace"?: string
5560						}]
5561					}]
5562
5563					// Any allows specifying resources which will be ORed
5564					"any"?: [...{
5565						// ClusterRoles is the list of cluster-wide role names for the
5566						// user.
5567						"clusterRoles"?: [...string]
5568
5569						// ResourceDescription contains information about the resource
5570						// being created or modified.
5571						"resources"?: matchN(0, [null | bool | number | string | [...] | {
5572							"name"!:  _
5573							"names"!: _
5574						}]) & {
5575							// Annotations is a map of annotations (key-value pairs of type
5576							// string). Annotation keys
5577							// and values support the wildcard characters "*" (matches zero or
5578							// many characters) and
5579							// "?" (matches at least one character).
5580							"annotations"?: [string]: string
5581
5582							// Kinds is a list of resource kinds.
5583							"kinds"?: [...string]
5584
5585							// Name is the name of the resource. The name supports wildcard
5586							// characters
5587							// "*" (matches zero or many characters) and "?" (at least one
5588							// character).
5589							// NOTE: "Name" is being deprecated in favor of "Names".
5590							"name"?: string
5591
5592							// Names are the names of the resources. Each name supports
5593							// wildcard characters
5594							// "*" (matches zero or many characters) and "?" (at least one
5595							// character).
5596							"names"?: [...string]
5597
5598							// NamespaceSelector is a label selector for the resource
5599							// namespace. Label keys and values
5600							// in `matchLabels` support the wildcard characters `*` (matches
5601							// zero or many characters)
5602							// and `?` (matches one character).Wildcards allows writing label
5603							// selectors like
5604							// ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
5605							// any key and value but
5606							// does not match an empty label set.
5607							"namespaceSelector"?: {
5608								// matchExpressions is a list of label selector requirements. The
5609								// requirements are ANDed.
5610								"matchExpressions"?: [...{
5611									// key is the label key that the selector applies to.
5612									"key"!: string
5613
5614									// operator represents a key's relationship to a set of values.
5615									// Valid operators are In, NotIn, Exists and DoesNotExist.
5616									"operator"!: string
5617
5618									// values is an array of string values. If the operator is In or
5619									// NotIn,
5620									// the values array must be non-empty. If the operator is Exists
5621									// or DoesNotExist,
5622									// the values array must be empty. This array is replaced during a
5623									// strategic
5624									// merge patch.
5625									"values"?: [...string]
5626								}]
5627
5628								// matchLabels is a map of {key,value} pairs. A single {key,value}
5629								// in the matchLabels
5630								// map is equivalent to an element of matchExpressions, whose key
5631								// field is "key", the
5632								// operator is "In", and the values array contains only "value".
5633								// The requirements are ANDed.
5634								"matchLabels"?: {
5635									[string]: string
5636								}
5637							}
5638
5639							// Namespaces is a list of namespaces names. Each name supports
5640							// wildcard characters
5641							// "*" (matches zero or many characters) and "?" (at least one
5642							// character).
5643							"namespaces"?: [...string]
5644
5645							// Operations can contain values ["CREATE, "UPDATE", "CONNECT",
5646							// "DELETE"], which are used to match a specific action.
5647							"operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
5648
5649							// Selector is a label selector. Label keys and values in
5650							// `matchLabels` support the wildcard
5651							// characters `*` (matches zero or many characters) and `?`
5652							// (matches one character).
5653							// Wildcards allows writing label selectors like
5654							// ["storage.k8s.io/*": "*"]. Note that
5655							// using ["*" : "*"] matches any key and value but does not match
5656							// an empty label set.
5657							"selector"?: {
5658								// matchExpressions is a list of label selector requirements. The
5659								// requirements are ANDed.
5660								"matchExpressions"?: [...{
5661									// key is the label key that the selector applies to.
5662									"key"!: string
5663
5664									// operator represents a key's relationship to a set of values.
5665									// Valid operators are In, NotIn, Exists and DoesNotExist.
5666									"operator"!: string
5667
5668									// values is an array of string values. If the operator is In or
5669									// NotIn,
5670									// the values array must be non-empty. If the operator is Exists
5671									// or DoesNotExist,
5672									// the values array must be empty. This array is replaced during a
5673									// strategic
5674									// merge patch.
5675									"values"?: [...string]
5676								}]
5677
5678								// matchLabels is a map of {key,value} pairs. A single {key,value}
5679								// in the matchLabels
5680								// map is equivalent to an element of matchExpressions, whose key
5681								// field is "key", the
5682								// operator is "In", and the values array contains only "value".
5683								// The requirements are ANDed.
5684								"matchLabels"?: {
5685									[string]: string
5686								}
5687							}
5688						}
5689
5690						// Roles is the list of namespaced role names for the user.
5691						"roles"?: [...string]
5692
5693						// Subjects is the list of subject names like users, user groups,
5694						// and service accounts.
5695						"subjects"?: [...{
5696							// APIGroup holds the API group of the referenced subject.
5697							// Defaults to "" for ServiceAccount subjects.
5698							// Defaults to "rbac.authorization.k8s.io" for User and Group
5699							// subjects.
5700							"apiGroup"?: string
5701
5702							// Kind of object being referenced. Values defined by this API
5703							// group are "User", "Group", and "ServiceAccount".
5704							// If the Authorizer does not recognized the kind value, the
5705							// Authorizer should report an error.
5706							"kind"!: string
5707
5708							// Name of the object being referenced.
5709							"name"!: string
5710
5711							// Namespace of the referenced object. If the object kind is
5712							// non-namespace, such as "User" or "Group", and this value is
5713							// not empty
5714							// the Authorizer should report an error.
5715							"namespace"?: string
5716						}]
5717					}]
5718
5719					// ClusterRoles is the list of cluster-wide role names for the
5720					// user.
5721					"clusterRoles"?: [...string]
5722
5723					// ResourceDescription contains information about the resource
5724					// being created or modified.
5725					// Requires at least one tag to be specified when under
5726					// MatchResources.
5727					// Specifying ResourceDescription directly under match is being
5728					// deprecated.
5729					// Please specify under "any" or "all" instead.
5730					"resources"?: matchN(0, [null | bool | number | string | [...] | {
5731						"name"!:  _
5732						"names"!: _
5733					}]) & {
5734						// Annotations is a map of annotations (key-value pairs of type
5735						// string). Annotation keys
5736						// and values support the wildcard characters "*" (matches zero or
5737						// many characters) and
5738						// "?" (matches at least one character).
5739						"annotations"?: [string]: string
5740
5741						// Kinds is a list of resource kinds.
5742						"kinds"?: [...string]
5743
5744						// Name is the name of the resource. The name supports wildcard
5745						// characters
5746						// "*" (matches zero or many characters) and "?" (at least one
5747						// character).
5748						// NOTE: "Name" is being deprecated in favor of "Names".
5749						"name"?: string
5750
5751						// Names are the names of the resources. Each name supports
5752						// wildcard characters
5753						// "*" (matches zero or many characters) and "?" (at least one
5754						// character).
5755						"names"?: [...string]
5756
5757						// NamespaceSelector is a label selector for the resource
5758						// namespace. Label keys and values
5759						// in `matchLabels` support the wildcard characters `*` (matches
5760						// zero or many characters)
5761						// and `?` (matches one character).Wildcards allows writing label
5762						// selectors like
5763						// ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
5764						// any key and value but
5765						// does not match an empty label set.
5766						"namespaceSelector"?: {
5767							// matchExpressions is a list of label selector requirements. The
5768							// requirements are ANDed.
5769							"matchExpressions"?: [...{
5770								// key is the label key that the selector applies to.
5771								"key"!: string
5772
5773								// operator represents a key's relationship to a set of values.
5774								// Valid operators are In, NotIn, Exists and DoesNotExist.
5775								"operator"!: string
5776
5777								// values is an array of string values. If the operator is In or
5778								// NotIn,
5779								// the values array must be non-empty. If the operator is Exists
5780								// or DoesNotExist,
5781								// the values array must be empty. This array is replaced during a
5782								// strategic
5783								// merge patch.
5784								"values"?: [...string]
5785							}]
5786
5787							// matchLabels is a map of {key,value} pairs. A single {key,value}
5788							// in the matchLabels
5789							// map is equivalent to an element of matchExpressions, whose key
5790							// field is "key", the
5791							// operator is "In", and the values array contains only "value".
5792							// The requirements are ANDed.
5793							"matchLabels"?: {
5794								[string]: string
5795							}
5796						}
5797
5798						// Namespaces is a list of namespaces names. Each name supports
5799						// wildcard characters
5800						// "*" (matches zero or many characters) and "?" (at least one
5801						// character).
5802						"namespaces"?: [...string]
5803
5804						// Operations can contain values ["CREATE, "UPDATE", "CONNECT",
5805						// "DELETE"], which are used to match a specific action.
5806						"operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
5807
5808						// Selector is a label selector. Label keys and values in
5809						// `matchLabels` support the wildcard
5810						// characters `*` (matches zero or many characters) and `?`
5811						// (matches one character).
5812						// Wildcards allows writing label selectors like
5813						// ["storage.k8s.io/*": "*"]. Note that
5814						// using ["*" : "*"] matches any key and value but does not match
5815						// an empty label set.
5816						"selector"?: {
5817							// matchExpressions is a list of label selector requirements. The
5818							// requirements are ANDed.
5819							"matchExpressions"?: [...{
5820								// key is the label key that the selector applies to.
5821								"key"!: string
5822
5823								// operator represents a key's relationship to a set of values.
5824								// Valid operators are In, NotIn, Exists and DoesNotExist.
5825								"operator"!: string
5826
5827								// values is an array of string values. If the operator is In or
5828								// NotIn,
5829								// the values array must be non-empty. If the operator is Exists
5830								// or DoesNotExist,
5831								// the values array must be empty. This array is replaced during a
5832								// strategic
5833								// merge patch.
5834								"values"?: [...string]
5835							}]
5836
5837							// matchLabels is a map of {key,value} pairs. A single {key,value}
5838							// in the matchLabels
5839							// map is equivalent to an element of matchExpressions, whose key
5840							// field is "key", the
5841							// operator is "In", and the values array contains only "value".
5842							// The requirements are ANDed.
5843							"matchLabels"?: {
5844								[string]: string
5845							}
5846						}
5847					}
5848
5849					// Roles is the list of namespaced role names for the user.
5850					"roles"?: [...string]
5851
5852					// Subjects is the list of subject names like users, user groups,
5853					// and service accounts.
5854					"subjects"?: [...{
5855						// APIGroup holds the API group of the referenced subject.
5856						// Defaults to "" for ServiceAccount subjects.
5857						// Defaults to "rbac.authorization.k8s.io" for User and Group
5858						// subjects.
5859						"apiGroup"?: string
5860
5861						// Kind of object being referenced. Values defined by this API
5862						// group are "User", "Group", and "ServiceAccount".
5863						// If the Authorizer does not recognized the kind value, the
5864						// Authorizer should report an error.
5865						"kind"!: string
5866
5867						// Name of the object being referenced.
5868						"name"!: string
5869
5870						// Namespace of the referenced object. If the object kind is
5871						// non-namespace, such as "User" or "Group", and this value is
5872						// not empty
5873						// the Authorizer should report an error.
5874						"namespace"?: string
5875					}]
5876				}
5877
5878				// Mutation is used to modify matching resources.
5879				"mutate"?: {
5880					// ForEach applies mutation rules to a list of sub-elements by
5881					// creating a context for each entry in the list and looping over
5882					// it to apply the specified logic.
5883					"foreach"?: [...{
5884						// Context defines variables and data sources that can be used
5885						// during rule execution.
5886						"context"?: [...matchN(1, [{
5887							"configMap"!: _
5888						}, {
5889							"apiCall"!: _
5890						}, {
5891							"imageRegistry"!: _
5892						}, {
5893							"variable"!: _
5894						}, {
5895							"globalReference"!: _
5896						}]) & {
5897							// APICall is an HTTP request to the Kubernetes API server, or
5898							// other JSON web service.
5899							// The data returned is stored in the context with the name for
5900							// the context entry.
5901							"apiCall"?: {
5902								// The data object specifies the POST data sent to the server.
5903								// Only applicable when the method field is set to POST.
5904								"data"?: [...{
5905									// Key is a unique identifier for the data value
5906									"key"!: string
5907
5908									// Value is the data value
5909									"value"!: null | bool | number | string | [...] | {
5910										...
5911									}
5912								}]
5913
5914								// Default is an optional arbitrary JSON object that the context
5915								// value is set to, if the apiCall returns error.
5916								"default"?: null | bool | number | string | [...] | {
5917									...
5918								}
5919
5920								// JMESPath is an optional JSON Match Expression that can be used
5921								// to
5922								// transform the JSON response returned from the server. For
5923								// example
5924								// a JMESPath of "items | length(@)" applied to the API server
5925								// response
5926								// for the URLPath "/apis/apps/v1/deployments" will return the
5927								// total count
5928								// of deployments across all namespaces.
5929								"jmesPath"?: string
5930
5931								// Method is the HTTP request type (GET or POST). Defaults to GET.
5932								"method"?: "GET" | "POST"
5933
5934								// Service is an API call to a JSON web service.
5935								// This is used for non-Kubernetes API server calls.
5936								// It's mutually exclusive with the URLPath field.
5937								"service"?: {
5938									// CABundle is a PEM encoded CA bundle which will be used to
5939									// validate
5940									// the server certificate.
5941									"caBundle"?: string
5942
5943									// Headers is a list of optional HTTP headers to be included in
5944									// the request.
5945									"headers"?: [...{
5946										// Key is the header key
5947										"key"!: string
5948
5949										// Value is the header value
5950										"value"!: string
5951									}]
5952
5953									// URL is the JSON web service URL. A typical form is
5954									// `https://{service}.{namespace}:{port}/{path}`.
5955									"url"!: string
5956								}
5957
5958								// URLPath is the URL path to be used in the HTTP GET or POST
5959								// request to the
5960								// Kubernetes API server (e.g. "/api/v1/namespaces" or
5961								// "/apis/apps/v1/deployments").
5962								// The format required is the same format used by the `kubectl get
5963								// --raw` command.
5964								// See
5965								// https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
5966								// for details.
5967								// It's mutually exclusive with the Service field.
5968								"urlPath"?: string
5969							}
5970
5971							// ConfigMap is the ConfigMap reference.
5972							"configMap"?: {
5973								// Name is the ConfigMap name.
5974								"name"!: string
5975
5976								// Namespace is the ConfigMap namespace.
5977								"namespace"?: string
5978							}
5979
5980							// GlobalContextEntryReference is a reference to a cached global
5981							// context entry.
5982							"globalReference"?: {
5983								// JMESPath is an optional JSON Match Expression that can be used
5984								// to
5985								// transform the JSON response returned from the server. For
5986								// example
5987								// a JMESPath of "items | length(@)" applied to the API server
5988								// response
5989								// for the URLPath "/apis/apps/v1/deployments" will return the
5990								// total count
5991								// of deployments across all namespaces.
5992								"jmesPath"?: string
5993
5994								// Name of the global context entry
5995								"name"!: string
5996							}
5997
5998							// ImageRegistry defines requests to an OCI/Docker V2 registry to
5999							// fetch image
6000							// details.
6001							"imageRegistry"?: {
6002								// ImageRegistryCredentials provides credentials that will be used
6003								// for authentication with registry
6004								"imageRegistryCredentials"?: {
6005									// AllowInsecureRegistry allows insecure access to a registry.
6006									"allowInsecureRegistry"?: bool
6007
6008									// Providers specifies a list of OCI Registry names, whose
6009									// authentication providers are provided.
6010									// It can be of one of these values:
6011									// default,google,azure,amazon,github.
6012									"providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
6013
6014									// Secrets specifies a list of secrets that are provided for
6015									// credentials.
6016									// Secrets must live in the Kyverno namespace.
6017									"secrets"?: [...string]
6018								}
6019
6020								// JMESPath is an optional JSON Match Expression that can be used
6021								// to
6022								// transform the ImageData struct returned as a result of
6023								// processing
6024								// the image reference.
6025								"jmesPath"?: string
6026
6027								// Reference is image reference to a container image in the
6028								// registry.
6029								// Example: ghcr.io/kyverno/kyverno:latest
6030								"reference"!: string
6031							}
6032
6033							// Name is the variable name.
6034							"name"!: string
6035
6036							// Variable defines an arbitrary JMESPath context variable that
6037							// can be defined inline.
6038							"variable"?: {
6039								// Default is an optional arbitrary JSON object that the variable
6040								// may take if the JMESPath
6041								// expression evaluates to nil
6042								"default"?: null | bool | number | string | [...] | {
6043									...
6044								}
6045
6046								// JMESPath is an optional JMESPath Expression that can be used to
6047								// transform the variable.
6048								"jmesPath"?: string
6049
6050								// Value is any arbitrary JSON object representable in YAML or
6051								// JSON form.
6052								"value"?: null | bool | number | string | [...] | {
6053									...
6054								}
6055							}
6056						}]
6057
6058						// Foreach declares a nested foreach iterator
6059						"foreach"?: null | bool | number | string | [...] | {
6060							...
6061						}
6062
6063						// List specifies a JMESPath expression that results in one or
6064						// more elements
6065						// to which the validation logic is applied.
6066						"list"?: string
6067
6068						// Order defines the iteration order on the list.
6069						// Can be Ascending to iterate from first to last element or
6070						// Descending to iterate in from last to first element.
6071						"order"?: "Ascending" | "Descending"
6072
6073						// PatchStrategicMerge is a strategic merge patch used to modify
6074						// resources.
6075						// See
6076						// https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
6077						// and
6078						// https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
6079						"patchStrategicMerge"?: null | bool | number | string | [...] | {
6080							...
6081						}
6082
6083						// PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations
6084						// used to modify resources.
6085						// See https://tools.ietf.org/html/rfc6902 and
6086						// https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
6087						"patchesJson6902"?: string
6088
6089						// AnyAllConditions are used to determine if a policy rule should
6090						// be applied by evaluating a
6091						// set of conditions. The declaration can contain nested `any` or
6092						// `all` statements.
6093						// See: https://kyverno.io/docs/writing-policies/preconditions/
6094						"preconditions"?: {
6095							// AllConditions enable variable-based conditional rule execution.
6096							// This is useful for
6097							// finer control of when an rule is applied. A condition can
6098							// reference object data
6099							// using JMESPath notation.
6100							// Here, all of the conditions need to pass
6101							"all"?: [...{
6102								// Key is the context entry (using JMESPath) for conditional rule
6103								// evaluation.
6104								"key"?: null | bool | number | string | [...] | {
6105									...
6106								}
6107
6108								// Message is an optional display message
6109								"message"?: string
6110
6111								// Operator is the conditional operation to perform. Valid
6112								// operators are:
6113								// Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
6114								// GreaterThanOrEquals,
6115								// GreaterThan, LessThanOrEquals, LessThan,
6116								// DurationGreaterThanOrEquals, DurationGreaterThan,
6117								// DurationLessThanOrEquals, DurationLessThan
6118								"operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
6119
6120								// Value is the conditional value, or set of values. The values
6121								// can be fixed set
6122								// or can be variables declared using JMESPath.
6123								"value"?: null | bool | number | string | [...] | {
6124									...
6125								}
6126							}]
6127
6128							// AnyConditions enable variable-based conditional rule execution.
6129							// This is useful for
6130							// finer control of when an rule is applied. A condition can
6131							// reference object data
6132							// using JMESPath notation.
6133							// Here, at least one of the conditions need to pass
6134							"any"?: [...{
6135								// Key is the context entry (using JMESPath) for conditional rule
6136								// evaluation.
6137								"key"?: null | bool | number | string | [...] | {
6138									...
6139								}
6140
6141								// Message is an optional display message
6142								"message"?: string
6143
6144								// Operator is the conditional operation to perform. Valid
6145								// operators are:
6146								// Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
6147								// GreaterThanOrEquals,
6148								// GreaterThan, LessThanOrEquals, LessThan,
6149								// DurationGreaterThanOrEquals, DurationGreaterThan,
6150								// DurationLessThanOrEquals, DurationLessThan
6151								"operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
6152
6153								// Value is the conditional value, or set of values. The values
6154								// can be fixed set
6155								// or can be variables declared using JMESPath.
6156								"value"?: null | bool | number | string | [...] | {
6157									...
6158								}
6159							}]
6160							...
6161						}
6162					}]
6163
6164					// MutateExistingOnPolicyUpdate controls if the mutateExisting
6165					// rule will be applied on policy events.
6166					"mutateExistingOnPolicyUpdate"?: bool
6167
6168					// PatchStrategicMerge is a strategic merge patch used to modify
6169					// resources.
6170					// See
6171					// https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
6172					// and
6173					// https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
6174					"patchStrategicMerge"?: null | bool | number | string | [...] | {
6175						...
6176					}
6177
6178					// PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations
6179					// used to modify resources.
6180					// See https://tools.ietf.org/html/rfc6902 and
6181					// https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
6182					"patchesJson6902"?: string
6183
6184					// Targets defines the target resources to be mutated.
6185					"targets"?: [...{
6186						// APIVersion specifies resource apiVersion.
6187						"apiVersion"?: string
6188
6189						// Context defines variables and data sources that can be used
6190						// during rule execution.
6191						"context"?: [...matchN(1, [{
6192							"configMap"!: _
6193						}, {
6194							"apiCall"!: _
6195						}, {
6196							"imageRegistry"!: _
6197						}, {
6198							"variable"!: _
6199						}, {
6200							"globalReference"!: _
6201						}]) & {
6202							// APICall is an HTTP request to the Kubernetes API server, or
6203							// other JSON web service.
6204							// The data returned is stored in the context with the name for
6205							// the context entry.
6206							"apiCall"?: {
6207								// The data object specifies the POST data sent to the server.
6208								// Only applicable when the method field is set to POST.
6209								"data"?: [...{
6210									// Key is a unique identifier for the data value
6211									"key"!: string
6212
6213									// Value is the data value
6214									"value"!: null | bool | number | string | [...] | {
6215										...
6216									}
6217								}]
6218
6219								// Default is an optional arbitrary JSON object that the context
6220								// value is set to, if the apiCall returns error.
6221								"default"?: null | bool | number | string | [...] | {
6222									...
6223								}
6224
6225								// JMESPath is an optional JSON Match Expression that can be used
6226								// to
6227								// transform the JSON response returned from the server. For
6228								// example
6229								// a JMESPath of "items | length(@)" applied to the API server
6230								// response
6231								// for the URLPath "/apis/apps/v1/deployments" will return the
6232								// total count
6233								// of deployments across all namespaces.
6234								"jmesPath"?: string
6235
6236								// Method is the HTTP request type (GET or POST). Defaults to GET.
6237								"method"?: "GET" | "POST"
6238
6239								// Service is an API call to a JSON web service.
6240								// This is used for non-Kubernetes API server calls.
6241								// It's mutually exclusive with the URLPath field.
6242								"service"?: {
6243									// CABundle is a PEM encoded CA bundle which will be used to
6244									// validate
6245									// the server certificate.
6246									"caBundle"?: string
6247
6248									// Headers is a list of optional HTTP headers to be included in
6249									// the request.
6250									"headers"?: [...{
6251										// Key is the header key
6252										"key"!: string
6253
6254										// Value is the header value
6255										"value"!: string
6256									}]
6257
6258									// URL is the JSON web service URL. A typical form is
6259									// `https://{service}.{namespace}:{port}/{path}`.
6260									"url"!: string
6261								}
6262
6263								// URLPath is the URL path to be used in the HTTP GET or POST
6264								// request to the
6265								// Kubernetes API server (e.g. "/api/v1/namespaces" or
6266								// "/apis/apps/v1/deployments").
6267								// The format required is the same format used by the `kubectl get
6268								// --raw` command.
6269								// See
6270								// https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
6271								// for details.
6272								// It's mutually exclusive with the Service field.
6273								"urlPath"?: string
6274							}
6275
6276							// ConfigMap is the ConfigMap reference.
6277							"configMap"?: {
6278								// Name is the ConfigMap name.
6279								"name"!: string
6280
6281								// Namespace is the ConfigMap namespace.
6282								"namespace"?: string
6283							}
6284
6285							// GlobalContextEntryReference is a reference to a cached global
6286							// context entry.
6287							"globalReference"?: {
6288								// JMESPath is an optional JSON Match Expression that can be used
6289								// to
6290								// transform the JSON response returned from the server. For
6291								// example
6292								// a JMESPath of "items | length(@)" applied to the API server
6293								// response
6294								// for the URLPath "/apis/apps/v1/deployments" will return the
6295								// total count
6296								// of deployments across all namespaces.
6297								"jmesPath"?: string
6298
6299								// Name of the global context entry
6300								"name"!: string
6301							}
6302
6303							// ImageRegistry defines requests to an OCI/Docker V2 registry to
6304							// fetch image
6305							// details.
6306							"imageRegistry"?: {
6307								// ImageRegistryCredentials provides credentials that will be used
6308								// for authentication with registry
6309								"imageRegistryCredentials"?: {
6310									// AllowInsecureRegistry allows insecure access to a registry.
6311									"allowInsecureRegistry"?: bool
6312
6313									// Providers specifies a list of OCI Registry names, whose
6314									// authentication providers are provided.
6315									// It can be of one of these values:
6316									// default,google,azure,amazon,github.
6317									"providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
6318
6319									// Secrets specifies a list of secrets that are provided for
6320									// credentials.
6321									// Secrets must live in the Kyverno namespace.
6322									"secrets"?: [...string]
6323								}
6324
6325								// JMESPath is an optional JSON Match Expression that can be used
6326								// to
6327								// transform the ImageData struct returned as a result of
6328								// processing
6329								// the image reference.
6330								"jmesPath"?: string
6331
6332								// Reference is image reference to a container image in the
6333								// registry.
6334								// Example: ghcr.io/kyverno/kyverno:latest
6335								"reference"!: string
6336							}
6337
6338							// Name is the variable name.
6339							"name"!: string
6340
6341							// Variable defines an arbitrary JMESPath context variable that
6342							// can be defined inline.
6343							"variable"?: {
6344								// Default is an optional arbitrary JSON object that the variable
6345								// may take if the JMESPath
6346								// expression evaluates to nil
6347								"default"?: null | bool | number | string | [...] | {
6348									...
6349								}
6350
6351								// JMESPath is an optional JMESPath Expression that can be used to
6352								// transform the variable.
6353								"jmesPath"?: string
6354
6355								// Value is any arbitrary JSON object representable in YAML or
6356								// JSON form.
6357								"value"?: null | bool | number | string | [...] | {
6358									...
6359								}
6360							}
6361						}]
6362
6363						// Kind specifies resource kind.
6364						"kind"?: string
6365
6366						// Name specifies the resource name.
6367						"name"?: string
6368
6369						// Namespace specifies resource namespace.
6370						"namespace"?: string
6371
6372						// Preconditions are used to determine if a policy rule should be
6373						// applied by evaluating a
6374						// set of conditions. The declaration can contain nested `any` or
6375						// `all` statements. A direct list
6376						// of conditions (without `any` or `all` statements is supported
6377						// for backwards compatibility but
6378						// will be deprecated in the next major release.
6379						// See: https://kyverno.io/docs/writing-policies/preconditions/
6380						"preconditions"?: null | bool | number | string | [...] | {
6381							...
6382						}
6383
6384						// Selector allows you to select target resources with their
6385						// labels.
6386						"selector"?: {
6387							// matchExpressions is a list of label selector requirements. The
6388							// requirements are ANDed.
6389							"matchExpressions"?: [...{
6390								// key is the label key that the selector applies to.
6391								"key"!: string
6392
6393								// operator represents a key's relationship to a set of values.
6394								// Valid operators are In, NotIn, Exists and DoesNotExist.
6395								"operator"!: string
6396
6397								// values is an array of string values. If the operator is In or
6398								// NotIn,
6399								// the values array must be non-empty. If the operator is Exists
6400								// or DoesNotExist,
6401								// the values array must be empty. This array is replaced during a
6402								// strategic
6403								// merge patch.
6404								"values"?: [...string]
6405							}]
6406
6407							// matchLabels is a map of {key,value} pairs. A single {key,value}
6408							// in the matchLabels
6409							// map is equivalent to an element of matchExpressions, whose key
6410							// field is "key", the
6411							// operator is "In", and the values array contains only "value".
6412							// The requirements are ANDed.
6413							"matchLabels"?: {
6414								[string]: string
6415							}
6416						}
6417
6418						// UID specifies the resource uid.
6419						"uid"?: string
6420					}]
6421				}
6422
6423				// Name is a label to identify the rule, It must be unique within
6424				// the policy.
6425				"name"!: strings.MaxRunes(
6426						63)
6427
6428				// Preconditions are used to determine if a policy rule should be
6429				// applied by evaluating a
6430				// set of conditions. The declaration can contain nested `any` or
6431				// `all` statements. A direct list
6432				// of conditions (without `any` or `all` statements is supported
6433				// for backwards compatibility but
6434				// will be deprecated in the next major release.
6435				// See: https://kyverno.io/docs/writing-policies/preconditions/
6436				"preconditions"?: null | bool | number | string | [...] | {
6437					...
6438				}
6439
6440				// ReportProperties are the additional properties from the rule
6441				// that will be added to the policy report result
6442				"reportProperties"?: {
6443					[string]: string
6444				}
6445
6446				// SkipBackgroundRequests bypasses admission requests that are
6447				// sent by the background controller.
6448				// The default value is set to "true", it must be set to "false"
6449				// to apply
6450				// generate and mutateExisting rules to those requests.
6451				"skipBackgroundRequests"?: bool
6452
6453				// Validation is used to validate matching resources.
6454				"validate"?: {
6455					// AllowExistingViolations allows prexisting violating resources
6456					// to continue violating a policy.
6457					"allowExistingViolations"?: bool
6458
6459					// AnyPattern specifies list of validation patterns. At least one
6460					// of the patterns
6461					// must be satisfied for the validation rule to succeed.
6462					"anyPattern"?: null | bool | number | string | [...] | {
6463						...
6464					}
6465
6466					// Assert defines a kyverno-json assertion tree.
6467					"assert"?: {
6468						...
6469					}
6470
6471					// CEL allows validation checks using the Common Expression
6472					// Language
6473					// (https://kubernetes.io/docs/reference/using-api/cel/).
6474					"cel"?: {
6475						// AuditAnnotations contains CEL expressions which are used to
6476						// produce audit annotations for the audit event of the API
6477						// request.
6478						"auditAnnotations"?: [...{
6479							// key specifies the audit annotation key. The audit annotation
6480							// keys of
6481							// a ValidatingAdmissionPolicy must be unique. The key must be a
6482							// qualified
6483							// name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in
6484							// length.
6485							//
6486							// The key is combined with the resource name of the
6487							// ValidatingAdmissionPolicy to construct an audit annotation key:
6488							// "{ValidatingAdmissionPolicy name}/{key}".
6489							//
6490							// If an admission webhook uses the same resource name as this
6491							// ValidatingAdmissionPolicy
6492							// and the same audit annotation key, the annotation key will be
6493							// identical.
6494							// In this case, the first annotation written with the key will be
6495							// included
6496							// in the audit event and all subsequent annotations with the same
6497							// key
6498							// will be discarded.
6499							//
6500							// Required.
6501							"key"!: string
6502
6503							// valueExpression represents the expression which is evaluated by
6504							// CEL to
6505							// produce an audit annotation value. The expression must evaluate
6506							// to either
6507							// a string or null value. If the expression evaluates to a
6508							// string, the
6509							// audit annotation is included with the string value. If the
6510							// expression
6511							// evaluates to null or empty string the audit annotation will be
6512							// omitted.
6513							// The valueExpression may be no longer than 5kb in length.
6514							// If the result of the valueExpression is more than 10kb in
6515							// length, it
6516							// will be truncated to 10kb.
6517							//
6518							// If multiple ValidatingAdmissionPolicyBinding resources match an
6519							// API request, then the valueExpression will be evaluated for
6520							// each binding. All unique values produced by the
6521							// valueExpressions
6522							// will be joined together in a comma-separated list.
6523							//
6524							// Required.
6525							"valueExpression"!: string
6526						}]
6527
6528						// Expressions is a list of CELExpression types.
6529						"expressions"?: [...{
6530							// Expression represents the expression which will be evaluated by
6531							// CEL.
6532							// ref: https://github.com/google/cel-spec
6533							// CEL expressions have access to the contents of the API
6534							// request/response, organized into CEL variables as well as some
6535							// other useful variables:
6536							//
6537							// - 'object' - The object from the incoming request. The value is
6538							// null for DELETE requests.
6539							// - 'oldObject' - The existing object. The value is null for
6540							// CREATE requests.
6541							// - 'request' - Attributes of the API
6542							// request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
6543							// - 'params' - Parameter resource referred to by the policy
6544							// binding being evaluated. Only populated if the policy has a
6545							// ParamKind.
6546							// - 'namespaceObject' - The namespace object that the incoming
6547							// object belongs to. The value is null for cluster-scoped
6548							// resources.
6549							// - 'variables' - Map of composited variables, from its name to
6550							// its lazily evaluated value.
6551							// For example, a variable named 'foo' can be accessed as
6552							// 'variables.foo'.
6553							// - 'authorizer' - A CEL Authorizer. May be used to perform
6554							// authorization checks for the principal (user or service
6555							// account) of the request.
6556							// See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
6557							// - 'authorizer.requestResource' - A CEL ResourceCheck
6558							// constructed from the 'authorizer' and configured with the
6559							// request resource.
6560							//
6561							// The `apiVersion`, `kind`, `metadata.name` and
6562							// `metadata.generateName` are always accessible from the root of
6563							// the
6564							// object. No other metadata properties are accessible.
6565							//
6566							// Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
6567							// are accessible.
6568							// Accessible property names are escaped according to the
6569							// following rules when accessed in the expression:
6570							// - '__' escapes to '__underscores__'
6571							// - '.' escapes to '__dot__'
6572							// - '-' escapes to '__dash__'
6573							// - '/' escapes to '__slash__'
6574							// - Property names that exactly match a CEL RESERVED keyword
6575							// escape to '__{keyword}__'. The keywords are:
6576							// "true", "false", "null", "in", "as", "break", "const",
6577							// "continue", "else", "for", "function", "if",
6578							// "import", "let", "loop", "package", "namespace", "return".
6579							// Examples:
6580							// - Expression accessing a property named "namespace":
6581							// {"Expression": "object.__namespace__ > 0"}
6582							// - Expression accessing a property named "x-prop":
6583							// {"Expression": "object.x__dash__prop > 0"}
6584							// - Expression accessing a property named "redact__d":
6585							// {"Expression": "object.redact__underscores__d > 0"}
6586							//
6587							// Equality on arrays with list type of 'set' or 'map' ignores
6588							// element order, i.e. [1, 2] == [2, 1].
6589							// Concatenation on arrays with x-kubernetes-list-type use the
6590							// semantics of the list type:
6591							// - 'set': `X + Y` performs a union where the array positions of
6592							// all elements in `X` are preserved and
6593							// non-intersecting elements in `Y` are appended, retaining their
6594							// partial order.
6595							// - 'map': `X + Y` performs a merge where the array positions of
6596							// all keys in `X` are preserved but the values
6597							// are overwritten by values in `Y` when the key sets of `X` and
6598							// `Y` intersect. Elements in `Y` with
6599							// non-intersecting keys are appended, retaining their partial
6600							// order.
6601							// Required.
6602							"expression"!: string
6603
6604							// Message represents the message displayed when validation fails.
6605							// The message is required if the Expression contains
6606							// line breaks. The message must not contain line breaks.
6607							// If unset, the message is "failed rule: {Rule}".
6608							// e.g. "must be a URL with the host matching spec.host"
6609							// If the Expression contains line breaks. Message is required.
6610							// The message must not contain line breaks.
6611							// If unset, the message is "failed Expression: {Expression}".
6612							"message"?: string
6613
6614							// messageExpression declares a CEL expression that evaluates to
6615							// the validation failure message that is returned when this rule
6616							// fails.
6617							// Since messageExpression is used as a failure message, it must
6618							// evaluate to a string.
6619							// If both message and messageExpression are present on a
6620							// validation, then messageExpression will be used if validation
6621							// fails.
6622							// If messageExpression results in a runtime error, the runtime
6623							// error is logged, and the validation failure message is
6624							// produced
6625							// as if the messageExpression field were unset. If
6626							// messageExpression evaluates to an empty string, a string with
6627							// only spaces, or a string
6628							// that contains line breaks, then the validation failure message
6629							// will also be produced as if the messageExpression field were
6630							// unset, and
6631							// the fact that messageExpression produced an empty string/string
6632							// with only spaces/string with line breaks will be logged.
6633							// messageExpression has access to all the same variables as the
6634							// `expression` except for 'authorizer' and
6635							// 'authorizer.requestResource'.
6636							// Example:
6637							// "object.x must be less than max ("+string(params.max)+")"
6638							"messageExpression"?: string
6639
6640							// Reason represents a machine-readable description of why this
6641							// validation failed.
6642							// If this is the first validation in the list to fail, this
6643							// reason, as well as the
6644							// corresponding HTTP response code, are used in the
6645							// HTTP response to the client.
6646							// The currently supported reasons are: "Unauthorized",
6647							// "Forbidden", "Invalid", "RequestEntityTooLarge".
6648							// If not set, StatusReasonInvalid is used in the response to the
6649							// client.
6650							"reason"?: string
6651						}]
6652
6653						// ParamKind is a tuple of Group Kind and Version.
6654						"paramKind"?: {
6655							// APIVersion is the API group version the resources belong to.
6656							// In format of "group/version".
6657							// Required.
6658							"apiVersion"?: string
6659
6660							// Kind is the API kind the resources belong to.
6661							// Required.
6662							"kind"?: string
6663						}
6664
6665						// ParamRef references a parameter resource.
6666						"paramRef"?: {
6667							// name is the name of the resource being referenced.
6668							//
6669							// One of `name` or `selector` must be set, but `name` and
6670							// `selector` are
6671							// mutually exclusive properties. If one is set, the other must be
6672							// unset.
6673							//
6674							// A single parameter used for all admission requests can be
6675							// configured
6676							// by setting the `name` field, leaving `selector` blank, and
6677							// setting namespace
6678							// if `paramKind` is namespace-scoped.
6679							"name"?: string
6680
6681							// namespace is the namespace of the referenced resource. Allows
6682							// limiting
6683							// the search for params to a specific namespace. Applies to both
6684							// `name` and
6685							// `selector` fields.
6686							//
6687							// A per-namespace parameter may be used by specifying a
6688							// namespace-scoped
6689							// `paramKind` in the policy and leaving this field empty.
6690							//
6691							// - If `paramKind` is cluster-scoped, this field MUST be unset.
6692							// Setting this
6693							// field results in a configuration error.
6694							//
6695							// - If `paramKind` is namespace-scoped, the namespace of the
6696							// object being
6697							// evaluated for admission will be used when this field is left
6698							// unset. Take
6699							// care that if this is left empty the binding must not match any
6700							// cluster-scoped
6701							// resources, which will result in an error.
6702							"namespace"?: string
6703
6704							// `parameterNotFoundAction` controls the behavior of the binding
6705							// when the resource
6706							// exists, and name or selector is valid, but there are no
6707							// parameters
6708							// matched by the binding. If the value is set to `Allow`, then no
6709							// matched parameters will be treated as successful validation by
6710							// the binding.
6711							// If set to `Deny`, then no matched parameters will be subject to
6712							// the
6713							// `failurePolicy` of the policy.
6714							//
6715							// Allowed values are `Allow` or `Deny`
6716							//
6717							// Required
6718							"parameterNotFoundAction"?: string
6719
6720							// selector can be used to match multiple param objects based on
6721							// their labels.
6722							// Supply selector: {} to match all resources of the ParamKind.
6723							//
6724							// If multiple params are found, they are all evaluated with the
6725							// policy expressions
6726							// and the results are ANDed together.
6727							//
6728							// One of `name` or `selector` must be set, but `name` and
6729							// `selector` are
6730							// mutually exclusive properties. If one is set, the other must be
6731							// unset.
6732							"selector"?: {
6733								// matchExpressions is a list of label selector requirements. The
6734								// requirements are ANDed.
6735								"matchExpressions"?: [...{
6736									// key is the label key that the selector applies to.
6737									"key"!: string
6738
6739									// operator represents a key's relationship to a set of values.
6740									// Valid operators are In, NotIn, Exists and DoesNotExist.
6741									"operator"!: string
6742
6743									// values is an array of string values. If the operator is In or
6744									// NotIn,
6745									// the values array must be non-empty. If the operator is Exists
6746									// or DoesNotExist,
6747									// the values array must be empty. This array is replaced during a
6748									// strategic
6749									// merge patch.
6750									"values"?: [...string]
6751								}]
6752
6753								// matchLabels is a map of {key,value} pairs. A single {key,value}
6754								// in the matchLabels
6755								// map is equivalent to an element of matchExpressions, whose key
6756								// field is "key", the
6757								// operator is "In", and the values array contains only "value".
6758								// The requirements are ANDed.
6759								"matchLabels"?: {
6760									[string]: string
6761								}
6762							}
6763						}
6764
6765						// Variables contain definitions of variables that can be used in
6766						// composition of other expressions.
6767						// Each variable is defined as a named CEL expression.
6768						// The variables defined here will be available under `variables`
6769						// in other expressions of the policy.
6770						"variables"?: [...{
6771							// Expression is the expression that will be evaluated as the
6772							// value of the variable.
6773							// The CEL expression has access to the same identifiers as the
6774							// CEL expressions in Validation.
6775							"expression"!: string
6776
6777							// Name is the name of the variable. The name must be a valid CEL
6778							// identifier and unique among all variables.
6779							// The variable can be accessed in other expressions through
6780							// `variables`
6781							// For example, if name is "foo", the variable will be available
6782							// as `variables.foo`
6783							"name"!: string
6784						}]
6785					}
6786
6787					// Deny defines conditions used to pass or fail a validation rule.
6788					"deny"?: {
6789						// Multiple conditions can be declared under an `any` or `all`
6790						// statement. A direct list
6791						// of conditions (without `any` or `all` statements) is also
6792						// supported for backwards compatibility
6793						// but will be deprecated in the next major release.
6794						// See:
6795						// https://kyverno.io/docs/writing-policies/validate/#deny-rules
6796						"conditions"?: null | bool | number | string | [...] | {
6797							...
6798						}
6799					}
6800
6801					// FailureAction defines if a validation policy rule violation
6802					// should block
6803					// the admission review request (Enforce), or allow (Audit) the
6804					// admission review request
6805					// and report an error in a policy report. Optional.
6806					// Allowed values are Audit or Enforce.
6807					"failureAction"?: "Audit" | "Enforce"
6808
6809					// FailureActionOverrides is a Cluster Policy attribute that
6810					// specifies FailureAction
6811					// namespace-wise. It overrides FailureAction for the specified
6812					// namespaces.
6813					"failureActionOverrides"?: [...{
6814						// ValidationFailureAction defines the policy validation failure
6815						// action
6816						"action"?: "audit" | "enforce" | "Audit" | "Enforce"
6817
6818						// A label selector is a label query over a set of resources. The
6819						// result of matchLabels and
6820						// matchExpressions are ANDed. An empty label selector matches all
6821						// objects. A null
6822						// label selector matches no objects.
6823						"namespaceSelector"?: {
6824							// matchExpressions is a list of label selector requirements. The
6825							// requirements are ANDed.
6826							"matchExpressions"?: [...{
6827								// key is the label key that the selector applies to.
6828								"key"!: string
6829
6830								// operator represents a key's relationship to a set of values.
6831								// Valid operators are In, NotIn, Exists and DoesNotExist.
6832								"operator"!: string
6833
6834								// values is an array of string values. If the operator is In or
6835								// NotIn,
6836								// the values array must be non-empty. If the operator is Exists
6837								// or DoesNotExist,
6838								// the values array must be empty. This array is replaced during a
6839								// strategic
6840								// merge patch.
6841								"values"?: [...string]
6842							}]
6843
6844							// matchLabels is a map of {key,value} pairs. A single {key,value}
6845							// in the matchLabels
6846							// map is equivalent to an element of matchExpressions, whose key
6847							// field is "key", the
6848							// operator is "In", and the values array contains only "value".
6849							// The requirements are ANDed.
6850							"matchLabels"?: {
6851								[string]: string
6852							}
6853						}
6854						"namespaces"?: [...string]
6855					}]
6856
6857					// ForEach applies validate rules to a list of sub-elements by
6858					// creating a context for each entry in the list and looping over
6859					// it to apply the specified logic.
6860					"foreach"?: [...{
6861						// AnyPattern specifies list of validation patterns. At least one
6862						// of the patterns
6863						// must be satisfied for the validation rule to succeed.
6864						"anyPattern"?: null | bool | number | string | [...] | {
6865							...
6866						}
6867
6868						// Context defines variables and data sources that can be used
6869						// during rule execution.
6870						"context"?: [...matchN(1, [{
6871							"configMap"!: _
6872						}, {
6873							"apiCall"!: _
6874						}, {
6875							"imageRegistry"!: _
6876						}, {
6877							"variable"!: _
6878						}, {
6879							"globalReference"!: _
6880						}]) & {
6881							// APICall is an HTTP request to the Kubernetes API server, or
6882							// other JSON web service.
6883							// The data returned is stored in the context with the name for
6884							// the context entry.
6885							"apiCall"?: {
6886								// The data object specifies the POST data sent to the server.
6887								// Only applicable when the method field is set to POST.
6888								"data"?: [...{
6889									// Key is a unique identifier for the data value
6890									"key"!: string
6891
6892									// Value is the data value
6893									"value"!: null | bool | number | string | [...] | {
6894										...
6895									}
6896								}]
6897
6898								// Default is an optional arbitrary JSON object that the context
6899								// value is set to, if the apiCall returns error.
6900								"default"?: null | bool | number | string | [...] | {
6901									...
6902								}
6903
6904								// JMESPath is an optional JSON Match Expression that can be used
6905								// to
6906								// transform the JSON response returned from the server. For
6907								// example
6908								// a JMESPath of "items | length(@)" applied to the API server
6909								// response
6910								// for the URLPath "/apis/apps/v1/deployments" will return the
6911								// total count
6912								// of deployments across all namespaces.
6913								"jmesPath"?: string
6914
6915								// Method is the HTTP request type (GET or POST). Defaults to GET.
6916								"method"?: "GET" | "POST"
6917
6918								// Service is an API call to a JSON web service.
6919								// This is used for non-Kubernetes API server calls.
6920								// It's mutually exclusive with the URLPath field.
6921								"service"?: {
6922									// CABundle is a PEM encoded CA bundle which will be used to
6923									// validate
6924									// the server certificate.
6925									"caBundle"?: string
6926
6927									// Headers is a list of optional HTTP headers to be included in
6928									// the request.
6929									"headers"?: [...{
6930										// Key is the header key
6931										"key"!: string
6932
6933										// Value is the header value
6934										"value"!: string
6935									}]
6936
6937									// URL is the JSON web service URL. A typical form is
6938									// `https://{service}.{namespace}:{port}/{path}`.
6939									"url"!: string
6940								}
6941
6942								// URLPath is the URL path to be used in the HTTP GET or POST
6943								// request to the
6944								// Kubernetes API server (e.g. "/api/v1/namespaces" or
6945								// "/apis/apps/v1/deployments").
6946								// The format required is the same format used by the `kubectl get
6947								// --raw` command.
6948								// See
6949								// https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
6950								// for details.
6951								// It's mutually exclusive with the Service field.
6952								"urlPath"?: string
6953							}
6954
6955							// ConfigMap is the ConfigMap reference.
6956							"configMap"?: {
6957								// Name is the ConfigMap name.
6958								"name"!: string
6959
6960								// Namespace is the ConfigMap namespace.
6961								"namespace"?: string
6962							}
6963
6964							// GlobalContextEntryReference is a reference to a cached global
6965							// context entry.
6966							"globalReference"?: {
6967								// JMESPath is an optional JSON Match Expression that can be used
6968								// to
6969								// transform the JSON response returned from the server. For
6970								// example
6971								// a JMESPath of "items | length(@)" applied to the API server
6972								// response
6973								// for the URLPath "/apis/apps/v1/deployments" will return the
6974								// total count
6975								// of deployments across all namespaces.
6976								"jmesPath"?: string
6977
6978								// Name of the global context entry
6979								"name"!: string
6980							}
6981
6982							// ImageRegistry defines requests to an OCI/Docker V2 registry to
6983							// fetch image
6984							// details.
6985							"imageRegistry"?: {
6986								// ImageRegistryCredentials provides credentials that will be used
6987								// for authentication with registry
6988								"imageRegistryCredentials"?: {
6989									// AllowInsecureRegistry allows insecure access to a registry.
6990									"allowInsecureRegistry"?: bool
6991
6992									// Providers specifies a list of OCI Registry names, whose
6993									// authentication providers are provided.
6994									// It can be of one of these values:
6995									// default,google,azure,amazon,github.
6996									"providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
6997
6998									// Secrets specifies a list of secrets that are provided for
6999									// credentials.
7000									// Secrets must live in the Kyverno namespace.
7001									"secrets"?: [...string]
7002								}
7003
7004								// JMESPath is an optional JSON Match Expression that can be used
7005								// to
7006								// transform the ImageData struct returned as a result of
7007								// processing
7008								// the image reference.
7009								"jmesPath"?: string
7010
7011								// Reference is image reference to a container image in the
7012								// registry.
7013								// Example: ghcr.io/kyverno/kyverno:latest
7014								"reference"!: string
7015							}
7016
7017							// Name is the variable name.
7018							"name"!: string
7019
7020							// Variable defines an arbitrary JMESPath context variable that
7021							// can be defined inline.
7022							"variable"?: {
7023								// Default is an optional arbitrary JSON object that the variable
7024								// may take if the JMESPath
7025								// expression evaluates to nil
7026								"default"?: null | bool | number | string | [...] | {
7027									...
7028								}
7029
7030								// JMESPath is an optional JMESPath Expression that can be used to
7031								// transform the variable.
7032								"jmesPath"?: string
7033
7034								// Value is any arbitrary JSON object representable in YAML or
7035								// JSON form.
7036								"value"?: null | bool | number | string | [...] | {
7037									...
7038								}
7039							}
7040						}]
7041
7042						// Deny defines conditions used to pass or fail a validation rule.
7043						"deny"?: {
7044							// Multiple conditions can be declared under an `any` or `all`
7045							// statement. A direct list
7046							// of conditions (without `any` or `all` statements) is also
7047							// supported for backwards compatibility
7048							// but will be deprecated in the next major release.
7049							// See:
7050							// https://kyverno.io/docs/writing-policies/validate/#deny-rules
7051							"conditions"?: null | bool | number | string | [...] | {
7052								...
7053							}
7054						}
7055
7056						// ElementScope specifies whether to use the current list element
7057						// as the scope for validation. Defaults to "true" if not
7058						// specified.
7059						// When set to "false", "request.object" is used as the validation
7060						// scope within the foreach
7061						// block to allow referencing other elements in the subtree.
7062						"elementScope"?: bool
7063
7064						// Foreach declares a nested foreach iterator
7065						"foreach"?: null | bool | number | string | [...] | {
7066							...
7067						}
7068
7069						// List specifies a JMESPath expression that results in one or
7070						// more elements
7071						// to which the validation logic is applied.
7072						"list"?: string
7073
7074						// Pattern specifies an overlay-style pattern used to check
7075						// resources.
7076						"pattern"?: null | bool | number | string | [...] | {
7077							...
7078						}
7079
7080						// AnyAllConditions are used to determine if a policy rule should
7081						// be applied by evaluating a
7082						// set of conditions. The declaration can contain nested `any` or
7083						// `all` statements.
7084						// See: https://kyverno.io/docs/writing-policies/preconditions/
7085						"preconditions"?: {
7086							// AllConditions enable variable-based conditional rule execution.
7087							// This is useful for
7088							// finer control of when an rule is applied. A condition can
7089							// reference object data
7090							// using JMESPath notation.
7091							// Here, all of the conditions need to pass
7092							"all"?: [...{
7093								// Key is the context entry (using JMESPath) for conditional rule
7094								// evaluation.
7095								"key"?: null | bool | number | string | [...] | {
7096									...
7097								}
7098
7099								// Message is an optional display message
7100								"message"?: string
7101
7102								// Operator is the conditional operation to perform. Valid
7103								// operators are:
7104								// Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
7105								// GreaterThanOrEquals,
7106								// GreaterThan, LessThanOrEquals, LessThan,
7107								// DurationGreaterThanOrEquals, DurationGreaterThan,
7108								// DurationLessThanOrEquals, DurationLessThan
7109								"operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
7110
7111								// Value is the conditional value, or set of values. The values
7112								// can be fixed set
7113								// or can be variables declared using JMESPath.
7114								"value"?: null | bool | number | string | [...] | {
7115									...
7116								}
7117							}]
7118
7119							// AnyConditions enable variable-based conditional rule execution.
7120							// This is useful for
7121							// finer control of when an rule is applied. A condition can
7122							// reference object data
7123							// using JMESPath notation.
7124							// Here, at least one of the conditions need to pass
7125							"any"?: [...{
7126								// Key is the context entry (using JMESPath) for conditional rule
7127								// evaluation.
7128								"key"?: null | bool | number | string | [...] | {
7129									...
7130								}
7131
7132								// Message is an optional display message
7133								"message"?: string
7134
7135								// Operator is the conditional operation to perform. Valid
7136								// operators are:
7137								// Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
7138								// GreaterThanOrEquals,
7139								// GreaterThan, LessThanOrEquals, LessThan,
7140								// DurationGreaterThanOrEquals, DurationGreaterThan,
7141								// DurationLessThanOrEquals, DurationLessThan
7142								"operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
7143
7144								// Value is the conditional value, or set of values. The values
7145								// can be fixed set
7146								// or can be variables declared using JMESPath.
7147								"value"?: null | bool | number | string | [...] | {
7148									...
7149								}
7150							}]
7151							...
7152						}
7153					}]
7154
7155					// Manifest specifies conditions for manifest verification
7156					"manifests"?: {
7157						// AnnotationDomain is custom domain of annotation for message and
7158						// signature. Default is "cosign.sigstore.dev".
7159						"annotationDomain"?: string
7160
7161						// Attestors specified the required attestors (i.e. authorities)
7162						"attestors"?: [...{
7163							// Count specifies the required number of entries that must match.
7164							// If the count is null, all entries must match
7165							// (a logical AND). If the count is 1, at least one entry must
7166							// match (a logical OR). If the count contains a
7167							// value N, then N must be less than or equal to the size of
7168							// entries, and at least N entries must match.
7169							"count"?: int & >=1
7170
7171							// Entries contains the available attestors. An attestor can be a
7172							// static key,
7173							// attributes for keyless verification, or a nested attestor
7174							// declaration.
7175							"entries"?: [...{
7176								// Annotations are used for image verification.
7177								// Every specified key-value pair must exist and match in the
7178								// verified payload.
7179								// The payload may contain other key-value pairs.
7180								"annotations"?: [string]: string
7181
7182								// Attestor is a nested set of Attestor used to specify a more
7183								// complex set of match authorities.
7184								"attestor"?: null | bool | number | string | [...] | {
7185									...
7186								}
7187
7188								// Certificates specifies one or more certificates.
7189								"certificates"?: {
7190									// Cert is an optional PEM-encoded public certificate.
7191									"cert"?: string
7192
7193									// CertChain is an optional PEM encoded set of certificates used
7194									// to verify.
7195									"certChain"?: string
7196
7197									// CTLog (certificate timestamp log) provides a configuration for
7198									// validation of Signed Certificate
7199									// Timestamps (SCTs). If the value is unset, the default behavior
7200									// by Cosign is used.
7201									"ctlog"?: {
7202										// IgnoreSCT defines whether to use the Signed Certificate
7203										// Timestamp (SCT) log to check for a certificate
7204										// timestamp. Default is false. Set to true if this was opted out
7205										// during signing.
7206										"ignoreSCT"?: bool
7207
7208										// PubKey, if set, is used to validate SCTs against a custom
7209										// source.
7210										"pubkey"?: string
7211
7212										// TSACertChain, if set, is the PEM-encoded certificate chain file
7213										// for the RFC3161 timestamp authority. Must
7214										// contain the root CA certificate. Optionally may contain
7215										// intermediate CA certificates, and
7216										// may contain the leaf TSA certificate if not present in the
7217										// timestamurce.
7218										"tsaCertChain"?: string
7219									}
7220
7221									// Rekor provides configuration for the Rekor transparency log
7222									// service. If an empty object
7223									// is provided the public instance of Rekor
7224									// (https://rekor.sigstore.dev) is used.
7225									"rekor"?: {
7226										// IgnoreTlog skips transparency log verification.
7227										"ignoreTlog"?: bool
7228
7229										// RekorPubKey is an optional PEM-encoded public key to use for a
7230										// custom Rekor.
7231										// If set, this will be used to validate transparency log
7232										// signatures from a custom Rekor.
7233										"pubkey"?: string
7234
7235										// URL is the address of the transparency log. Defaults to the
7236										// public Rekor log instance https://rekor.sigstore.dev.
7237										"url"?: string
7238									}
7239								}
7240
7241								// Keyless is a set of attribute used to verify a Sigstore keyless
7242								// attestor.
7243								// See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
7244								"keyless"?: {
7245									// AdditionalExtensions are certificate-extensions used for
7246									// keyless signing.
7247									"additionalExtensions"?: [string]: string
7248
7249									// CTLog (certificate timestamp log) provides a configuration for
7250									// validation of Signed Certificate
7251									// Timestamps (SCTs). If the value is unset, the default behavior
7252									// by Cosign is used.
7253									"ctlog"?: {
7254										// IgnoreSCT defines whether to use the Signed Certificate
7255										// Timestamp (SCT) log to check for a certificate
7256										// timestamp. Default is false. Set to true if this was opted out
7257										// during signing.
7258										"ignoreSCT"?: bool
7259
7260										// PubKey, if set, is used to validate SCTs against a custom
7261										// source.
7262										"pubkey"?: string
7263
7264										// TSACertChain, if set, is the PEM-encoded certificate chain file
7265										// for the RFC3161 timestamp authority. Must
7266										// contain the root CA certificate. Optionally may contain
7267										// intermediate CA certificates, and
7268										// may contain the leaf TSA certificate if not present in the
7269										// timestamurce.
7270										"tsaCertChain"?: string
7271									}
7272
7273									// Issuer is the certificate issuer used for keyless signing.
7274									"issuer"?: string
7275
7276									// IssuerRegExp is the regular expression to match certificate
7277									// issuer used for keyless signing.
7278									"issuerRegExp"?: string
7279
7280									// Rekor provides configuration for the Rekor transparency log
7281									// service. If an empty object
7282									// is provided the public instance of Rekor
7283									// (https://rekor.sigstore.dev) is used.
7284									"rekor"?: {
7285										// IgnoreTlog skips transparency log verification.
7286										"ignoreTlog"?: bool
7287
7288										// RekorPubKey is an optional PEM-encoded public key to use for a
7289										// custom Rekor.
7290										// If set, this will be used to validate transparency log
7291										// signatures from a custom Rekor.
7292										"pubkey"?: string
7293
7294										// URL is the address of the transparency log. Defaults to the
7295										// public Rekor log instance https://rekor.sigstore.dev.
7296										"url"?: string
7297									}
7298
7299									// Roots is an optional set of PEM encoded trusted root
7300									// certificates.
7301									// If not provided, the system roots are used.
7302									"roots"?: string
7303
7304									// Subject is the verified identity used for keyless signing, for
7305									// example the email address.
7306									"subject"?: string
7307
7308									// SubjectRegExp is the regular expression to match identity used
7309									// for keyless signing, for example the email address.
7310									"subjectRegExp"?: string
7311								}
7312
7313								// Keys specifies one or more public keys.
7314								"keys"?: {
7315									// CTLog (certificate timestamp log) provides a configuration for
7316									// validation of Signed Certificate
7317									// Timestamps (SCTs). If the value is unset, the default behavior
7318									// by Cosign is used.
7319									"ctlog"?: {
7320										// IgnoreSCT defines whether to use the Signed Certificate
7321										// Timestamp (SCT) log to check for a certificate
7322										// timestamp. Default is false. Set to true if this was opted out
7323										// during signing.
7324										"ignoreSCT"?: bool
7325
7326										// PubKey, if set, is used to validate SCTs against a custom
7327										// source.
7328										"pubkey"?: string
7329
7330										// TSACertChain, if set, is the PEM-encoded certificate chain file
7331										// for the RFC3161 timestamp authority. Must
7332										// contain the root CA certificate. Optionally may contain
7333										// intermediate CA certificates, and
7334										// may contain the leaf TSA certificate if not present in the
7335										// timestamurce.
7336										"tsaCertChain"?: string
7337									}
7338
7339									// KMS provides the URI to the public key stored in a Key
7340									// Management System. See:
7341									// https://github.com/sigstore/cosign/blob/main/KMS.md
7342									"kms"?: string
7343
7344									// Keys is a set of X.509 public keys used to verify image
7345									// signatures. The keys can be directly
7346									// specified or can be a variable reference to a key specified in
7347									// a ConfigMap (see
7348									// https://kyverno.io/docs/writing-policies/variables/), or
7349									// reference a standard Kubernetes Secret
7350									// elsewhere in the cluster by specifying it in the format
7351									// "k8s://<namespace>/<secret_name>".
7352									// The named Secret must specify a key `cosign.pub` containing the
7353									// public key used for
7354									// verification, (see
7355									// https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
7356									// When multiple keys are specified each key is processed as a
7357									// separate staticKey entry
7358									// (.attestors[*].entries.keys) within the set of attestors and
7359									// the count is applied across the keys.
7360									"publicKeys"?: string
7361
7362									// Rekor provides configuration for the Rekor transparency log
7363									// service. If an empty object
7364									// is provided the public instance of Rekor
7365									// (https://rekor.sigstore.dev) is used.
7366									"rekor"?: {
7367										// IgnoreTlog skips transparency log verification.
7368										"ignoreTlog"?: bool
7369
7370										// RekorPubKey is an optional PEM-encoded public key to use for a
7371										// custom Rekor.
7372										// If set, this will be used to validate transparency log
7373										// signatures from a custom Rekor.
7374										"pubkey"?: string
7375
7376										// URL is the address of the transparency log. Defaults to the
7377										// public Rekor log instance https://rekor.sigstore.dev.
7378										"url"?: string
7379									}
7380
7381									// Reference to a Secret resource that contains a public key
7382									"secret"?: {
7383										// Name of the secret. The provided secret must contain a key
7384										// named cosign.pub.
7385										"name"!: string
7386
7387										// Namespace name where the Secret exists.
7388										"namespace"!: string
7389									}
7390
7391									// Deprecated. Use attestor.signatureAlgorithm instead.
7392									"signatureAlgorithm"?: string
7393								}
7394
7395								// Repository is an optional alternate OCI repository to use for
7396								// signatures and attestations that match this rule.
7397								// If specified Repository will override other OCI image
7398								// repository locations for this Attestor.
7399								"repository"?: string
7400
7401								// Specify signature algorithm for public keys. Supported values
7402								// are sha224, sha256, sha384 and sha512.
7403								"signatureAlgorithm"?: string
7404							}]
7405						}]
7406
7407						// DryRun configuration
7408						"dryRun"?: {
7409							"enable"?:    bool
7410							"namespace"?: string
7411						}
7412
7413						// Fields which will be ignored while comparing manifests.
7414						"ignoreFields"?: [...{
7415							"fields"?: [...string]
7416							"objects"?: [...{
7417								"group"?:     string
7418								"kind"?:      string
7419								"name"?:      string
7420								"namespace"?: string
7421								"version"?:   string
7422							}]
7423						}]
7424
7425						// Repository is an optional alternate OCI repository to use for
7426						// resource bundle reference.
7427						// The repository can be overridden per Attestor or Attestation.
7428						"repository"?: string
7429					}
7430
7431					// Message specifies a custom message to be displayed on failure.
7432					"message"?: string
7433
7434					// Pattern specifies an overlay-style pattern used to check
7435					// resources.
7436					"pattern"?: null | bool | number | string | [...] | {
7437						...
7438					}
7439
7440					// PodSecurity applies exemptions for Kubernetes Pod Security
7441					// admission
7442					// by specifying exclusions for Pod Security Standards controls.
7443					"podSecurity"?: {
7444						// Exclude specifies the Pod Security Standard controls to be
7445						// excluded.
7446						"exclude"?: [...{
7447							// ControlName specifies the name of the Pod Security Standard
7448							// control.
7449							// See:
7450							// https://kubernetes.io/docs/concepts/security/pod-security-standards/
7451							"controlName"!: "HostProcess" | "Host Namespaces" | "Privileged Containers" | "Capabilities" | "HostPath Volumes" | "Host Ports" | "AppArmor" | "SELinux" | "/proc Mount Type" | "Seccomp" | "Sysctls" | "Volume Types" | "Privilege Escalation" | "Running as Non-root" | "Running as Non-root user"
7452
7453							// Images selects matching containers and applies the container
7454							// level PSS.
7455							// Each image is the image name consisting of the registry
7456							// address, repository, image, and tag.
7457							// Empty list matches no containers, PSS checks are applied at the
7458							// pod level only.
7459							// Wildcards ('*' and '?') are allowed. See:
7460							// https://kubernetes.io/docs/concepts/containers/images.
7461							"images"?: [...string]
7462
7463							// RestrictedField selects the field for the given Pod Security
7464							// Standard control.
7465							// When not set, all restricted fields for the control are
7466							// selected.
7467							"restrictedField"?: string
7468
7469							// Values defines the allowed values that can be excluded.
7470							"values"?: [...string]
7471						}]
7472
7473						// Level defines the Pod Security Standard level to be applied to
7474						// workloads.
7475						// Allowed values are privileged, baseline, and restricted.
7476						"level"?: "privileged" | "baseline" | "restricted"
7477
7478						// Version defines the Pod Security Standard versions that
7479						// Kubernetes supports.
7480						// Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24,
7481						// v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest.
7482						"version"?: "v1.19" | "v1.20" | "v1.21" | "v1.22" | "v1.23" | "v1.24" | "v1.25" | "v1.26" | "v1.27" | "v1.28" | "v1.29" | "latest"
7483					}
7484				}
7485
7486				// VerifyImages is used to verify image signatures and mutate them
7487				// to add a digest
7488				"verifyImages"?: [...{
7489					// Deprecated.
7490					"additionalExtensions"?: [string]: string
7491
7492					// Deprecated. Use annotations per Attestor instead.
7493					"annotations"?: {
7494						[string]: string
7495					}
7496
7497					// Attestations are optional checks for signed in-toto Statements
7498					// used to verify the image.
7499					// See https://github.com/in-toto/attestation. Kyverno fetches
7500					// signed attestations from the
7501					// OCI registry and decodes them into a list of Statement
7502					// declarations.
7503					"attestations"?: [...{
7504						// Attestors specify the required attestors (i.e. authorities).
7505						"attestors"?: [...{
7506							// Count specifies the required number of entries that must match.
7507							// If the count is null, all entries must match
7508							// (a logical AND). If the count is 1, at least one entry must
7509							// match (a logical OR). If the count contains a
7510							// value N, then N must be less than or equal to the size of
7511							// entries, and at least N entries must match.
7512							"count"?: int & >=1
7513
7514							// Entries contains the available attestors. An attestor can be a
7515							// static key,
7516							// attributes for keyless verification, or a nested attestor
7517							// declaration.
7518							"entries"?: [...{
7519								// Annotations are used for image verification.
7520								// Every specified key-value pair must exist and match in the
7521								// verified payload.
7522								// The payload may contain other key-value pairs.
7523								"annotations"?: [string]: string
7524
7525								// Attestor is a nested set of Attestor used to specify a more
7526								// complex set of match authorities.
7527								"attestor"?: null | bool | number | string | [...] | {
7528									...
7529								}
7530
7531								// Certificates specifies one or more certificates.
7532								"certificates"?: {
7533									// Cert is an optional PEM-encoded public certificate.
7534									"cert"?: string
7535
7536									// CertChain is an optional PEM encoded set of certificates used
7537									// to verify.
7538									"certChain"?: string
7539
7540									// CTLog (certificate timestamp log) provides a configuration for
7541									// validation of Signed Certificate
7542									// Timestamps (SCTs). If the value is unset, the default behavior
7543									// by Cosign is used.
7544									"ctlog"?: {
7545										// IgnoreSCT defines whether to use the Signed Certificate
7546										// Timestamp (SCT) log to check for a certificate
7547										// timestamp. Default is false. Set to true if this was opted out
7548										// during signing.
7549										"ignoreSCT"?: bool
7550
7551										// PubKey, if set, is used to validate SCTs against a custom
7552										// source.
7553										"pubkey"?: string
7554
7555										// TSACertChain, if set, is the PEM-encoded certificate chain file
7556										// for the RFC3161 timestamp authority. Must
7557										// contain the root CA certificate. Optionally may contain
7558										// intermediate CA certificates, and
7559										// may contain the leaf TSA certificate if not present in the
7560										// timestamurce.
7561										"tsaCertChain"?: string
7562									}
7563
7564									// Rekor provides configuration for the Rekor transparency log
7565									// service. If an empty object
7566									// is provided the public instance of Rekor
7567									// (https://rekor.sigstore.dev) is used.
7568									"rekor"?: {
7569										// IgnoreTlog skips transparency log verification.
7570										"ignoreTlog"?: bool
7571
7572										// RekorPubKey is an optional PEM-encoded public key to use for a
7573										// custom Rekor.
7574										// If set, this will be used to validate transparency log
7575										// signatures from a custom Rekor.
7576										"pubkey"?: string
7577
7578										// URL is the address of the transparency log. Defaults to the
7579										// public Rekor log instance https://rekor.sigstore.dev.
7580										"url"?: string
7581									}
7582								}
7583
7584								// Keyless is a set of attribute used to verify a Sigstore keyless
7585								// attestor.
7586								// See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
7587								"keyless"?: {
7588									// AdditionalExtensions are certificate-extensions used for
7589									// keyless signing.
7590									"additionalExtensions"?: [string]: string
7591
7592									// CTLog (certificate timestamp log) provides a configuration for
7593									// validation of Signed Certificate
7594									// Timestamps (SCTs). If the value is unset, the default behavior
7595									// by Cosign is used.
7596									"ctlog"?: {
7597										// IgnoreSCT defines whether to use the Signed Certificate
7598										// Timestamp (SCT) log to check for a certificate
7599										// timestamp. Default is false. Set to true if this was opted out
7600										// during signing.
7601										"ignoreSCT"?: bool
7602
7603										// PubKey, if set, is used to validate SCTs against a custom
7604										// source.
7605										"pubkey"?: string
7606
7607										// TSACertChain, if set, is the PEM-encoded certificate chain file
7608										// for the RFC3161 timestamp authority. Must
7609										// contain the root CA certificate. Optionally may contain
7610										// intermediate CA certificates, and
7611										// may contain the leaf TSA certificate if not present in the
7612										// timestamurce.
7613										"tsaCertChain"?: string
7614									}
7615
7616									// Issuer is the certificate issuer used for keyless signing.
7617									"issuer"?: string
7618
7619									// IssuerRegExp is the regular expression to match certificate
7620									// issuer used for keyless signing.
7621									"issuerRegExp"?: string
7622
7623									// Rekor provides configuration for the Rekor transparency log
7624									// service. If an empty object
7625									// is provided the public instance of Rekor
7626									// (https://rekor.sigstore.dev) is used.
7627									"rekor"?: {
7628										// IgnoreTlog skips transparency log verification.
7629										"ignoreTlog"?: bool
7630
7631										// RekorPubKey is an optional PEM-encoded public key to use for a
7632										// custom Rekor.
7633										// If set, this will be used to validate transparency log
7634										// signatures from a custom Rekor.
7635										"pubkey"?: string
7636
7637										// URL is the address of the transparency log. Defaults to the
7638										// public Rekor log instance https://rekor.sigstore.dev.
7639										"url"?: string
7640									}
7641
7642									// Roots is an optional set of PEM encoded trusted root
7643									// certificates.
7644									// If not provided, the system roots are used.
7645									"roots"?: string
7646
7647									// Subject is the verified identity used for keyless signing, for
7648									// example the email address.
7649									"subject"?: string
7650
7651									// SubjectRegExp is the regular expression to match identity used
7652									// for keyless signing, for example the email address.
7653									"subjectRegExp"?: string
7654								}
7655
7656								// Keys specifies one or more public keys.
7657								"keys"?: {
7658									// CTLog (certificate timestamp log) provides a configuration for
7659									// validation of Signed Certificate
7660									// Timestamps (SCTs). If the value is unset, the default behavior
7661									// by Cosign is used.
7662									"ctlog"?: {
7663										// IgnoreSCT defines whether to use the Signed Certificate
7664										// Timestamp (SCT) log to check for a certificate
7665										// timestamp. Default is false. Set to true if this was opted out
7666										// during signing.
7667										"ignoreSCT"?: bool
7668
7669										// PubKey, if set, is used to validate SCTs against a custom
7670										// source.
7671										"pubkey"?: string
7672
7673										// TSACertChain, if set, is the PEM-encoded certificate chain file
7674										// for the RFC3161 timestamp authority. Must
7675										// contain the root CA certificate. Optionally may contain
7676										// intermediate CA certificates, and
7677										// may contain the leaf TSA certificate if not present in the
7678										// timestamurce.
7679										"tsaCertChain"?: string
7680									}
7681
7682									// KMS provides the URI to the public key stored in a Key
7683									// Management System. See:
7684									// https://github.com/sigstore/cosign/blob/main/KMS.md
7685									"kms"?: string
7686
7687									// Keys is a set of X.509 public keys used to verify image
7688									// signatures. The keys can be directly
7689									// specified or can be a variable reference to a key specified in
7690									// a ConfigMap (see
7691									// https://kyverno.io/docs/writing-policies/variables/), or
7692									// reference a standard Kubernetes Secret
7693									// elsewhere in the cluster by specifying it in the format
7694									// "k8s://<namespace>/<secret_name>".
7695									// The named Secret must specify a key `cosign.pub` containing the
7696									// public key used for
7697									// verification, (see
7698									// https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
7699									// When multiple keys are specified each key is processed as a
7700									// separate staticKey entry
7701									// (.attestors[*].entries.keys) within the set of attestors and
7702									// the count is applied across the keys.
7703									"publicKeys"?: string
7704
7705									// Rekor provides configuration for the Rekor transparency log
7706									// service. If an empty object
7707									// is provided the public instance of Rekor
7708									// (https://rekor.sigstore.dev) is used.
7709									"rekor"?: {
7710										// IgnoreTlog skips transparency log verification.
7711										"ignoreTlog"?: bool
7712
7713										// RekorPubKey is an optional PEM-encoded public key to use for a
7714										// custom Rekor.
7715										// If set, this will be used to validate transparency log
7716										// signatures from a custom Rekor.
7717										"pubkey"?: string
7718
7719										// URL is the address of the transparency log. Defaults to the
7720										// public Rekor log instance https://rekor.sigstore.dev.
7721										"url"?: string
7722									}
7723
7724									// Reference to a Secret resource that contains a public key
7725									"secret"?: {
7726										// Name of the secret. The provided secret must contain a key
7727										// named cosign.pub.
7728										"name"!: string
7729
7730										// Namespace name where the Secret exists.
7731										"namespace"!: string
7732									}
7733
7734									// Deprecated. Use attestor.signatureAlgorithm instead.
7735									"signatureAlgorithm"?: string
7736								}
7737
7738								// Repository is an optional alternate OCI repository to use for
7739								// signatures and attestations that match this rule.
7740								// If specified Repository will override other OCI image
7741								// repository locations for this Attestor.
7742								"repository"?: string
7743
7744								// Specify signature algorithm for public keys. Supported values
7745								// are sha224, sha256, sha384 and sha512.
7746								"signatureAlgorithm"?: string
7747							}]
7748						}]
7749
7750						// Conditions are used to verify attributes within a Predicate. If
7751						// no Conditions are specified
7752						// the attestation check is satisfied as long there are predicates
7753						// that match the predicate type.
7754						"conditions"?: [...{
7755							// AllConditions enable variable-based conditional rule execution.
7756							// This is useful for
7757							// finer control of when an rule is applied. A condition can
7758							// reference object data
7759							// using JMESPath notation.
7760							// Here, all of the conditions need to pass
7761							"all"?: [...{
7762								// Key is the context entry (using JMESPath) for conditional rule
7763								// evaluation.
7764								"key"?: null | bool | number | string | [...] | {
7765									...
7766								}
7767
7768								// Message is an optional display message
7769								"message"?: string
7770
7771								// Operator is the conditional operation to perform. Valid
7772								// operators are:
7773								// Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
7774								// GreaterThanOrEquals,
7775								// GreaterThan, LessThanOrEquals, LessThan,
7776								// DurationGreaterThanOrEquals, DurationGreaterThan,
7777								// DurationLessThanOrEquals, DurationLessThan
7778								"operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
7779
7780								// Value is the conditional value, or set of values. The values
7781								// can be fixed set
7782								// or can be variables declared using JMESPath.
7783								"value"?: null | bool | number | string | [...] | {
7784									...
7785								}
7786							}]
7787
7788							// AnyConditions enable variable-based conditional rule execution.
7789							// This is useful for
7790							// finer control of when an rule is applied. A condition can
7791							// reference object data
7792							// using JMESPath notation.
7793							// Here, at least one of the conditions need to pass
7794							"any"?: [...{
7795								// Key is the context entry (using JMESPath) for conditional rule
7796								// evaluation.
7797								"key"?: null | bool | number | string | [...] | {
7798									...
7799								}
7800
7801								// Message is an optional display message
7802								"message"?: string
7803
7804								// Operator is the conditional operation to perform. Valid
7805								// operators are:
7806								// Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
7807								// GreaterThanOrEquals,
7808								// GreaterThan, LessThanOrEquals, LessThan,
7809								// DurationGreaterThanOrEquals, DurationGreaterThan,
7810								// DurationLessThanOrEquals, DurationLessThan
7811								"operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
7812
7813								// Value is the conditional value, or set of values. The values
7814								// can be fixed set
7815								// or can be variables declared using JMESPath.
7816								"value"?: null | bool | number | string | [...] | {
7817									...
7818								}
7819							}]
7820						}]
7821
7822						// Name is the variable name.
7823						"name"?: string
7824
7825						// Deprecated in favour of 'Type', to be removed soon
7826						"predicateType"?: string
7827
7828						// Type defines the type of attestation contained within the
7829						// Statement.
7830						"type"?: string
7831					}]
7832
7833					// Attestors specified the required attestors (i.e. authorities)
7834					"attestors"?: [...{
7835						// Count specifies the required number of entries that must match.
7836						// If the count is null, all entries must match
7837						// (a logical AND). If the count is 1, at least one entry must
7838						// match (a logical OR). If the count contains a
7839						// value N, then N must be less than or equal to the size of
7840						// entries, and at least N entries must match.
7841						"count"?: int & >=1
7842
7843						// Entries contains the available attestors. An attestor can be a
7844						// static key,
7845						// attributes for keyless verification, or a nested attestor
7846						// declaration.
7847						"entries"?: [...{
7848							// Annotations are used for image verification.
7849							// Every specified key-value pair must exist and match in the
7850							// verified payload.
7851							// The payload may contain other key-value pairs.
7852							"annotations"?: [string]: string
7853
7854							// Attestor is a nested set of Attestor used to specify a more
7855							// complex set of match authorities.
7856							"attestor"?: null | bool | number | string | [...] | {
7857								...
7858							}
7859
7860							// Certificates specifies one or more certificates.
7861							"certificates"?: {
7862								// Cert is an optional PEM-encoded public certificate.
7863								"cert"?: string
7864
7865								// CertChain is an optional PEM encoded set of certificates used
7866								// to verify.
7867								"certChain"?: string
7868
7869								// CTLog (certificate timestamp log) provides a configuration for
7870								// validation of Signed Certificate
7871								// Timestamps (SCTs). If the value is unset, the default behavior
7872								// by Cosign is used.
7873								"ctlog"?: {
7874									// IgnoreSCT defines whether to use the Signed Certificate
7875									// Timestamp (SCT) log to check for a certificate
7876									// timestamp. Default is false. Set to true if this was opted out
7877									// during signing.
7878									"ignoreSCT"?: bool
7879
7880									// PubKey, if set, is used to validate SCTs against a custom
7881									// source.
7882									"pubkey"?: string
7883
7884									// TSACertChain, if set, is the PEM-encoded certificate chain file
7885									// for the RFC3161 timestamp authority. Must
7886									// contain the root CA certificate. Optionally may contain
7887									// intermediate CA certificates, and
7888									// may contain the leaf TSA certificate if not present in the
7889									// timestamurce.
7890									"tsaCertChain"?: string
7891								}
7892
7893								// Rekor provides configuration for the Rekor transparency log
7894								// service. If an empty object
7895								// is provided the public instance of Rekor
7896								// (https://rekor.sigstore.dev) is used.
7897								"rekor"?: {
7898									// IgnoreTlog skips transparency log verification.
7899									"ignoreTlog"?: bool
7900
7901									// RekorPubKey is an optional PEM-encoded public key to use for a
7902									// custom Rekor.
7903									// If set, this will be used to validate transparency log
7904									// signatures from a custom Rekor.
7905									"pubkey"?: string
7906
7907									// URL is the address of the transparency log. Defaults to the
7908									// public Rekor log instance https://rekor.sigstore.dev.
7909									"url"?: string
7910								}
7911							}
7912
7913							// Keyless is a set of attribute used to verify a Sigstore keyless
7914							// attestor.
7915							// See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
7916							"keyless"?: {
7917								// AdditionalExtensions are certificate-extensions used for
7918								// keyless signing.
7919								"additionalExtensions"?: [string]: string
7920
7921								// CTLog (certificate timestamp log) provides a configuration for
7922								// validation of Signed Certificate
7923								// Timestamps (SCTs). If the value is unset, the default behavior
7924								// by Cosign is used.
7925								"ctlog"?: {
7926									// IgnoreSCT defines whether to use the Signed Certificate
7927									// Timestamp (SCT) log to check for a certificate
7928									// timestamp. Default is false. Set to true if this was opted out
7929									// during signing.
7930									"ignoreSCT"?: bool
7931
7932									// PubKey, if set, is used to validate SCTs against a custom
7933									// source.
7934									"pubkey"?: string
7935
7936									// TSACertChain, if set, is the PEM-encoded certificate chain file
7937									// for the RFC3161 timestamp authority. Must
7938									// contain the root CA certificate. Optionally may contain
7939									// intermediate CA certificates, and
7940									// may contain the leaf TSA certificate if not present in the
7941									// timestamurce.
7942									"tsaCertChain"?: string
7943								}
7944
7945								// Issuer is the certificate issuer used for keyless signing.
7946								"issuer"?: string
7947
7948								// IssuerRegExp is the regular expression to match certificate
7949								// issuer used for keyless signing.
7950								"issuerRegExp"?: string
7951
7952								// Rekor provides configuration for the Rekor transparency log
7953								// service. If an empty object
7954								// is provided the public instance of Rekor
7955								// (https://rekor.sigstore.dev) is used.
7956								"rekor"?: {
7957									// IgnoreTlog skips transparency log verification.
7958									"ignoreTlog"?: bool
7959
7960									// RekorPubKey is an optional PEM-encoded public key to use for a
7961									// custom Rekor.
7962									// If set, this will be used to validate transparency log
7963									// signatures from a custom Rekor.
7964									"pubkey"?: string
7965
7966									// URL is the address of the transparency log. Defaults to the
7967									// public Rekor log instance https://rekor.sigstore.dev.
7968									"url"?: string
7969								}
7970
7971								// Roots is an optional set of PEM encoded trusted root
7972								// certificates.
7973								// If not provided, the system roots are used.
7974								"roots"?: string
7975
7976								// Subject is the verified identity used for keyless signing, for
7977								// example the email address.
7978								"subject"?: string
7979
7980								// SubjectRegExp is the regular expression to match identity used
7981								// for keyless signing, for example the email address.
7982								"subjectRegExp"?: string
7983							}
7984
7985							// Keys specifies one or more public keys.
7986							"keys"?: {
7987								// CTLog (certificate timestamp log) provides a configuration for
7988								// validation of Signed Certificate
7989								// Timestamps (SCTs). If the value is unset, the default behavior
7990								// by Cosign is used.
7991								"ctlog"?: {
7992									// IgnoreSCT defines whether to use the Signed Certificate
7993									// Timestamp (SCT) log to check for a certificate
7994									// timestamp. Default is false. Set to true if this was opted out
7995									// during signing.
7996									"ignoreSCT"?: bool
7997
7998									// PubKey, if set, is used to validate SCTs against a custom
7999									// source.
8000									"pubkey"?: string
8001
8002									// TSACertChain, if set, is the PEM-encoded certificate chain file
8003									// for the RFC3161 timestamp authority. Must
8004									// contain the root CA certificate. Optionally may contain
8005									// intermediate CA certificates, and
8006									// may contain the leaf TSA certificate if not present in the
8007									// timestamurce.
8008									"tsaCertChain"?: string
8009								}
8010
8011								// KMS provides the URI to the public key stored in a Key
8012								// Management System. See:
8013								// https://github.com/sigstore/cosign/blob/main/KMS.md
8014								"kms"?: string
8015
8016								// Keys is a set of X.509 public keys used to verify image
8017								// signatures. The keys can be directly
8018								// specified or can be a variable reference to a key specified in
8019								// a ConfigMap (see
8020								// https://kyverno.io/docs/writing-policies/variables/), or
8021								// reference a standard Kubernetes Secret
8022								// elsewhere in the cluster by specifying it in the format
8023								// "k8s://<namespace>/<secret_name>".
8024								// The named Secret must specify a key `cosign.pub` containing the
8025								// public key used for
8026								// verification, (see
8027								// https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
8028								// When multiple keys are specified each key is processed as a
8029								// separate staticKey entry
8030								// (.attestors[*].entries.keys) within the set of attestors and
8031								// the count is applied across the keys.
8032								"publicKeys"?: string
8033
8034								// Rekor provides configuration for the Rekor transparency log
8035								// service. If an empty object
8036								// is provided the public instance of Rekor
8037								// (https://rekor.sigstore.dev) is used.
8038								"rekor"?: {
8039									// IgnoreTlog skips transparency log verification.
8040									"ignoreTlog"?: bool
8041
8042									// RekorPubKey is an optional PEM-encoded public key to use for a
8043									// custom Rekor.
8044									// If set, this will be used to validate transparency log
8045									// signatures from a custom Rekor.
8046									"pubkey"?: string
8047
8048									// URL is the address of the transparency log. Defaults to the
8049									// public Rekor log instance https://rekor.sigstore.dev.
8050									"url"?: string
8051								}
8052
8053								// Reference to a Secret resource that contains a public key
8054								"secret"?: {
8055									// Name of the secret. The provided secret must contain a key
8056									// named cosign.pub.
8057									"name"!: string
8058
8059									// Namespace name where the Secret exists.
8060									"namespace"!: string
8061								}
8062
8063								// Deprecated. Use attestor.signatureAlgorithm instead.
8064								"signatureAlgorithm"?: string
8065							}
8066
8067							// Repository is an optional alternate OCI repository to use for
8068							// signatures and attestations that match this rule.
8069							// If specified Repository will override other OCI image
8070							// repository locations for this Attestor.
8071							"repository"?: string
8072
8073							// Specify signature algorithm for public keys. Supported values
8074							// are sha224, sha256, sha384 and sha512.
8075							"signatureAlgorithm"?: string
8076						}]
8077					}]
8078
8079					// CosignOCI11 enables the experimental OCI 1.1 behaviour in
8080					// cosign image verification.
8081					// Defaults to false.
8082					"cosignOCI11"?: bool
8083
8084					// Allowed values are Audit or Enforce.
8085					"failureAction"?: "Audit" | "Enforce"
8086
8087					// Deprecated. Use ImageReferences instead.
8088					"image"?: string
8089
8090					// ImageReferences is a list of matching image reference patterns.
8091					// At least one pattern in the
8092					// list must match the image for the rule to apply. Each image
8093					// reference consists of a registry
8094					// address (defaults to docker.io), repository, image, and tag
8095					// (defaults to latest).
8096					// Wildcards ('*' and '?') are allowed. See:
8097					// https://kubernetes.io/docs/concepts/containers/images.
8098					"imageReferences"?: [...string]
8099
8100					// ImageRegistryCredentials provides credentials that will be used
8101					// for authentication with registry.
8102					"imageRegistryCredentials"?: {
8103						// AllowInsecureRegistry allows insecure access to a registry.
8104						"allowInsecureRegistry"?: bool
8105
8106						// Providers specifies a list of OCI Registry names, whose
8107						// authentication providers are provided.
8108						// It can be of one of these values:
8109						// default,google,azure,amazon,github.
8110						"providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
8111
8112						// Secrets specifies a list of secrets that are provided for
8113						// credentials.
8114						// Secrets must live in the Kyverno namespace.
8115						"secrets"?: [...string]
8116					}
8117
8118					// Deprecated. Use KeylessAttestor instead.
8119					"issuer"?: string
8120
8121					// Deprecated. Use StaticKeyAttestor instead.
8122					"key"?: string
8123
8124					// MutateDigest enables replacement of image tags with digests.
8125					// Defaults to true.
8126					"mutateDigest"?: bool
8127
8128					// Repository is an optional alternate OCI repository to use for
8129					// image signatures and attestations that match this rule.
8130					// If specified Repository will override the default OCI image
8131					// repository configured for the installation.
8132					// The repository can also be overridden per Attestor or
8133					// Attestation.
8134					"repository"?: string
8135
8136					// Required validates that images are verified i.e. have matched
8137					// passed a signature or attestation check.
8138					"required"?: bool
8139
8140					// Deprecated. Use KeylessAttestor instead.
8141					"roots"?: string
8142
8143					// SkipImageReferences is a list of matching image reference
8144					// patterns that should be skipped.
8145					// At least one pattern in the list must match the image for the
8146					// rule to be skipped. Each image reference
8147					// consists of a registry address (defaults to docker.io),
8148					// repository, image, and tag (defaults to latest).
8149					// Wildcards ('*' and '?') are allowed. See:
8150					// https://kubernetes.io/docs/concepts/containers/images.
8151					"skipImageReferences"?: [...string]
8152
8153					// Deprecated. Use KeylessAttestor instead.
8154					"subject"?: string
8155
8156					// Type specifies the method of signature validation. The allowed
8157					// options
8158					// are Cosign, Sigstore Bundle and Notary. By default Cosign is
8159					// used if a type is not specified.
8160					"type"?: "Cosign" | "SigstoreBundle" | "Notary"
8161
8162					// UseCache enables caching of image verify responses for this
8163					// rule.
8164					"useCache"?: bool
8165
8166					// Validation checks conditions across multiple image
8167					// verification attestations or context entries
8168					"validate"?: {
8169						// Deny defines conditions used to pass or fail a validation rule.
8170						"deny"?: {
8171							// Multiple conditions can be declared under an `any` or `all`
8172							// statement. A direct list
8173							// of conditions (without `any` or `all` statements) is also
8174							// supported for backwards compatibility
8175							// but will be deprecated in the next major release.
8176							// See:
8177							// https://kyverno.io/docs/writing-policies/validate/#deny-rules
8178							"conditions"?: null | bool | number | string | [...] | {
8179								...
8180							}
8181						}
8182
8183						// Message specifies a custom message to be displayed on failure.
8184						"message"?: string
8185					}
8186
8187					// VerifyDigest validates that images have a digest.
8188					"verifyDigest"?: bool
8189				}]
8190			}]
8191		}
8192		"conditions"?: [...{
8193			// lastTransitionTime is the last time the condition transitioned
8194			// from one status to another.
8195			// This should be when the underlying condition changed. If that
8196			// is not known, then using the time when the API field changed
8197			// is acceptable.
8198			"lastTransitionTime"!: time.Time
8199
8200			// message is a human readable message indicating details about
8201			// the transition.
8202			// This may be an empty string.
8203			"message"!: strings.MaxRunes(
8204					32768)
8205
8206			// observedGeneration represents the .metadata.generation that the
8207			// condition was set based upon.
8208			// For instance, if .metadata.generation is currently 12, but the
8209			// .status.conditions[x].observedGeneration is 9, the condition
8210			// is out of date
8211			// with respect to the current state of the instance.
8212			"observedGeneration"?: int64 & int & >=0
8213
8214			// reason contains a programmatic identifier indicating the reason
8215			// for the condition's last transition.
8216			// Producers of specific condition types may define expected
8217			// values and meanings for this field,
8218			// and whether the values are considered a guaranteed API.
8219			// The value should be a CamelCase string.
8220			// This field may not be empty.
8221			"reason"!: strings.MaxRunes(
8222					1024) & strings.MinRunes(
8223					1) & =~"^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$"
8224
8225			// status of the condition, one of True, False, Unknown.
8226			"status"!: "True" | "False" | "Unknown"
8227
8228			// type of condition in CamelCase or in foo.example.com/CamelCase.
8229			"type"!: strings.MaxRunes(
8230					316) & =~"^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$"
8231		}]
8232
8233		// Deprecated in favor of Conditions
8234		"ready"?: bool
8235
8236		// RuleCountStatus contains four variables which describes counts
8237		// for
8238		// validate, generate, mutate and verify images rules
8239		"rulecount"?: {
8240			// Count for generate rules in policy
8241			"generate"!: int
8242
8243			// Count for mutate rules in policy
8244			"mutate"!: int
8245
8246			// Count for validate rules in policy
8247			"validate"!: int
8248
8249			// Count for verify image rules in policy
8250			"verifyimages"!: int
8251		}
8252
8253		// ValidatingAdmissionPolicy contains status information
8254		"validatingadmissionpolicy"?: {
8255			// Generated indicates whether a validating admission policy is
8256			// generated from the policy or not
8257			"generated"!: bool
8258
8259			// Message is a human readable message indicating details about
8260			// the generation of validating admission policy
8261			// It is an empty string when validating admission policy is
8262			// successfully generated.
8263			"message"!: string
8264		}
8265	}
8266
8267	_embeddedResource: {
8268		"apiVersion"!: string
8269		"kind"!:       string
8270		"metadata"?: {
8271			...
8272		}
8273	}
8274	apiVersion: "kyverno.io/v1"
8275	kind:       "ClusterPolicy"
8276	metadata!: {
8277		"name"!:      string
8278		"namespace"?: string
8279		"labels"?: {
8280			[string]: string
8281		}
8282		"annotations"?: {
8283			[string]: string
8284		}
8285		...
8286	}
8287}