
   1package v2beta1
   2
   3import (
   4	"strings"
   5	"time"
   6)
   7
   8// ClusterPolicy declares validation, mutation, and generation
   9// behaviors for matching resources.
  10#ClusterPolicy: {
  11	_embeddedResource
  12
  13	// APIVersion defines the versioned schema of this representation
  14	// of an object.
  15	// Servers should convert recognized schemas to the latest
  16	// internal value, and
  17	// may reject unrecognized values.
  18	// More info:
  19	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  20	"apiVersion"?: string
  21
  22	// Kind is a string value representing the REST resource this
  23	// object represents.
  24	// Servers may infer this from the endpoint the client submits
  25	// requests to.
  26	// Cannot be updated.
  27	// In CamelCase.
  28	// More info:
  29	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  30	"kind"?: string
  31	"metadata"?: {}
  32
  33	// Spec declares policy behaviors.
  34	"spec"!: {
  35		// Admission controls if rules are applied during admission.
  36		// Optional. Default value is "true".
  37		"admission"?: bool
  38
   39		// ApplyRules controls how rules in a policy are applied. Rules are
   40		// processed in the order of declaration. When set to `One`, processing
   41		// stops after a rule has been applied, i.e. the rule matches and
   42		// results in a pass, fail, or error. Rules declared after that point
   43		// are never evaluated, so with `One` the declaration order decides
   44		// which rule is enforced; list the strictest rule first. When set to
   45		// `All`, every rule in the policy is processed. The default
   46		// is `All`.
  47		"applyRules"?: "All" | "One"
  48
  49		// Background controls if rules are applied to existing resources
  50		// during a background scan.
  51		// Optional. Default value is "true". The value must be set to
  52		// "false" if the policy rule
  53		// uses variables that are only available in the admission review
  54		// request (e.g. user name).
  55		"background"?: bool
  56
  57		// EmitWarning enables API response warnings for mutate policy
  58		// rules or validate policy rules with validationFailureAction
  59		// set to Audit.
  60		// Enabling this option will extend admission request processing
  61		// times. The default value is "false".
  62		"emitWarning"?: bool
  63
   64		// Deprecated, use failurePolicy under the webhookConfiguration instead. `Ignore`
   65		// admits the request when the webhook call errors (fail-open); `Fail` rejects it (fail-closed). Security-enforcing policies generally want `Fail`.
  66		"failurePolicy"?: "Ignore" | "Fail"
  67
  68		// Deprecated, use generateExisting under the generate rule
  69		// instead
  70		"generateExisting"?: bool
  71
  72		// Deprecated, use generateExisting instead
  73		"generateExistingOnPolicyUpdate"?: bool
  74
  75		// Deprecated, use mutateExistingOnPolicyUpdate under the mutate
  76		// rule instead
  77		"mutateExistingOnPolicyUpdate"?: bool
  78
  79		// Rules is a list of Rule instances. A Policy contains multiple
  80		// rules and
  81		// each rule can validate, mutate, or generate resources.
  82		"rules"?: [...{
  83			// CELPreconditions are used to determine if a policy rule should
  84			// be applied by evaluating a
  85			// set of CEL conditions. It can only be used with the
  86			// validate.cel subrule
  87			"celPreconditions"?: [...{
  88				// Expression represents the expression which will be evaluated by
  89				// CEL. Must evaluate to bool.
  90				// CEL expressions have access to the contents of the
  91				// AdmissionRequest and Authorizer, organized into CEL variables:
  92				//
  93				// 'object' - The object from the incoming request. The value is
  94				// null for DELETE requests.
  95				// 'oldObject' - The existing object. The value is null for CREATE
  96				// requests.
  97				// 'request' - Attributes of the admission
  98				// request(/pkg/apis/admission/types.go#AdmissionRequest).
  99				// 'authorizer' - A CEL Authorizer. May be used to perform
 100				// authorization checks for the principal (user or service
 101				// account) of the request.
 102				// See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
 103				// 'authorizer.requestResource' - A CEL ResourceCheck constructed
 104				// from the 'authorizer' and configured with the
 105				// request resource.
 106				// Documentation on CEL:
 107				// https://kubernetes.io/docs/reference/using-api/cel/
 108				//
 109				// Required.
 110				"expression"!: string
 111
 112				// Name is an identifier for this match condition, used for
 113				// strategic merging of MatchConditions,
 114				// as well as providing an identifier for logging purposes. A good
 115				// name should be descriptive of
 116				// the associated expression.
 117				// Name must be a qualified name consisting of alphanumeric
 118				// characters, '-', '_' or '.', and
 119				// must start and end with an alphanumeric character (e.g.
 120				// 'MyName', or 'my.name', or
 121				// '123-abc', regex used for validation is
 122				// '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
 123				// optional DNS subdomain prefix and '/' (e.g.
 124				// 'example.com/MyName')
 125				//
 126				// Required.
 127				"name"!: string
 128			}]
 129
 130			// Context defines variables and data sources that can be used
 131			// during rule execution.
 132			"context"?: [...matchN(1, [{
 133				"configMap"!: _
 134			}, {
 135				"apiCall"!: _
 136			}, {
 137				"imageRegistry"!: _
 138			}, {
 139				"variable"!: _
 140			}, {
 141				"globalReference"!: _
 142			}]) & {
 143				// APICall is an HTTP request to the Kubernetes API server, or
 144				// other JSON web service.
 145				// The data returned is stored in the context with the name for
 146				// the context entry.
 147				"apiCall"?: {
 148					// The data object specifies the POST data sent to the server.
 149					// Only applicable when the method field is set to POST.
 150					"data"?: [...{
 151						// Key is a unique identifier for the data value
 152						"key"!: string
 153
 154						// Value is the data value
 155						"value"!: null | bool | number | string | [...] | {
 156							...
 157						}
 158					}]
 159
  160					// Default is an optional arbitrary JSON object that the context value is set to
  161					// if the apiCall returns an error. A default silently masks a failed fetch, so choose one that makes the dependent validation fail closed rather than one that quietly admits the resource.
 162					"default"?: null | bool | number | string | [...] | {
 163						...
 164					}
 165
 166					// JMESPath is an optional JSON Match Expression that can be used
 167					// to
 168					// transform the JSON response returned from the server. For
 169					// example
 170					// a JMESPath of "items | length(@)" applied to the API server
 171					// response
 172					// for the URLPath "/apis/apps/v1/deployments" will return the
 173					// total count
 174					// of deployments across all namespaces.
 175					"jmesPath"?: string
 176
 177					// Method is the HTTP request type (GET or POST). Defaults to GET.
 178					"method"?: "GET" | "POST"
 179
 180					// Service is an API call to a JSON web service.
 181					// This is used for non-Kubernetes API server calls.
 182					// It's mutually exclusive with the URLPath field.
 183					"service"?: {
  184						// CABundle is a PEM-encoded CA bundle used to validate the server certificate
  185						// of the `url` endpoint. Set it for any `https://` service so the trust anchor is explicit in
  186						// the policy; when omitted, validation relies on the controller's default trust store (confirm for your Kyverno version).
 187						"caBundle"?: string
 188
  189						// Headers is a list of optional HTTP headers to be included in the request.
  190						// Values are stored in plaintext in the policy object, so any credential placed here is readable by everyone with read access to the ClusterPolicy.
 191						"headers"?: [...{
 192							// Key is the header key
 193							"key"!: string
 194
 195							// Value is the header value
 196							"value"!: string
 197						}]
 198
  199						// URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`.
  200						// The request is issued by the Kyverno controller from inside the cluster, so anyone who can write a ClusterPolicy can point it at any endpoint the controller can reach (an SSRF surface); restrict policy-write RBAC accordingly.
 201						"url"!: string
 202					}
 203
  204					// URLPath is the URL path to be used in the HTTP GET or POST request to the
  205					// Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
  206					// The format required is the same format used by the `kubectl get --raw` command.
  207					// See
  208					// https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
  209					// for details.
  210					// NOTE(review): the call is presumably made with the Kyverno controller's own
  211					// service-account credentials rather than the requesting user's, so a policy author
  212					// can read whatever the controller's RBAC permits — confirm against your deployment.
  213					// It's mutually exclusive with the Service field.
 214					"urlPath"?: string
 215				}
 216
 217				// ConfigMap is the ConfigMap reference.
 218				"configMap"?: {
 219					// Name is the ConfigMap name.
 220					"name"!: string
 221
 222					// Namespace is the ConfigMap namespace.
 223					"namespace"?: string
 224				}
 225
 226				// GlobalContextEntryReference is a reference to a cached global
 227				// context entry.
 228				"globalReference"?: {
 229					// JMESPath is an optional JSON Match Expression that can be used
 230					// to
 231					// transform the JSON response returned from the server. For
 232					// example
 233					// a JMESPath of "items | length(@)" applied to the API server
 234					// response
 235					// for the URLPath "/apis/apps/v1/deployments" will return the
 236					// total count
 237					// of deployments across all namespaces.
 238					"jmesPath"?: string
 239
 240					// Name of the global context entry
 241					"name"!: string
 242				}
 243
 244				// ImageRegistry defines requests to an OCI/Docker V2 registry to
 245				// fetch image
 246				// details.
 247				"imageRegistry"?: {
 248					// ImageRegistryCredentials provides credentials that will be used
 249					// for authentication with registry
 250					"imageRegistryCredentials"?: {
  251						// AllowInsecureRegistry allows insecure access to a registry, weakening transport security for image lookups; leave it unset (false) except for deliberately isolated test registries.
 252						"allowInsecureRegistry"?: bool
 253
  254						// Providers specifies a list of OCI Registry names, whose
  255						// authentication providers are provided.
  256						// Each entry is one of these values:
  257						// default,google,azure,amazon,github.
 258						"providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
 259
 260						// Secrets specifies a list of secrets that are provided for
 261						// credentials.
 262						// Secrets must live in the Kyverno namespace.
 263						"secrets"?: [...string]
 264					}
 265
 266					// JMESPath is an optional JSON Match Expression that can be used
 267					// to
 268					// transform the ImageData struct returned as a result of
 269					// processing
 270					// the image reference.
 271					"jmesPath"?: string
 272
 273					// Reference is image reference to a container image in the
 274					// registry.
 275					// Example: ghcr.io/kyverno/kyverno:latest
 276					"reference"!: string
 277				}
 278
 279				// Name is the variable name.
 280				"name"!: string
 281
 282				// Variable defines an arbitrary JMESPath context variable that
 283				// can be defined inline.
 284				"variable"?: {
  285					// Default is an optional arbitrary JSON object that the variable may take
  286					// if the JMESPath expression evaluates to nil. As with apiCall defaults, pick a value
  287					// that makes dependent rules fail closed rather than one that silently admits the resource.
 288					"default"?: null | bool | number | string | [...] | {
 289						...
 290					}
 291
 292					// JMESPath is an optional JMESPath Expression that can be used to
 293					// transform the variable.
 294					"jmesPath"?: string
 295
 296					// Value is any arbitrary JSON object representable in YAML or
 297					// JSON form.
 298					"value"?: null | bool | number | string | [...] | {
 299						...
 300					}
 301				}
 302			}]
 303
 304			// ExcludeResources defines when this policy rule should not be
 305			// applied. The exclude
 306			// criteria can include resource information (e.g. kind, name,
 307			// namespace, labels)
 308			// and admission review request information like the name or role.
 309			"exclude"?: matchN(0, [null | bool | number | string | [...] | {
 310				"any"!: _
 311				"all"!: _
 312			}]) & {
 313				// All allows specifying resources which will be ANDed
 314				"all"?: [...{
 315					// ClusterRoles is the list of cluster-wide role names for the
 316					// user.
 317					"clusterRoles"?: [...string]
 318
 319					// ResourceDescription contains information about the resource
 320					// being created or modified.
 321					"resources"?: matchN(0, [null | bool | number | string | [...] | {
 322						"name"!:  _
 323						"names"!: _
 324					}]) & {
 325						// Annotations is a map of annotations (key-value pairs of type
 326						// string). Annotation keys
 327						// and values support the wildcard characters "*" (matches zero or
 328						// many characters) and
 329						// "?" (matches at least one character).
 330						"annotations"?: [string]: string
 331
 332						// Kinds is a list of resource kinds.
 333						"kinds"?: [...string]
 334
 335						// Name is the name of the resource. The name supports wildcard
 336						// characters
 337						// "*" (matches zero or many characters) and "?" (at least one
 338						// character).
 339						// NOTE: "Name" is being deprecated in favor of "Names".
 340						"name"?: string
 341
 342						// Names are the names of the resources. Each name supports
 343						// wildcard characters
 344						// "*" (matches zero or many characters) and "?" (at least one
 345						// character).
 346						"names"?: [...string]
 347
 348						// NamespaceSelector is a label selector for the resource
 349						// namespace. Label keys and values
 350						// in `matchLabels` support the wildcard characters `*` (matches
 351						// zero or many characters)
  352						// and `?` (matches one character). Wildcards allow writing label
 353						// selectors like
 354						// ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
 355						// any key and value but
 356						// does not match an empty label set.
 357						"namespaceSelector"?: {
 358							// matchExpressions is a list of label selector requirements. The
 359							// requirements are ANDed.
 360							"matchExpressions"?: [...{
 361								// key is the label key that the selector applies to.
 362								"key"!: string
 363
 364								// operator represents a key's relationship to a set of values.
 365								// Valid operators are In, NotIn, Exists and DoesNotExist.
 366								"operator"!: string
 367
 368								// values is an array of string values. If the operator is In or
 369								// NotIn,
 370								// the values array must be non-empty. If the operator is Exists
 371								// or DoesNotExist,
 372								// the values array must be empty. This array is replaced during a
 373								// strategic
 374								// merge patch.
 375								"values"?: [...string]
 376							}]
 377
 378							// matchLabels is a map of {key,value} pairs. A single {key,value}
 379							// in the matchLabels
 380							// map is equivalent to an element of matchExpressions, whose key
 381							// field is "key", the
 382							// operator is "In", and the values array contains only "value".
 383							// The requirements are ANDed.
 384							"matchLabels"?: {
 385								[string]: string
 386							}
 387						}
 388
 389						// Namespaces is a list of namespaces names. Each name supports
 390						// wildcard characters
 391						// "*" (matches zero or many characters) and "?" (at least one
 392						// character).
 393						"namespaces"?: [...string]
 394
  395						// Operations can contain values ["CREATE", "UPDATE", "CONNECT",
 396						// "DELETE"], which are used to match a specific action.
 397						"operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
 398
 399						// Selector is a label selector. Label keys and values in
 400						// `matchLabels` support the wildcard
 401						// characters `*` (matches zero or many characters) and `?`
 402						// (matches one character).
 403						// Wildcards allows writing label selectors like
 404						// ["storage.k8s.io/*": "*"]. Note that
 405						// using ["*" : "*"] matches any key and value but does not match
 406						// an empty label set.
 407						"selector"?: {
 408							// matchExpressions is a list of label selector requirements. The
 409							// requirements are ANDed.
 410							"matchExpressions"?: [...{
 411								// key is the label key that the selector applies to.
 412								"key"!: string
 413
 414								// operator represents a key's relationship to a set of values.
 415								// Valid operators are In, NotIn, Exists and DoesNotExist.
 416								"operator"!: string
 417
 418								// values is an array of string values. If the operator is In or
 419								// NotIn,
 420								// the values array must be non-empty. If the operator is Exists
 421								// or DoesNotExist,
 422								// the values array must be empty. This array is replaced during a
 423								// strategic
 424								// merge patch.
 425								"values"?: [...string]
 426							}]
 427
 428							// matchLabels is a map of {key,value} pairs. A single {key,value}
 429							// in the matchLabels
 430							// map is equivalent to an element of matchExpressions, whose key
 431							// field is "key", the
 432							// operator is "In", and the values array contains only "value".
 433							// The requirements are ANDed.
 434							"matchLabels"?: {
 435								[string]: string
 436							}
 437						}
 438					}
 439
 440					// Roles is the list of namespaced role names for the user.
 441					"roles"?: [...string]
 442
 443					// Subjects is the list of subject names like users, user groups,
 444					// and service accounts.
 445					"subjects"?: [...{
 446						// APIGroup holds the API group of the referenced subject.
 447						// Defaults to "" for ServiceAccount subjects.
 448						// Defaults to "rbac.authorization.k8s.io" for User and Group
 449						// subjects.
 450						"apiGroup"?: string
 451
 452						// Kind of object being referenced. Values defined by this API
 453						// group are "User", "Group", and "ServiceAccount".
  454						// If the Authorizer does not recognize the kind value, the
 455						// Authorizer should report an error.
 456						"kind"!: string
 457
 458						// Name of the object being referenced.
 459						"name"!: string
 460
 461						// Namespace of the referenced object. If the object kind is
 462						// non-namespace, such as "User" or "Group", and this value is
 463						// not empty
 464						// the Authorizer should report an error.
 465						"namespace"?: string
 466					}]
 467				}]
 468
 469				// Any allows specifying resources which will be ORed
 470				"any"?: [...{
 471					// ClusterRoles is the list of cluster-wide role names for the
 472					// user.
 473					"clusterRoles"?: [...string]
 474
 475					// ResourceDescription contains information about the resource
 476					// being created or modified.
 477					"resources"?: matchN(0, [null | bool | number | string | [...] | {
 478						"name"!:  _
 479						"names"!: _
 480					}]) & {
 481						// Annotations is a map of annotations (key-value pairs of type
 482						// string). Annotation keys
 483						// and values support the wildcard characters "*" (matches zero or
 484						// many characters) and
 485						// "?" (matches at least one character).
 486						"annotations"?: [string]: string
 487
 488						// Kinds is a list of resource kinds.
 489						"kinds"?: [...string]
 490
 491						// Name is the name of the resource. The name supports wildcard
 492						// characters
 493						// "*" (matches zero or many characters) and "?" (at least one
 494						// character).
 495						// NOTE: "Name" is being deprecated in favor of "Names".
 496						"name"?: string
 497
 498						// Names are the names of the resources. Each name supports
 499						// wildcard characters
 500						// "*" (matches zero or many characters) and "?" (at least one
 501						// character).
 502						"names"?: [...string]
 503
 504						// NamespaceSelector is a label selector for the resource
 505						// namespace. Label keys and values
 506						// in `matchLabels` support the wildcard characters `*` (matches
 507						// zero or many characters)
  508						// and `?` (matches one character). Wildcards allow writing label
 509						// selectors like
 510						// ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
 511						// any key and value but
 512						// does not match an empty label set.
 513						"namespaceSelector"?: {
 514							// matchExpressions is a list of label selector requirements. The
 515							// requirements are ANDed.
 516							"matchExpressions"?: [...{
 517								// key is the label key that the selector applies to.
 518								"key"!: string
 519
 520								// operator represents a key's relationship to a set of values.
 521								// Valid operators are In, NotIn, Exists and DoesNotExist.
 522								"operator"!: string
 523
 524								// values is an array of string values. If the operator is In or
 525								// NotIn,
 526								// the values array must be non-empty. If the operator is Exists
 527								// or DoesNotExist,
 528								// the values array must be empty. This array is replaced during a
 529								// strategic
 530								// merge patch.
 531								"values"?: [...string]
 532							}]
 533
 534							// matchLabels is a map of {key,value} pairs. A single {key,value}
 535							// in the matchLabels
 536							// map is equivalent to an element of matchExpressions, whose key
 537							// field is "key", the
 538							// operator is "In", and the values array contains only "value".
 539							// The requirements are ANDed.
 540							"matchLabels"?: {
 541								[string]: string
 542							}
 543						}
 544
 545						// Namespaces is a list of namespaces names. Each name supports
 546						// wildcard characters
 547						// "*" (matches zero or many characters) and "?" (at least one
 548						// character).
 549						"namespaces"?: [...string]
 550
  551						// Operations can contain values ["CREATE", "UPDATE", "CONNECT",
 552						// "DELETE"], which are used to match a specific action.
 553						"operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
 554
 555						// Selector is a label selector. Label keys and values in
 556						// `matchLabels` support the wildcard
 557						// characters `*` (matches zero or many characters) and `?`
 558						// (matches one character).
 559						// Wildcards allows writing label selectors like
 560						// ["storage.k8s.io/*": "*"]. Note that
 561						// using ["*" : "*"] matches any key and value but does not match
 562						// an empty label set.
 563						"selector"?: {
 564							// matchExpressions is a list of label selector requirements. The
 565							// requirements are ANDed.
 566							"matchExpressions"?: [...{
 567								// key is the label key that the selector applies to.
 568								"key"!: string
 569
 570								// operator represents a key's relationship to a set of values.
 571								// Valid operators are In, NotIn, Exists and DoesNotExist.
 572								"operator"!: string
 573
 574								// values is an array of string values. If the operator is In or
 575								// NotIn,
 576								// the values array must be non-empty. If the operator is Exists
 577								// or DoesNotExist,
 578								// the values array must be empty. This array is replaced during a
 579								// strategic
 580								// merge patch.
 581								"values"?: [...string]
 582							}]
 583
 584							// matchLabels is a map of {key,value} pairs. A single {key,value}
 585							// in the matchLabels
 586							// map is equivalent to an element of matchExpressions, whose key
 587							// field is "key", the
 588							// operator is "In", and the values array contains only "value".
 589							// The requirements are ANDed.
 590							"matchLabels"?: {
 591								[string]: string
 592							}
 593						}
 594					}
 595
 596					// Roles is the list of namespaced role names for the user.
 597					"roles"?: [...string]
 598
 599					// Subjects is the list of subject names like users, user groups,
 600					// and service accounts.
 601					"subjects"?: [...{
 602						// APIGroup holds the API group of the referenced subject.
 603						// Defaults to "" for ServiceAccount subjects.
 604						// Defaults to "rbac.authorization.k8s.io" for User and Group
 605						// subjects.
 606						"apiGroup"?: string
 607
 608						// Kind of object being referenced. Values defined by this API
 609						// group are "User", "Group", and "ServiceAccount".
  610						// If the Authorizer does not recognize the kind value, the
 611						// Authorizer should report an error.
 612						"kind"!: string
 613
 614						// Name of the object being referenced.
 615						"name"!: string
 616
 617						// Namespace of the referenced object. If the object kind is
 618						// non-namespace, such as "User" or "Group", and this value is
 619						// not empty
 620						// the Authorizer should report an error.
 621						"namespace"?: string
 622					}]
 623				}]
 624			}
 625
 626			// Generation is used to create new resources.
 627			"generate"?: {
 628				// APIVersion specifies resource apiVersion.
 629				"apiVersion"?: string
 630
 631				// Clone specifies the source resource used to populate each
 632				// generated resource.
 633				// At most one of Data or Clone can be specified. If neither are
 634				// provided, the generated
 635				// resource will be created with default data only.
 636				"clone"?: {
 637					// Name specifies name of the resource.
 638					"name"?: string
 639
 640					// Namespace specifies source resource namespace.
 641					"namespace"?: string
 642				}
 643
 644				// CloneList specifies the list of source resource used to
 645				// populate each generated resource.
 646				"cloneList"?: {
 647					// Kinds is a list of resource kinds.
 648					"kinds"?: [...string]
 649
 650					// Namespace specifies source resource namespace.
 651					"namespace"?: string
 652
 653					// Selector is a label selector. Label keys and values in
 654					// `matchLabels`.
 655					// wildcard characters are not supported.
 656					"selector"?: {
 657						// matchExpressions is a list of label selector requirements. The
 658						// requirements are ANDed.
 659						"matchExpressions"?: [...{
 660							// key is the label key that the selector applies to.
 661							"key"!: string
 662
 663							// operator represents a key's relationship to a set of values.
 664							// Valid operators are In, NotIn, Exists and DoesNotExist.
 665							"operator"!: string
 666
 667							// values is an array of string values. If the operator is In or
 668							// NotIn,
 669							// the values array must be non-empty. If the operator is Exists
 670							// or DoesNotExist,
 671							// the values array must be empty. This array is replaced during a
 672							// strategic
 673							// merge patch.
 674							"values"?: [...string]
 675						}]
 676
 677						// matchLabels is a map of {key,value} pairs. A single {key,value}
 678						// in the matchLabels
 679						// map is equivalent to an element of matchExpressions, whose key
 680						// field is "key", the
 681						// operator is "In", and the values array contains only "value".
 682						// The requirements are ANDed.
 683						"matchLabels"?: {
 684							[string]: string
 685						}
 686					}
 687				}
 688
 689				// Data provides the resource declaration used to populate each
 690				// generated resource.
  691				// At most one of Data or Clone can be specified. If neither is
 692				// provided, the generated
 693				// resource will be created with default data only.
 694				"data"?: null | bool | number | string | [...] | {
 695					...
 696				}
 697
 698				// ForEach applies generate rules to a list of sub-elements by
 699				// creating a context for each entry in the list and looping over
 700				// it to apply the specified logic.
 701				"foreach"?: [...{
 702					// APIVersion specifies resource apiVersion.
 703					"apiVersion"?: string
 704
 705					// Clone specifies the source resource used to populate each
 706					// generated resource.
 707					// At most one of Data or Clone can be specified. If neither are
 708					// provided, the generated
 709					// resource will be created with default data only.
 710					"clone"?: {
 711						// Name specifies name of the resource.
 712						"name"?: string
 713
 714						// Namespace specifies source resource namespace.
 715						"namespace"?: string
 716					}
 717
 718					// CloneList specifies the list of source resource used to
 719					// populate each generated resource.
 720					"cloneList"?: {
 721						// Kinds is a list of resource kinds.
 722						"kinds"?: [...string]
 723
 724						// Namespace specifies source resource namespace.
 725						"namespace"?: string
 726
 727						// Selector is a label selector. Label keys and values in
 728						// `matchLabels`.
 729						// wildcard characters are not supported.
 730						"selector"?: {
 731							// matchExpressions is a list of label selector requirements. The
 732							// requirements are ANDed.
 733							"matchExpressions"?: [...{
 734								// key is the label key that the selector applies to.
 735								"key"!: string
 736
 737								// operator represents a key's relationship to a set of values.
 738								// Valid operators are In, NotIn, Exists and DoesNotExist.
 739								"operator"!: string
 740
 741								// values is an array of string values. If the operator is In or
 742								// NotIn,
 743								// the values array must be non-empty. If the operator is Exists
 744								// or DoesNotExist,
 745								// the values array must be empty. This array is replaced during a
 746								// strategic
 747								// merge patch.
 748								"values"?: [...string]
 749							}]
 750
 751							// matchLabels is a map of {key,value} pairs. A single {key,value}
 752							// in the matchLabels
 753							// map is equivalent to an element of matchExpressions, whose key
 754							// field is "key", the
 755							// operator is "In", and the values array contains only "value".
 756							// The requirements are ANDed.
 757							"matchLabels"?: {
 758								[string]: string
 759							}
 760						}
 761					}
 762
 763					// Context defines variables and data sources that can be used
 764					// during rule execution.
 765					"context"?: [...matchN(1, [{
 766						"configMap"!: _
 767					}, {
 768						"apiCall"!: _
 769					}, {
 770						"imageRegistry"!: _
 771					}, {
 772						"variable"!: _
 773					}, {
 774						"globalReference"!: _
 775					}]) & {
 776						// APICall is an HTTP request to the Kubernetes API server, or
 777						// other JSON web service.
 778						// The data returned is stored in the context with the name for
 779						// the context entry.
 780						"apiCall"?: {
 781							// The data object specifies the POST data sent to the server.
 782							// Only applicable when the method field is set to POST.
 783							"data"?: [...{
 784								// Key is a unique identifier for the data value
 785								"key"!: string
 786
 787								// Value is the data value
 788								"value"!: null | bool | number | string | [...] | {
 789									...
 790								}
 791							}]
 792
 793							// Default is an optional arbitrary JSON object that the context
 794							// value is set to, if the apiCall returns error.
 795							"default"?: null | bool | number | string | [...] | {
 796								...
 797							}
 798
 799							// JMESPath is an optional JSON Match Expression that can be used
 800							// to
 801							// transform the JSON response returned from the server. For
 802							// example
 803							// a JMESPath of "items | length(@)" applied to the API server
 804							// response
 805							// for the URLPath "/apis/apps/v1/deployments" will return the
 806							// total count
 807							// of deployments across all namespaces.
 808							"jmesPath"?: string
 809
 810							// Method is the HTTP request type (GET or POST). Defaults to GET.
 811							"method"?: "GET" | "POST"
 812
 813							// Service is an API call to a JSON web service.
 814							// This is used for non-Kubernetes API server calls.
 815							// It's mutually exclusive with the URLPath field.
 816							"service"?: {
 817								// CABundle is a PEM encoded CA bundle which will be used to
 818								// validate
 819								// the server certificate.
 820								"caBundle"?: string
 821
 822								// Headers is a list of optional HTTP headers to be included in
 823								// the request.
 824								"headers"?: [...{
 825									// Key is the header key
 826									"key"!: string
 827
 828									// Value is the header value
 829									"value"!: string
 830								}]
 831
 832								// URL is the JSON web service URL. A typical form is
 833								// `https://{service}.{namespace}:{port}/{path}`.
 834								"url"!: string
 835							}
 836
 837							// URLPath is the URL path to be used in the HTTP GET or POST
 838							// request to the
 839							// Kubernetes API server (e.g. "/api/v1/namespaces" or
 840							// "/apis/apps/v1/deployments").
 841							// The format required is the same format used by the `kubectl get
 842							// --raw` command.
 843							// See
 844							// https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
 845							// for details.
 846							// It's mutually exclusive with the Service field.
 847							"urlPath"?: string
 848						}
 849
 850						// ConfigMap is the ConfigMap reference.
 851						"configMap"?: {
 852							// Name is the ConfigMap name.
 853							"name"!: string
 854
 855							// Namespace is the ConfigMap namespace.
 856							"namespace"?: string
 857						}
 858
 859						// GlobalContextEntryReference is a reference to a cached global
 860						// context entry.
 861						"globalReference"?: {
 862							// JMESPath is an optional JSON Match Expression that can be used
 863							// to
 864							// transform the JSON response returned from the server. For
 865							// example
 866							// a JMESPath of "items | length(@)" applied to the API server
 867							// response
 868							// for the URLPath "/apis/apps/v1/deployments" will return the
 869							// total count
 870							// of deployments across all namespaces.
 871							"jmesPath"?: string
 872
 873							// Name of the global context entry
 874							"name"!: string
 875						}
 876
 877						// ImageRegistry defines requests to an OCI/Docker V2 registry to
 878						// fetch image
 879						// details.
 880						"imageRegistry"?: {
 881							// ImageRegistryCredentials provides credentials that will be used
 882							// for authentication with registry
 883							"imageRegistryCredentials"?: {
 884								// AllowInsecureRegistry allows insecure access to a registry.
 885								"allowInsecureRegistry"?: bool
 886
 887								// Providers specifies a list of OCI Registry names, whose
 888								// authentication providers are provided.
 889								// It can be of one of these values:
 890								// default,google,azure,amazon,github.
 891								"providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
 892
 893								// Secrets specifies a list of secrets that are provided for
 894								// credentials.
 895								// Secrets must live in the Kyverno namespace.
 896								"secrets"?: [...string]
 897							}
 898
 899							// JMESPath is an optional JSON Match Expression that can be used
 900							// to
 901							// transform the ImageData struct returned as a result of
 902							// processing
 903							// the image reference.
 904							"jmesPath"?: string
 905
 906							// Reference is image reference to a container image in the
 907							// registry.
 908							// Example: ghcr.io/kyverno/kyverno:latest
 909							"reference"!: string
 910						}
 911
 912						// Name is the variable name.
 913						"name"!: string
 914
 915						// Variable defines an arbitrary JMESPath context variable that
 916						// can be defined inline.
 917						"variable"?: {
 918							// Default is an optional arbitrary JSON object that the variable
 919							// may take if the JMESPath
 920							// expression evaluates to nil
 921							"default"?: null | bool | number | string | [...] | {
 922								...
 923							}
 924
 925							// JMESPath is an optional JMESPath Expression that can be used to
 926							// transform the variable.
 927							"jmesPath"?: string
 928
 929							// Value is any arbitrary JSON object representable in YAML or
 930							// JSON form.
 931							"value"?: null | bool | number | string | [...] | {
 932								...
 933							}
 934						}
 935					}]
 936
 937					// Data provides the resource declaration used to populate each
 938					// generated resource.
 939					// At most one of Data or Clone must be specified. If neither are
 940					// provided, the generated
 941					// resource will be created with default data only.
 942					"data"?: null | bool | number | string | [...] | {
 943						...
 944					}
 945
 946					// Kind specifies resource kind.
 947					"kind"?: string
 948
 949					// List specifies a JMESPath expression that results in one or
 950					// more elements
 951					// to which the validation logic is applied.
 952					"list"?: string
 953
 954					// Name specifies the resource name.
 955					"name"?: string
 956
 957					// Namespace specifies resource namespace.
 958					"namespace"?: string
 959
 960					// AnyAllConditions are used to determine if a policy rule should
 961					// be applied by evaluating a
 962					// set of conditions. The declaration can contain nested `any` or
 963					// `all` statements.
 964					// See: https://kyverno.io/docs/writing-policies/preconditions/
 965					"preconditions"?: {
 966						// AllConditions enable variable-based conditional rule execution.
 967						// This is useful for
 968						// finer control of when a rule is applied. A condition can
 969						// reference object data
 970						// using JMESPath notation.
 971						// Here, all of the conditions need to pass
 972						"all"?: [...{
 973							// Key is the context entry (using JMESPath) for conditional rule
 974							// evaluation.
 975							"key"?: null | bool | number | string | [...] | {
 976								...
 977							}
 978
 979							// Message is an optional display message
 980							"message"?: string
 981
 982							// Operator is the conditional operation to perform. Valid
 983							// operators are:
 984							// Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
 985							// GreaterThanOrEquals,
 986							// GreaterThan, LessThanOrEquals, LessThan,
 987							// DurationGreaterThanOrEquals, DurationGreaterThan,
 988							// DurationLessThanOrEquals, DurationLessThan
 989							"operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
 990
 991							// Value is the conditional value, or set of values. The values
 992							// can be fixed set
 993							// or can be variables declared using JMESPath.
 994							"value"?: null | bool | number | string | [...] | {
 995								...
 996							}
 997						}]
 998
 999						// AnyConditions enable variable-based conditional rule execution.
1000						// This is useful for
1001						// finer control of when a rule is applied. A condition can
1002						// reference object data
1003						// using JMESPath notation.
1004						// Here, at least one of the conditions need to pass
1005						"any"?: [...{
1006							// Key is the context entry (using JMESPath) for conditional rule
1007							// evaluation.
1008							"key"?: null | bool | number | string | [...] | {
1009								...
1010							}
1011
1012							// Message is an optional display message
1013							"message"?: string
1014
1015							// Operator is the conditional operation to perform. Valid
1016							// operators are:
1017							// Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
1018							// GreaterThanOrEquals,
1019							// GreaterThan, LessThanOrEquals, LessThan,
1020							// DurationGreaterThanOrEquals, DurationGreaterThan,
1021							// DurationLessThanOrEquals, DurationLessThan
1022							"operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
1023
1024							// Value is the conditional value, or set of values. The values
1025							// can be fixed set
1026							// or can be variables declared using JMESPath.
1027							"value"?: null | bool | number | string | [...] | {
1028								...
1029							}
1030						}]
1031						...
1032					}
1033
1034					// UID specifies the resource uid.
1035					"uid"?: string
1036				}]
1037
1038				// GenerateExisting controls whether to trigger the rule in
1039				// existing resources
1040				// If is set to "true" the rule will be triggered and applied to
1041				// existing matched resources.
1042				"generateExisting"?: bool
1043
1044				// Kind specifies resource kind.
1045				"kind"?: string
1046
1047				// Name specifies the resource name.
1048				"name"?: string
1049
1050				// Namespace specifies resource namespace.
1051				"namespace"?: string
1052
1053				// OrphanDownstreamOnPolicyDelete controls whether generated
1054				// resources should be deleted when the rule that generated
1055				// them is deleted with synchronization enabled. This option is
1056				// only applicable to generate rules of the data type.
1057				// See
1058				// https://kyverno.io/docs/writing-policies/generate/#data-examples.
1059				// Defaults to "false" if not specified.
1060				"orphanDownstreamOnPolicyDelete"?: bool
1061
1062				// Synchronize controls if generated resources should be kept
1063				// in-sync with their source resource.
1064				// If Synchronize is set to "true" changes to generated resources
1065				// will be overwritten with resource
1066				// data from Data or the resource specified in the Clone
1067				// declaration.
1068				// Optional. Defaults to "false" if not specified.
1069				"synchronize"?: bool
1070
1071				// UID specifies the resource uid.
1072				"uid"?: string
1073			}
1074
1075			// ImageExtractors defines a mapping from kinds to
1076			// ImageExtractorConfigs.
1077			// This config is only valid for verifyImages rules.
1078			"imageExtractors"?: {
1079				[string]: [...{
1080					// JMESPath is an optional JMESPath expression to apply to the
1081					// image value.
1082					// This is useful when the extracted image begins with a prefix
1083					// like 'docker://'.
1084					// The 'trim_prefix' function may be used to trim the prefix:
1085					// trim_prefix(@, 'docker://').
1086					// Note - Image digest mutation may not be used when applying a
1087					// JMESPath to an image.
1088					"jmesPath"?: string
1089
1090					// Key is an optional name of the field within 'path' that will be
1091					// used to uniquely identify an image.
1092					// Note - this field MUST be unique.
1093					"key"?: string
1094
1095					// Name is the entry the image will be available under
1096					// 'images.<name>' in the context.
1097					// If this field is not defined, image entries will appear under
1098					// 'images.custom'.
1099					"name"?: string
1100
1101					// Path is the path to the object containing the image field in a
1102					// custom resource.
1103					// It should be slash-separated. Each slash-separated key must be
1104					// a valid YAML key or a wildcard '*'.
1105					// Wildcard keys are expanded in case of arrays or objects.
1106					"path"!: string
1107
1108					// Value is an optional name of the field within 'path' that
1109					// points to the image URI.
1110					// This is useful when a custom 'key' is also defined.
1111					"value"?: string
1112				}]
1113			}
1114
1115			// MatchResources defines when this policy rule should be applied.
1116			// The match
1117			// criteria can include resource information (e.g. kind, name,
1118			// namespace, labels)
1119			// and admission review request information like the user name or
1120			// role.
1121			// At least one kind is required.
1122			"match"!: matchN(0, [null | bool | number | string | [...] | {
1123				"any"!: _
1124				"all"!: _
1125			}]) & {
1126				// All allows specifying resources which will be ANDed
1127				"all"?: [...{
1128					// ClusterRoles is the list of cluster-wide role names for the
1129					// user.
1130					"clusterRoles"?: [...string]
1131
1132					// ResourceDescription contains information about the resource
1133					// being created or modified.
1134					"resources"?: matchN(0, [null | bool | number | string | [...] | {
1135						"name"!:  _
1136						"names"!: _
1137					}]) & {
1138						// Annotations is a map of annotations (key-value pairs of type
1139						// string). Annotation keys
1140						// and values support the wildcard characters "*" (matches zero or
1141						// many characters) and
1142						// "?" (matches at least one character).
1143						"annotations"?: [string]: string
1144
1145						// Kinds is a list of resource kinds.
1146						"kinds"?: [...string]
1147
1148						// Name is the name of the resource. The name supports wildcard
1149						// characters
1150						// "*" (matches zero or many characters) and "?" (at least one
1151						// character).
1152						// NOTE: "Name" is being deprecated in favor of "Names".
1153						"name"?: string
1154
1155						// Names are the names of the resources. Each name supports
1156						// wildcard characters
1157						// "*" (matches zero or many characters) and "?" (at least one
1158						// character).
1159						"names"?: [...string]
1160
1161						// NamespaceSelector is a label selector for the resource
1162						// namespace. Label keys and values
1163						// in `matchLabels` support the wildcard characters `*` (matches
1164						// zero or many characters)
1165						// and `?` (matches one character). Wildcards allow writing label
1166						// selectors like
1167						// ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
1168						// any key and value but
1169						// does not match an empty label set.
1170						"namespaceSelector"?: {
1171							// matchExpressions is a list of label selector requirements. The
1172							// requirements are ANDed.
1173							"matchExpressions"?: [...{
1174								// key is the label key that the selector applies to.
1175								"key"!: string
1176
1177								// operator represents a key's relationship to a set of values.
1178								// Valid operators are In, NotIn, Exists and DoesNotExist.
1179								"operator"!: string
1180
1181								// values is an array of string values. If the operator is In or
1182								// NotIn,
1183								// the values array must be non-empty. If the operator is Exists
1184								// or DoesNotExist,
1185								// the values array must be empty. This array is replaced during a
1186								// strategic
1187								// merge patch.
1188								"values"?: [...string]
1189							}]
1190
1191							// matchLabels is a map of {key,value} pairs. A single {key,value}
1192							// in the matchLabels
1193							// map is equivalent to an element of matchExpressions, whose key
1194							// field is "key", the
1195							// operator is "In", and the values array contains only "value".
1196							// The requirements are ANDed.
1197							"matchLabels"?: {
1198								[string]: string
1199							}
1200						}
1201
1202						// Namespaces is a list of namespace names. Each name supports
1203						// wildcard characters
1204						// "*" (matches zero or many characters) and "?" (at least one
1205						// character).
1206						"namespaces"?: [...string]
1207
1208						// Operations can contain values ["CREATE", "UPDATE", "CONNECT",
1209						// "DELETE"], which are used to match a specific action.
1210						"operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
1211
1212						// Selector is a label selector. Label keys and values in
1213						// `matchLabels` support the wildcard
1214						// characters `*` (matches zero or many characters) and `?`
1215						// (matches one character).
1216						// Wildcards allows writing label selectors like
1217						// ["storage.k8s.io/*": "*"]. Note that
1218						// using ["*" : "*"] matches any key and value but does not match
1219						// an empty label set.
1220						"selector"?: {
1221							// matchExpressions is a list of label selector requirements. The
1222							// requirements are ANDed.
1223							"matchExpressions"?: [...{
1224								// key is the label key that the selector applies to.
1225								"key"!: string
1226
1227								// operator represents a key's relationship to a set of values.
1228								// Valid operators are In, NotIn, Exists and DoesNotExist.
1229								"operator"!: string
1230
1231								// values is an array of string values. If the operator is In or
1232								// NotIn,
1233								// the values array must be non-empty. If the operator is Exists
1234								// or DoesNotExist,
1235								// the values array must be empty. This array is replaced during a
1236								// strategic
1237								// merge patch.
1238								"values"?: [...string]
1239							}]
1240
1241							// matchLabels is a map of {key,value} pairs. A single {key,value}
1242							// in the matchLabels
1243							// map is equivalent to an element of matchExpressions, whose key
1244							// field is "key", the
1245							// operator is "In", and the values array contains only "value".
1246							// The requirements are ANDed.
1247							"matchLabels"?: {
1248								[string]: string
1249							}
1250						}
1251					}
1252
1253					// Roles is the list of namespaced role names for the user.
1254					"roles"?: [...string]
1255
1256					// Subjects is the list of subject names like users, user groups,
1257					// and service accounts.
1258					"subjects"?: [...{
1259						// APIGroup holds the API group of the referenced subject.
1260						// Defaults to "" for ServiceAccount subjects.
1261						// Defaults to "rbac.authorization.k8s.io" for User and Group
1262						// subjects.
1263						"apiGroup"?: string
1264
1265						// Kind of object being referenced. Values defined by this API
1266						// group are "User", "Group", and "ServiceAccount".
1267						// If the Authorizer does not recognize the kind value, the
1268						// Authorizer should report an error.
1269						"kind"!: string
1270
1271						// Name of the object being referenced.
1272						"name"!: string
1273
1274						// Namespace of the referenced object. If the object kind is
1275						// non-namespace, such as "User" or "Group", and this value is
1276						// not empty
1277						// the Authorizer should report an error.
1278						"namespace"?: string
1279					}]
1280				}]
1281
1282				// Any allows specifying resources which will be ORed
1283				"any"?: [...{
1284					// ClusterRoles is the list of cluster-wide role names for the
1285					// user.
1286					"clusterRoles"?: [...string]
1287
1288					// ResourceDescription contains information about the resource
1289					// being created or modified.
1290					"resources"?: matchN(0, [null | bool | number | string | [...] | {
1291						"name"!:  _
1292						"names"!: _
1293					}]) & {
1294						// Annotations is a map of annotations (key-value pairs of type
1295						// string). Annotation keys
1296						// and values support the wildcard characters "*" (matches zero or
1297						// many characters) and
1298						// "?" (matches at least one character).
1299						"annotations"?: [string]: string
1300
1301						// Kinds is a list of resource kinds.
1302						"kinds"?: [...string]
1303
1304						// Name is the name of the resource. The name supports wildcard
1305						// characters
1306						// "*" (matches zero or many characters) and "?" (at least one
1307						// character).
1308						// NOTE: "Name" is being deprecated in favor of "Names".
1309						"name"?: string
1310
1311						// Names are the names of the resources. Each name supports
1312						// wildcard characters
1313						// "*" (matches zero or many characters) and "?" (at least one
1314						// character).
1315						"names"?: [...string]
1316
1317						// NamespaceSelector is a label selector for the resource
1318						// namespace. Label keys and values
1319						// in `matchLabels` support the wildcard characters `*` (matches
1320						// zero or many characters)
1321						// and `?` (matches one character). Wildcards allow writing label
1322						// selectors like
1323						// ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
1324						// any key and value but
1325						// does not match an empty label set.
1326						"namespaceSelector"?: {
1327							// matchExpressions is a list of label selector requirements. The
1328							// requirements are ANDed.
1329							"matchExpressions"?: [...{
1330								// key is the label key that the selector applies to.
1331								"key"!: string
1332
1333								// operator represents a key's relationship to a set of values.
1334								// Valid operators are In, NotIn, Exists and DoesNotExist.
1335								"operator"!: string
1336
1337								// values is an array of string values. If the operator is In or
1338								// NotIn,
1339								// the values array must be non-empty. If the operator is Exists
1340								// or DoesNotExist,
1341								// the values array must be empty. This array is replaced during a
1342								// strategic
1343								// merge patch.
1344								"values"?: [...string]
1345							}]
1346
1347							// matchLabels is a map of {key,value} pairs. A single {key,value}
1348							// in the matchLabels
1349							// map is equivalent to an element of matchExpressions, whose key
1350							// field is "key", the
1351							// operator is "In", and the values array contains only "value".
1352							// The requirements are ANDed.
1353							"matchLabels"?: {
1354								[string]: string
1355							}
1356						}
1357
1358						// Namespaces is a list of namespace names. Each name supports
1359						// wildcard characters
1360						// "*" (matches zero or many characters) and "?" (at least one
1361						// character).
1362						"namespaces"?: [...string]
1363
1364						// Operations can contain values ["CREATE", "UPDATE", "CONNECT",
1365						// "DELETE"], which are used to match a specific action.
1366						"operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
1367
1368						// Selector is a label selector. Label keys and values in
1369						// `matchLabels` support the wildcard
1370						// characters `*` (matches zero or many characters) and `?`
1371						// (matches one character).
1372						// Wildcards allows writing label selectors like
1373						// ["storage.k8s.io/*": "*"]. Note that
1374						// using ["*" : "*"] matches any key and value but does not match
1375						// an empty label set.
1376						"selector"?: {
1377							// matchExpressions is a list of label selector requirements. The
1378							// requirements are ANDed.
1379							"matchExpressions"?: [...{
1380								// key is the label key that the selector applies to.
1381								"key"!: string
1382
1383								// operator represents a key's relationship to a set of values.
1384								// Valid operators are In, NotIn, Exists and DoesNotExist.
1385								"operator"!: string
1386
1387								// values is an array of string values. If the operator is In or
1388								// NotIn,
1389								// the values array must be non-empty. If the operator is Exists
1390								// or DoesNotExist,
1391								// the values array must be empty. This array is replaced during a
1392								// strategic
1393								// merge patch.
1394								"values"?: [...string]
1395							}]
1396
1397							// matchLabels is a map of {key,value} pairs. A single {key,value}
1398							// in the matchLabels
1399							// map is equivalent to an element of matchExpressions, whose key
1400							// field is "key", the
1401							// operator is "In", and the values array contains only "value".
1402							// The requirements are ANDed.
1403							"matchLabels"?: {
1404								[string]: string
1405							}
1406						}
1407					}
1408
1409					// Roles is the list of namespaced role names for the user.
1410					"roles"?: [...string]
1411
1412					// Subjects is the list of subject names like users, user groups,
1413					// and service accounts.
1414					"subjects"?: [...{
1415						// APIGroup holds the API group of the referenced subject.
1416						// Defaults to "" for ServiceAccount subjects.
1417						// Defaults to "rbac.authorization.k8s.io" for User and Group
1418						// subjects.
1419						"apiGroup"?: string
1420
1421						// Kind of object being referenced. Values defined by this API
1422						// group are "User", "Group", and "ServiceAccount".
1423						// If the Authorizer does not recognize the kind value, the
1424						// Authorizer should report an error.
1425						"kind"!: string
1426
1427						// Name of the object being referenced.
1428						"name"!: string
1429
1430						// Namespace of the referenced object. If the object kind is
1431						// non-namespace, such as "User" or "Group", and this value is
1432						// not empty
1433						// the Authorizer should report an error.
1434						"namespace"?: string
1435					}]
1436				}]
1437			}
1438
1439			// Mutation is used to modify matching resources.
1440			"mutate"?: {
1441				// ForEach applies mutation rules to a list of sub-elements by
1442				// creating a context for each entry in the list and looping over
1443				// it to apply the specified logic.
1444				"foreach"?: [...{
1445					// Context defines variables and data sources that can be used
1446					// during rule execution.
1447					"context"?: [...matchN(1, [{
1448						"configMap"!: _
1449					}, {
1450						"apiCall"!: _
1451					}, {
1452						"imageRegistry"!: _
1453					}, {
1454						"variable"!: _
1455					}, {
1456						"globalReference"!: _
1457					}]) & {
1458						// APICall is an HTTP request to the Kubernetes API server, or
1459						// other JSON web service.
1460						// The data returned is stored in the context with the name for
1461						// the context entry.
1462						"apiCall"?: {
1463							// The data object specifies the POST data sent to the server.
1464							// Only applicable when the method field is set to POST.
1465							"data"?: [...{
1466								// Key is a unique identifier for the data value
1467								"key"!: string
1468
1469								// Value is the data value
1470								"value"!: null | bool | number | string | [...] | {
1471									...
1472								}
1473							}]
1474
1475							// Default is an optional arbitrary JSON object that the context
1476							// value is set to, if the apiCall returns error.
1477							"default"?: null | bool | number | string | [...] | {
1478								...
1479							}
1480
1481							// JMESPath is an optional JSON Match Expression that can be used
1482							// to
1483							// transform the JSON response returned from the server. For
1484							// example
1485							// a JMESPath of "items | length(@)" applied to the API server
1486							// response
1487							// for the URLPath "/apis/apps/v1/deployments" will return the
1488							// total count
1489							// of deployments across all namespaces.
1490							"jmesPath"?: string
1491
1492							// Method is the HTTP request type (GET or POST). Defaults to GET.
1493							"method"?: "GET" | "POST"
1494
1495							// Service is an API call to a JSON web service.
1496							// This is used for non-Kubernetes API server calls.
1497							// It's mutually exclusive with the URLPath field.
1498							"service"?: {
1499								// CABundle is a PEM encoded CA bundle which will be used to
1500								// validate
1501								// the server certificate.
1502								"caBundle"?: string
1503
1504								// Headers is a list of optional HTTP headers to be included in
1505								// the request.
1506								"headers"?: [...{
1507									// Key is the header key
1508									"key"!: string
1509
1510									// Value is the header value
1511									"value"!: string
1512								}]
1513
1514								// URL is the JSON web service URL. A typical form is
1515								// `https://{service}.{namespace}:{port}/{path}`.
1516								"url"!: string
1517							}
1518
1519							// URLPath is the URL path to be used in the HTTP GET or POST
1520							// request to the
1521							// Kubernetes API server (e.g. "/api/v1/namespaces" or
1522							// "/apis/apps/v1/deployments").
1523							// The format required is the same format used by the `kubectl get
1524							// --raw` command.
1525							// See
1526							// https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
1527							// for details.
1528							// It's mutually exclusive with the Service field.
1529							"urlPath"?: string
1530						}
1531
1532						// ConfigMap is the ConfigMap reference.
1533						"configMap"?: {
1534							// Name is the ConfigMap name.
1535							"name"!: string
1536
1537							// Namespace is the ConfigMap namespace.
1538							"namespace"?: string
1539						}
1540
1541						// GlobalContextEntryReference is a reference to a cached global
1542						// context entry.
1543						"globalReference"?: {
1544							// JMESPath is an optional JSON Match Expression that can be used
1545							// to
1546							// transform the JSON response returned from the server. For
1547							// example
1548							// a JMESPath of "items | length(@)" applied to the API server
1549							// response
1550							// for the URLPath "/apis/apps/v1/deployments" will return the
1551							// total count
1552							// of deployments across all namespaces.
1553							"jmesPath"?: string
1554
1555							// Name of the global context entry
1556							"name"!: string
1557						}
1558
1559						// ImageRegistry defines requests to an OCI/Docker V2 registry to
1560						// fetch image
1561						// details.
1562						"imageRegistry"?: {
1563							// ImageRegistryCredentials provides credentials that will be used
1564							// for authentication with registry
1565							"imageRegistryCredentials"?: {
1566								// AllowInsecureRegistry allows insecure access to a registry.
1567								"allowInsecureRegistry"?: bool
1568
1569								// Providers specifies a list of OCI Registry names, whose
1570								// authentication providers are provided.
1571								// It can be of one of these values:
1572								// default,google,azure,amazon,github.
1573								"providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
1574
1575								// Secrets specifies a list of secrets that are provided for
1576								// credentials.
1577								// Secrets must live in the Kyverno namespace.
1578								"secrets"?: [...string]
1579							}
1580
1581							// JMESPath is an optional JSON Match Expression that can be used
1582							// to
1583							// transform the ImageData struct returned as a result of
1584							// processing
1585							// the image reference.
1586							"jmesPath"?: string
1587
1588							// Reference is image reference to a container image in the
1589							// registry.
1590							// Example: ghcr.io/kyverno/kyverno:latest
1591							"reference"!: string
1592						}
1593
1594						// Name is the variable name.
1595						"name"!: string
1596
1597						// Variable defines an arbitrary JMESPath context variable that
1598						// can be defined inline.
1599						"variable"?: {
1600							// Default is an optional arbitrary JSON object that the variable
1601							// may take if the JMESPath
1602							// expression evaluates to nil
1603							"default"?: null | bool | number | string | [...] | {
1604								...
1605							}
1606
1607							// JMESPath is an optional JMESPath Expression that can be used to
1608							// transform the variable.
1609							"jmesPath"?: string
1610
1611							// Value is any arbitrary JSON object representable in YAML or
1612							// JSON form.
1613							"value"?: null | bool | number | string | [...] | {
1614								...
1615							}
1616						}
1617					}]
1618
1619					// Foreach declares a nested foreach iterator
1620					"foreach"?: null | bool | number | string | [...] | {
1621						...
1622					}
1623
1624					// List specifies a JMESPath expression that results in one or
1625					// more elements
1626					// to which the validation logic is applied.
1627					"list"?: string
1628
1629					// Order defines the iteration order on the list.
1630					// Can be Ascending to iterate from first to last element or
1631					// Descending to iterate in from last to first element.
1632					"order"?: "Ascending" | "Descending"
1633
1634					// PatchStrategicMerge is a strategic merge patch used to modify
1635					// resources.
1636					// See
1637					// https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
1638					// and
1639					// https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
1640					"patchStrategicMerge"?: null | bool | number | string | [...] | {
1641						...
1642					}
1643
1644					// PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations
1645					// used to modify resources.
1646					// See https://tools.ietf.org/html/rfc6902 and
1647					// https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
1648					"patchesJson6902"?: string
1649
1650					// AnyAllConditions are used to determine if a policy rule should
1651					// be applied by evaluating a
1652					// set of conditions. The declaration can contain nested `any` or
1653					// `all` statements.
1654					// See: https://kyverno.io/docs/writing-policies/preconditions/
1655					"preconditions"?: {
1656						// AllConditions enable variable-based conditional rule execution.
1657						// This is useful for
1658						// finer control of when an rule is applied. A condition can
1659						// reference object data
1660						// using JMESPath notation.
1661						// Here, all of the conditions need to pass
1662						"all"?: [...{
1663							// Key is the context entry (using JMESPath) for conditional rule
1664							// evaluation.
1665							"key"?: null | bool | number | string | [...] | {
1666								...
1667							}
1668
1669							// Message is an optional display message
1670							"message"?: string
1671
1672							// Operator is the conditional operation to perform. Valid
1673							// operators are:
1674							// Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
1675							// GreaterThanOrEquals,
1676							// GreaterThan, LessThanOrEquals, LessThan,
1677							// DurationGreaterThanOrEquals, DurationGreaterThan,
1678							// DurationLessThanOrEquals, DurationLessThan
1679							"operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
1680
1681							// Value is the conditional value, or set of values. The values
1682							// can be fixed set
1683							// or can be variables declared using JMESPath.
1684							"value"?: null | bool | number | string | [...] | {
1685								...
1686							}
1687						}]
1688
1689						// AnyConditions enable variable-based conditional rule execution.
1690						// This is useful for
1691						// finer control of when an rule is applied. A condition can
1692						// reference object data
1693						// using JMESPath notation.
1694						// Here, at least one of the conditions need to pass
1695						"any"?: [...{
1696							// Key is the context entry (using JMESPath) for conditional rule
1697							// evaluation.
1698							"key"?: null | bool | number | string | [...] | {
1699								...
1700							}
1701
1702							// Message is an optional display message
1703							"message"?: string
1704
1705							// Operator is the conditional operation to perform. Valid
1706							// operators are:
1707							// Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
1708							// GreaterThanOrEquals,
1709							// GreaterThan, LessThanOrEquals, LessThan,
1710							// DurationGreaterThanOrEquals, DurationGreaterThan,
1711							// DurationLessThanOrEquals, DurationLessThan
1712							"operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
1713
1714							// Value is the conditional value, or set of values. The values
1715							// can be fixed set
1716							// or can be variables declared using JMESPath.
1717							"value"?: null | bool | number | string | [...] | {
1718								...
1719							}
1720						}]
1721						...
1722					}
1723				}]
1724
1725				// MutateExistingOnPolicyUpdate controls if the mutateExisting
1726				// rule will be applied on policy events.
1727				"mutateExistingOnPolicyUpdate"?: bool
1728
1729				// PatchStrategicMerge is a strategic merge patch used to modify
1730				// resources.
1731				// See
1732				// https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
1733				// and
1734				// https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
1735				"patchStrategicMerge"?: null | bool | number | string | [...] | {
1736					...
1737				}
1738
1739				// PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations
1740				// used to modify resources.
1741				// See https://tools.ietf.org/html/rfc6902 and
1742				// https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
1743				"patchesJson6902"?: string
1744
1745				// Targets defines the target resources to be mutated.
1746				"targets"?: [...{
1747					// APIVersion specifies resource apiVersion.
1748					"apiVersion"?: string
1749
1750					// Context defines variables and data sources that can be used
1751					// during rule execution.
1752					"context"?: [...matchN(1, [{
1753						"configMap"!: _
1754					}, {
1755						"apiCall"!: _
1756					}, {
1757						"imageRegistry"!: _
1758					}, {
1759						"variable"!: _
1760					}, {
1761						"globalReference"!: _
1762					}]) & {
1763						// APICall is an HTTP request to the Kubernetes API server, or
1764						// other JSON web service.
1765						// The data returned is stored in the context with the name for
1766						// the context entry.
1767						"apiCall"?: {
1768							// The data object specifies the POST data sent to the server.
1769							// Only applicable when the method field is set to POST.
1770							"data"?: [...{
1771								// Key is a unique identifier for the data value
1772								"key"!: string
1773
1774								// Value is the data value
1775								"value"!: null | bool | number | string | [...] | {
1776									...
1777								}
1778							}]
1779
							// Default is an optional arbitrary JSON object that the context
							// value is set to, if the apiCall returns error.
							// Caveat: a default masks call failures, so a rule that relies on
							// this value may silently evaluate against the fallback rather
							// than live data; choose a default that leads to the safe outcome.
1782							"default"?: null | bool | number | string | [...] | {
1783								...
1784							}
1785
1786							// JMESPath is an optional JSON Match Expression that can be used
1787							// to
1788							// transform the JSON response returned from the server. For
1789							// example
1790							// a JMESPath of "items | length(@)" applied to the API server
1791							// response
1792							// for the URLPath "/apis/apps/v1/deployments" will return the
1793							// total count
1794							// of deployments across all namespaces.
1795							"jmesPath"?: string
1796
1797							// Method is the HTTP request type (GET or POST). Defaults to GET.
1798							"method"?: "GET" | "POST"
1799
1800							// Service is an API call to a JSON web service.
1801							// This is used for non-Kubernetes API server calls.
1802							// It's mutually exclusive with the URLPath field.
1803							"service"?: {
1804								// CABundle is a PEM encoded CA bundle which will be used to
1805								// validate
1806								// the server certificate.
1807								"caBundle"?: string
1808
								// Headers is a list of optional HTTP headers to be included in
								// the request. Header values are stored inline in the policy
								// object in clear text, so avoid placing bearer tokens or other
								// credentials here unless read access to ClusterPolicy resources
								// is appropriately restricted.
1811								"headers"?: [...{
1812									// Key is the header key
1813									"key"!: string
1814
1815									// Value is the header value
1816									"value"!: string
1817								}]
1818
1819								// URL is the JSON web service URL. A typical form is
1820								// `https://{service}.{namespace}:{port}/{path}`.
1821								"url"!: string
1822							}
1823
1824							// URLPath is the URL path to be used in the HTTP GET or POST
1825							// request to the
1826							// Kubernetes API server (e.g. "/api/v1/namespaces" or
1827							// "/apis/apps/v1/deployments").
1828							// The format required is the same format used by the `kubectl get
1829							// --raw` command.
1830							// See
1831							// https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
1832							// for details.
1833							// It's mutually exclusive with the Service field.
1834							"urlPath"?: string
1835						}
1836
1837						// ConfigMap is the ConfigMap reference.
1838						"configMap"?: {
1839							// Name is the ConfigMap name.
1840							"name"!: string
1841
1842							// Namespace is the ConfigMap namespace.
1843							"namespace"?: string
1844						}
1845
1846						// GlobalContextEntryReference is a reference to a cached global
1847						// context entry.
1848						"globalReference"?: {
1849							// JMESPath is an optional JSON Match Expression that can be used
1850							// to
1851							// transform the JSON response returned from the server. For
1852							// example
1853							// a JMESPath of "items | length(@)" applied to the API server
1854							// response
1855							// for the URLPath "/apis/apps/v1/deployments" will return the
1856							// total count
1857							// of deployments across all namespaces.
1858							"jmesPath"?: string
1859
1860							// Name of the global context entry
1861							"name"!: string
1862						}
1863
1864						// ImageRegistry defines requests to an OCI/Docker V2 registry to
1865						// fetch image
1866						// details.
1867						"imageRegistry"?: {
1868							// ImageRegistryCredentials provides credentials that will be used
1869							// for authentication with registry
1870							"imageRegistryCredentials"?: {
								// AllowInsecureRegistry allows insecure access to a registry.
								// Security note: this relaxes transport security for the
								// registry connection (presumably plain HTTP and/or unverified
								// TLS -- confirm against Kyverno's registry client). Image
								// metadata fetched over an insecure channel can be tampered
								// with in transit, so leave this unset or false outside of
								// isolated test environments.
1872								"allowInsecureRegistry"?: bool
1873
1874								// Providers specifies a list of OCI Registry names, whose
1875								// authentication providers are provided.
1876								// It can be of one of these values:
1877								// default,google,azure,amazon,github.
1878								"providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
1879
1880								// Secrets specifies a list of secrets that are provided for
1881								// credentials.
1882								// Secrets must live in the Kyverno namespace.
1883								"secrets"?: [...string]
1884							}
1885
1886							// JMESPath is an optional JSON Match Expression that can be used
1887							// to
1888							// transform the ImageData struct returned as a result of
1889							// processing
1890							// the image reference.
1891							"jmesPath"?: string
1892
1893							// Reference is image reference to a container image in the
1894							// registry.
1895							// Example: ghcr.io/kyverno/kyverno:latest
1896							"reference"!: string
1897						}
1898
1899						// Name is the variable name.
1900						"name"!: string
1901
1902						// Variable defines an arbitrary JMESPath context variable that
1903						// can be defined inline.
1904						"variable"?: {
1905							// Default is an optional arbitrary JSON object that the variable
1906							// may take if the JMESPath
1907							// expression evaluates to nil
1908							"default"?: null | bool | number | string | [...] | {
1909								...
1910							}
1911
1912							// JMESPath is an optional JMESPath Expression that can be used to
1913							// transform the variable.
1914							"jmesPath"?: string
1915
1916							// Value is any arbitrary JSON object representable in YAML or
1917							// JSON form.
1918							"value"?: null | bool | number | string | [...] | {
1919								...
1920							}
1921						}
1922					}]
1923
1924					// Kind specifies resource kind.
1925					"kind"?: string
1926
1927					// Name specifies the resource name.
1928					"name"?: string
1929
1930					// Namespace specifies resource namespace.
1931					"namespace"?: string
1932
1933					// Preconditions are used to determine if a policy rule should be
1934					// applied by evaluating a
1935					// set of conditions. The declaration can contain nested `any` or
1936					// `all` statements. A direct list
1937					// of conditions (without `any` or `all` statements is supported
1938					// for backwards compatibility but
1939					// will be deprecated in the next major release.
1940					// See: https://kyverno.io/docs/writing-policies/preconditions/
1941					"preconditions"?: null | bool | number | string | [...] | {
1942						...
1943					}
1944
1945					// Selector allows you to select target resources with their
1946					// labels.
1947					"selector"?: {
1948						// matchExpressions is a list of label selector requirements. The
1949						// requirements are ANDed.
1950						"matchExpressions"?: [...{
1951							// key is the label key that the selector applies to.
1952							"key"!: string
1953
1954							// operator represents a key's relationship to a set of values.
1955							// Valid operators are In, NotIn, Exists and DoesNotExist.
1956							"operator"!: string
1957
1958							// values is an array of string values. If the operator is In or
1959							// NotIn,
1960							// the values array must be non-empty. If the operator is Exists
1961							// or DoesNotExist,
1962							// the values array must be empty. This array is replaced during a
1963							// strategic
1964							// merge patch.
1965							"values"?: [...string]
1966						}]
1967
1968						// matchLabels is a map of {key,value} pairs. A single {key,value}
1969						// in the matchLabels
1970						// map is equivalent to an element of matchExpressions, whose key
1971						// field is "key", the
1972						// operator is "In", and the values array contains only "value".
1973						// The requirements are ANDed.
1974						"matchLabels"?: {
1975							[string]: string
1976						}
1977					}
1978
1979					// UID specifies the resource uid.
1980					"uid"?: string
1981				}]
1982			}
1983
1984			// Name is a label to identify the rule, It must be unique within
1985			// the policy.
1986			"name"!: strings.MaxRunes(
1987					63)
1988
1989			// Preconditions are used to determine if a policy rule should be
1990			// applied by evaluating a
1991			// set of conditions. The declaration can contain nested `any` or
1992			// `all` statements.
1993			// See: https://kyverno.io/docs/writing-policies/preconditions/
1994			"preconditions"?: {
1995				// AllConditions enable variable-based conditional rule execution.
1996				// This is useful for
1997				// finer control of when an rule is applied. A condition can
1998				// reference object data
1999				// using JMESPath notation.
2000				// Here, all of the conditions need to pass.
2001				"all"?: [...{
2002					// Key is the context entry (using JMESPath) for conditional rule
2003					// evaluation.
2004					"key"?: null | bool | number | string | [...] | {
2005						...
2006					}
2007
2008					// Message is an optional display message
2009					"message"?: string
2010
					// Operator is the conditional operation to perform. Valid
					// operators (as constrained by the enum below) are:
					// Equals, NotEquals, AnyIn, AllIn, AnyNotIn, AllNotIn,
					// GreaterThanOrEquals, GreaterThan, LessThanOrEquals, LessThan,
					// DurationGreaterThanOrEquals, DurationGreaterThan,
					// DurationLessThanOrEquals, DurationLessThan.
					// Note: the plain `In` / `NotIn` operators are NOT accepted by this
					// rule-level enum (use AnyIn / AllIn / AnyNotIn / AllNotIn instead),
					// even though the foreach-level preconditions in this schema still
					// accept them.
2018					"operator"?: "Equals" | "NotEquals" | "AnyIn" | "AllIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
2019
2020					// Value is the conditional value, or set of values. The values
2021					// can be fixed set
2022					// or can be variables declared using JMESPath.
2023					"value"?: null | bool | number | string | [...] | {
2024						...
2025					}
2026				}]
2027
2028				// AnyConditions enable variable-based conditional rule execution.
2029				// This is useful for
2030				// finer control of when an rule is applied. A condition can
2031				// reference object data
2032				// using JMESPath notation.
2033				// Here, at least one of the conditions need to pass.
2034				"any"?: [...{
2035					// Key is the context entry (using JMESPath) for conditional rule
2036					// evaluation.
2037					"key"?: null | bool | number | string | [...] | {
2038						...
2039					}
2040
2041					// Message is an optional display message
2042					"message"?: string
2043
					// Operator is the conditional operation to perform. Valid
					// operators (as constrained by the enum below) are:
					// Equals, NotEquals, AnyIn, AllIn, AnyNotIn, AllNotIn,
					// GreaterThanOrEquals, GreaterThan, LessThanOrEquals, LessThan,
					// DurationGreaterThanOrEquals, DurationGreaterThan,
					// DurationLessThanOrEquals, DurationLessThan.
					// Note: the plain `In` / `NotIn` operators are NOT accepted by this
					// rule-level enum (use AnyIn / AllIn / AnyNotIn / AllNotIn instead),
					// even though the foreach-level preconditions in this schema still
					// accept them.
2051					"operator"?: "Equals" | "NotEquals" | "AnyIn" | "AllIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
2052
2053					// Value is the conditional value, or set of values. The values
2054					// can be fixed set
2055					// or can be variables declared using JMESPath.
2056					"value"?: null | bool | number | string | [...] | {
2057						...
2058					}
2059				}]
2060			}
2061
2062			// SkipBackgroundRequests bypasses admission requests that are
2063			// sent by the background controller.
2064			// The default value is set to "true", it must be set to "false"
2065			// to apply
2066			// generate and mutateExisting rules to those requests.
2067			"skipBackgroundRequests"?: bool
2068
2069			// Validation is used to validate matching resources.
2070			"validate"?: {
2071				// AnyPattern specifies list of validation patterns. At least one
2072				// of the patterns
2073				// must be satisfied for the validation rule to succeed.
2074				"anyPattern"?: null | bool | number | string | [...] | {
2075					...
2076				}
2077
2078				// Assert defines a kyverno-json assertion tree.
2079				"assert"?: {
2080					...
2081				}
2082
2083				// CEL allows validation checks using the Common Expression
2084				// Language
2085				// (https://kubernetes.io/docs/reference/using-api/cel/).
2086				"cel"?: {
2087					// AuditAnnotations contains CEL expressions which are used to
2088					// produce audit annotations for the audit event of the API
2089					// request.
2090					"auditAnnotations"?: [...{
2091						// key specifies the audit annotation key. The audit annotation
2092						// keys of
2093						// a ValidatingAdmissionPolicy must be unique. The key must be a
2094						// qualified
2095						// name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in
2096						// length.
2097						//
2098						// The key is combined with the resource name of the
2099						// ValidatingAdmissionPolicy to construct an audit annotation key:
2100						// "{ValidatingAdmissionPolicy name}/{key}".
2101						//
2102						// If an admission webhook uses the same resource name as this
2103						// ValidatingAdmissionPolicy
2104						// and the same audit annotation key, the annotation key will be
2105						// identical.
2106						// In this case, the first annotation written with the key will be
2107						// included
2108						// in the audit event and all subsequent annotations with the same
2109						// key
2110						// will be discarded.
2111						//
2112						// Required.
2113						"key"!: string
2114
2115						// valueExpression represents the expression which is evaluated by
2116						// CEL to
2117						// produce an audit annotation value. The expression must evaluate
2118						// to either
2119						// a string or null value. If the expression evaluates to a
2120						// string, the
2121						// audit annotation is included with the string value. If the
2122						// expression
2123						// evaluates to null or empty string the audit annotation will be
2124						// omitted.
2125						// The valueExpression may be no longer than 5kb in length.
2126						// If the result of the valueExpression is more than 10kb in
2127						// length, it
2128						// will be truncated to 10kb.
2129						//
2130						// If multiple ValidatingAdmissionPolicyBinding resources match an
2131						// API request, then the valueExpression will be evaluated for
2132						// each binding. All unique values produced by the
2133						// valueExpressions
2134						// will be joined together in a comma-separated list.
2135						//
2136						// Required.
2137						"valueExpression"!: string
2138					}]
2139
2140					// Expressions is a list of CELExpression types.
2141					"expressions"?: [...{
2142						// Expression represents the expression which will be evaluated by
2143						// CEL.
2144						// ref: https://github.com/google/cel-spec
2145						// CEL expressions have access to the contents of the API
2146						// request/response, organized into CEL variables as well as some
2147						// other useful variables:
2148						//
2149						// - 'object' - The object from the incoming request. The value is
2150						// null for DELETE requests.
2151						// - 'oldObject' - The existing object. The value is null for
2152						// CREATE requests.
2153						// - 'request' - Attributes of the API
2154						// request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
2155						// - 'params' - Parameter resource referred to by the policy
2156						// binding being evaluated. Only populated if the policy has a
2157						// ParamKind.
2158						// - 'namespaceObject' - The namespace object that the incoming
2159						// object belongs to. The value is null for cluster-scoped
2160						// resources.
2161						// - 'variables' - Map of composited variables, from its name to
2162						// its lazily evaluated value.
2163						// For example, a variable named 'foo' can be accessed as
2164						// 'variables.foo'.
2165						// - 'authorizer' - A CEL Authorizer. May be used to perform
2166						// authorization checks for the principal (user or service
2167						// account) of the request.
2168						// See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
2169						// - 'authorizer.requestResource' - A CEL ResourceCheck
2170						// constructed from the 'authorizer' and configured with the
2171						// request resource.
2172						//
2173						// The `apiVersion`, `kind`, `metadata.name` and
2174						// `metadata.generateName` are always accessible from the root of
2175						// the
2176						// object. No other metadata properties are accessible.
2177						//
2178						// Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
2179						// are accessible.
2180						// Accessible property names are escaped according to the
2181						// following rules when accessed in the expression:
2182						// - '__' escapes to '__underscores__'
2183						// - '.' escapes to '__dot__'
2184						// - '-' escapes to '__dash__'
2185						// - '/' escapes to '__slash__'
2186						// - Property names that exactly match a CEL RESERVED keyword
2187						// escape to '__{keyword}__'. The keywords are:
2188						// "true", "false", "null", "in", "as", "break", "const",
2189						// "continue", "else", "for", "function", "if",
2190						// "import", "let", "loop", "package", "namespace", "return".
2191						// Examples:
2192						// - Expression accessing a property named "namespace":
2193						// {"Expression": "object.__namespace__ > 0"}
2194						// - Expression accessing a property named "x-prop":
2195						// {"Expression": "object.x__dash__prop > 0"}
2196						// - Expression accessing a property named "redact__d":
2197						// {"Expression": "object.redact__underscores__d > 0"}
2198						//
2199						// Equality on arrays with list type of 'set' or 'map' ignores
2200						// element order, i.e. [1, 2] == [2, 1].
2201						// Concatenation on arrays with x-kubernetes-list-type use the
2202						// semantics of the list type:
2203						// - 'set': `X + Y` performs a union where the array positions of
2204						// all elements in `X` are preserved and
2205						// non-intersecting elements in `Y` are appended, retaining their
2206						// partial order.
2207						// - 'map': `X + Y` performs a merge where the array positions of
2208						// all keys in `X` are preserved but the values
2209						// are overwritten by values in `Y` when the key sets of `X` and
2210						// `Y` intersect. Elements in `Y` with
2211						// non-intersecting keys are appended, retaining their partial
2212						// order.
2213						// Required.
2214						"expression"!: string
2215
2216						// Message represents the message displayed when validation fails.
2217						// The message is required if the Expression contains
2218						// line breaks. The message must not contain line breaks.
2219						// If unset, the message is "failed rule: {Rule}".
2220						// e.g. "must be a URL with the host matching spec.host"
2221						// If the Expression contains line breaks. Message is required.
2222						// The message must not contain line breaks.
2223						// If unset, the message is "failed Expression: {Expression}".
2224						"message"?: string
2225
2226						// messageExpression declares a CEL expression that evaluates to
2227						// the validation failure message that is returned when this rule
2228						// fails.
2229						// Since messageExpression is used as a failure message, it must
2230						// evaluate to a string.
2231						// If both message and messageExpression are present on a
2232						// validation, then messageExpression will be used if validation
2233						// fails.
2234						// If messageExpression results in a runtime error, the runtime
2235						// error is logged, and the validation failure message is
2236						// produced
2237						// as if the messageExpression field were unset. If
2238						// messageExpression evaluates to an empty string, a string with
2239						// only spaces, or a string
2240						// that contains line breaks, then the validation failure message
2241						// will also be produced as if the messageExpression field were
2242						// unset, and
2243						// the fact that messageExpression produced an empty string/string
2244						// with only spaces/string with line breaks will be logged.
2245						// messageExpression has access to all the same variables as the
2246						// `expression` except for 'authorizer' and
2247						// 'authorizer.requestResource'.
2248						// Example:
2249						// "object.x must be less than max ("+string(params.max)+")"
2250						"messageExpression"?: string
2251
2252						// Reason represents a machine-readable description of why this
2253						// validation failed.
2254						// If this is the first validation in the list to fail, this
2255						// reason, as well as the
2256						// corresponding HTTP response code, are used in the
2257						// HTTP response to the client.
2258						// The currently supported reasons are: "Unauthorized",
2259						// "Forbidden", "Invalid", "RequestEntityTooLarge".
2260						// If not set, StatusReasonInvalid is used in the response to the
2261						// client.
2262						"reason"?: string
2263					}]
2264
2265					// ParamKind is a tuple of Group Kind and Version.
2266					"paramKind"?: {
2267						// APIVersion is the API group version the resources belong to.
2268						// In format of "group/version".
2269						// Required.
2270						"apiVersion"?: string
2271
2272						// Kind is the API kind the resources belong to.
2273						// Required.
2274						"kind"?: string
2275					}
2276
2277					// ParamRef references a parameter resource.
2278					"paramRef"?: {
2279						// name is the name of the resource being referenced.
2280						//
2281						// One of `name` or `selector` must be set, but `name` and
2282						// `selector` are
2283						// mutually exclusive properties. If one is set, the other must be
2284						// unset.
2285						//
2286						// A single parameter used for all admission requests can be
2287						// configured
2288						// by setting the `name` field, leaving `selector` blank, and
2289						// setting namespace
2290						// if `paramKind` is namespace-scoped.
2291						"name"?: string
2292
2293						// namespace is the namespace of the referenced resource. Allows
2294						// limiting
2295						// the search for params to a specific namespace. Applies to both
2296						// `name` and
2297						// `selector` fields.
2298						//
2299						// A per-namespace parameter may be used by specifying a
2300						// namespace-scoped
2301						// `paramKind` in the policy and leaving this field empty.
2302						//
2303						// - If `paramKind` is cluster-scoped, this field MUST be unset.
2304						// Setting this
2305						// field results in a configuration error.
2306						//
2307						// - If `paramKind` is namespace-scoped, the namespace of the
2308						// object being
2309						// evaluated for admission will be used when this field is left
2310						// unset. Take
2311						// care that if this is left empty the binding must not match any
2312						// cluster-scoped
2313						// resources, which will result in an error.
2314						"namespace"?: string
2315
						// `parameterNotFoundAction` controls the behavior of the binding
						// when the resource exists, and name or selector is valid, but
						// there are no parameters matched by the binding. If the value is
						// set to `Allow`, then no matched parameters will be treated as
						// successful validation by the binding. If set to `Deny`, then no
						// matched parameters will be subject to the `failurePolicy` of
						// the policy.
						//
						// Allowed values are `Allow` or `Deny`.
						//
						// Security note: `Allow` fails open -- a missing or mislabelled
						// parameter resource silently disables the validation. Prefer
						// `Deny` for enforcing policies. Also note that this schema types
						// the field as an optional plain string, so neither the allowed
						// values nor the "Required" constraint is enforced here.
						//
						// Required
2330						"parameterNotFoundAction"?: string
2331
2332						// selector can be used to match multiple param objects based on
2333						// their labels.
2334						// Supply selector: {} to match all resources of the ParamKind.
2335						//
2336						// If multiple params are found, they are all evaluated with the
2337						// policy expressions
2338						// and the results are ANDed together.
2339						//
2340						// One of `name` or `selector` must be set, but `name` and
2341						// `selector` are
2342						// mutually exclusive properties. If one is set, the other must be
2343						// unset.
2344						"selector"?: {
2345							// matchExpressions is a list of label selector requirements. The
2346							// requirements are ANDed.
2347							"matchExpressions"?: [...{
2348								// key is the label key that the selector applies to.
2349								"key"!: string
2350
2351								// operator represents a key's relationship to a set of values.
2352								// Valid operators are In, NotIn, Exists and DoesNotExist.
2353								"operator"!: string
2354
2355								// values is an array of string values. If the operator is In or
2356								// NotIn,
2357								// the values array must be non-empty. If the operator is Exists
2358								// or DoesNotExist,
2359								// the values array must be empty. This array is replaced during a
2360								// strategic
2361								// merge patch.
2362								"values"?: [...string]
2363							}]
2364
2365							// matchLabels is a map of {key,value} pairs. A single {key,value}
2366							// in the matchLabels
2367							// map is equivalent to an element of matchExpressions, whose key
2368							// field is "key", the
2369							// operator is "In", and the values array contains only "value".
2370							// The requirements are ANDed.
2371							"matchLabels"?: {
2372								[string]: string
2373							}
2374						}
2375					}
2376
2377					// Variables contain definitions of variables that can be used in
2378					// composition of other expressions.
2379					// Each variable is defined as a named CEL expression.
2380					// The variables defined here will be available under `variables`
2381					// in other expressions of the policy.
2382					"variables"?: [...{
2383						// Expression is the expression that will be evaluated as the
2384						// value of the variable.
2385						// The CEL expression has access to the same identifiers as the
2386						// CEL expressions in Validation.
2387						"expression"!: string
2388
2389						// Name is the name of the variable. The name must be a valid CEL
2390						// identifier and unique among all variables.
2391						// The variable can be accessed in other expressions through
2392						// `variables`
2393						// For example, if name is "foo", the variable will be available
2394						// as `variables.foo`
2395						"name"!: string
2396					}]
2397				}
2398
2399				// Deny defines conditions used to pass or fail a validation rule.
2400				"deny"?: {
2401					// Multiple conditions can be declared under an `any` or `all`
2402					// statement.
2403					// See:
2404					// https://kyverno.io/docs/writing-policies/validate/#deny-rules
2405					"conditions"?: {
2406						// AllConditions enable variable-based conditional rule execution.
2407						// This is useful for
2408						// finer control of when a rule is applied. A condition can
2409						// reference object data
2410						// using JMESPath notation.
2411						// Here, all of the conditions need to pass.
2412						"all"?: [...{
2413							// Key is the context entry (using JMESPath) for conditional rule
2414							// evaluation.
2415							"key"?: null | bool | number | string | [...] | {
2416								...
2417							}
2418
2419							// Message is an optional display message
2420							"message"?: string
2421
2422							// Operator is the conditional operation to perform. Valid
2423							// operators are:
2424							// Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
2425							// GreaterThanOrEquals,
2426							// GreaterThan, LessThanOrEquals, LessThan,
2427							// DurationGreaterThanOrEquals, DurationGreaterThan,
2428							// DurationLessThanOrEquals, DurationLessThan
2429							"operator"?: "Equals" | "NotEquals" | "AnyIn" | "AllIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
2430
2431							// Value is the conditional value, or set of values. The values
2432							// can be fixed set
2433							// or can be variables declared using JMESPath.
2434							"value"?: null | bool | number | string | [...] | {
2435								...
2436							}
2437						}]
2438
2439						// AnyConditions enable variable-based conditional rule execution.
2440						// This is useful for
2441						// finer control of when a rule is applied. A condition can
2442						// reference object data
2443						// using JMESPath notation.
2444						// Here, at least one of the conditions need to pass.
2445						"any"?: [...{
2446							// Key is the context entry (using JMESPath) for conditional rule
2447							// evaluation.
2448							"key"?: null | bool | number | string | [...] | {
2449								...
2450							}
2451
2452							// Message is an optional display message
2453							"message"?: string
2454
2455							// Operator is the conditional operation to perform. Valid
2456							// operators are:
2457							// Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
2458							// GreaterThanOrEquals,
2459							// GreaterThan, LessThanOrEquals, LessThan,
2460							// DurationGreaterThanOrEquals, DurationGreaterThan,
2461							// DurationLessThanOrEquals, DurationLessThan
2462							"operator"?: "Equals" | "NotEquals" | "AnyIn" | "AllIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
2463
2464							// Value is the conditional value, or set of values. The values
2465							// can be fixed set
2466							// or can be variables declared using JMESPath.
2467							"value"?: null | bool | number | string | [...] | {
2468								...
2469							}
2470						}]
2471					}
2472				}
2473
2474				// FailureAction defines if a validation policy rule violation
2475				// should block
2476				// the admission review request (Enforce), or allow (Audit) the
2477				// admission review request
2478				// and report an error in a policy report. Optional.
2479				// Allowed values are Audit or Enforce.
2480				"failureAction"?: "Audit" | "Enforce"
2481
2482				// FailureActionOverrides is a Cluster Policy attribute that
2483				// specifies FailureAction
2484				// namespace-wise. It overrides FailureAction for the specified
2485				// namespaces.
2486				"failureActionOverrides"?: [...{
2487					// ValidationFailureAction defines the policy validation failure
2488					// action
2489					"action"?: "audit" | "enforce" | "Audit" | "Enforce"
2490
2491					// A label selector is a label query over a set of resources. The
2492					// result of matchLabels and
2493					// matchExpressions are ANDed. An empty label selector matches all
2494					// objects. A null
2495					// label selector matches no objects.
2496					"namespaceSelector"?: {
2497						// matchExpressions is a list of label selector requirements. The
2498						// requirements are ANDed.
2499						"matchExpressions"?: [...{
2500							// key is the label key that the selector applies to.
2501							"key"!: string
2502
2503							// operator represents a key's relationship to a set of values.
2504							// Valid operators are In, NotIn, Exists and DoesNotExist.
2505							"operator"!: string
2506
2507							// values is an array of string values. If the operator is In or
2508							// NotIn,
2509							// the values array must be non-empty. If the operator is Exists
2510							// or DoesNotExist,
2511							// the values array must be empty. This array is replaced during a
2512							// strategic
2513							// merge patch.
2514							"values"?: [...string]
2515						}]
2516
2517						// matchLabels is a map of {key,value} pairs. A single {key,value}
2518						// in the matchLabels
2519						// map is equivalent to an element of matchExpressions, whose key
2520						// field is "key", the
2521						// operator is "In", and the values array contains only "value".
2522						// The requirements are ANDed.
2523						"matchLabels"?: {
2524							[string]: string
2525						}
2526					}
2527					"namespaces"?: [...string]
2528				}]
2529
2530				// ForEach applies validate rules to a list of sub-elements by
2531				// creating a context for each entry in the list and looping over
2532				// it to apply the specified logic.
2533				"foreach"?: [...{
2534					// AnyPattern specifies list of validation patterns. At least one
2535					// of the patterns
2536					// must be satisfied for the validation rule to succeed.
2537					"anyPattern"?: null | bool | number | string | [...] | {
2538						...
2539					}
2540
2541					// Context defines variables and data sources that can be used
2542					// during rule execution.
2543					"context"?: [...matchN(1, [{
2544						"configMap"!: _
2545					}, {
2546						"apiCall"!: _
2547					}, {
2548						"imageRegistry"!: _
2549					}, {
2550						"variable"!: _
2551					}, {
2552						"globalReference"!: _
2553					}]) & {
2554						// APICall is an HTTP request to the Kubernetes API server, or
2555						// other JSON web service.
2556						// The data returned is stored in the context with the name for
2557						// the context entry.
2558						"apiCall"?: {
2559							// The data object specifies the POST data sent to the server.
2560							// Only applicable when the method field is set to POST.
2561							"data"?: [...{
2562								// Key is a unique identifier for the data value
2563								"key"!: string
2564
2565								// Value is the data value
2566								"value"!: null | bool | number | string | [...] | {
2567									...
2568								}
2569							}]
2570
2571							// Default is an optional arbitrary JSON object that the context
2572							// value is set to, if the apiCall returns error.
2573							"default"?: null | bool | number | string | [...] | {
2574								...
2575							}
2576
2577							// JMESPath is an optional JSON Match Expression that can be used
2578							// to
2579							// transform the JSON response returned from the server. For
2580							// example
2581							// a JMESPath of "items | length(@)" applied to the API server
2582							// response
2583							// for the URLPath "/apis/apps/v1/deployments" will return the
2584							// total count
2585							// of deployments across all namespaces.
2586							"jmesPath"?: string
2587
2588							// Method is the HTTP request type (GET or POST). Defaults to GET.
2589							"method"?: "GET" | "POST"
2590
2591							// Service is an API call to a JSON web service.
2592							// This is used for non-Kubernetes API server calls.
2593							// It's mutually exclusive with the URLPath field.
2594							"service"?: {
2595								// CABundle is a PEM encoded CA bundle which will be used to
2596								// validate
2597								// the server certificate.
2598								"caBundle"?: string
2599
2600								// Headers is a list of optional HTTP headers to be included in
2601								// the request.
2602								"headers"?: [...{
2603									// Key is the header key
2604									"key"!: string
2605
2606									// Value is the header value
2607									"value"!: string
2608								}]
2609
2610								// URL is the JSON web service URL. A typical form is
2611								// `https://{service}.{namespace}:{port}/{path}`.
2612								"url"!: string
2613							}
2614
2615							// URLPath is the URL path to be used in the HTTP GET or POST
2616							// request to the
2617							// Kubernetes API server (e.g. "/api/v1/namespaces" or
2618							// "/apis/apps/v1/deployments").
2619							// The format required is the same format used by the `kubectl get
2620							// --raw` command.
2621							// See
2622							// https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
2623							// for details.
2624							// It's mutually exclusive with the Service field.
2625							"urlPath"?: string
2626						}
2627
2628						// ConfigMap is the ConfigMap reference.
2629						"configMap"?: {
2630							// Name is the ConfigMap name.
2631							"name"!: string
2632
2633							// Namespace is the ConfigMap namespace.
2634							"namespace"?: string
2635						}
2636
2637						// GlobalContextEntryReference is a reference to a cached global
2638						// context entry.
2639						"globalReference"?: {
2640							// JMESPath is an optional JSON Match Expression that can be used
2641							// to
2642							// transform the JSON response returned from the server. For
2643							// example
2644							// a JMESPath of "items | length(@)" applied to the API server
2645							// response
2646							// for the URLPath "/apis/apps/v1/deployments" will return the
2647							// total count
2648							// of deployments across all namespaces.
2649							"jmesPath"?: string
2650
2651							// Name of the global context entry
2652							"name"!: string
2653						}
2654
2655						// ImageRegistry defines requests to an OCI/Docker V2 registry to
2656						// fetch image
2657						// details.
2658						"imageRegistry"?: {
2659							// ImageRegistryCredentials provides credentials that will be used
2660							// for authentication with registry
2661							"imageRegistryCredentials"?: {
2662								// AllowInsecureRegistry allows insecure access to a registry.
2663								"allowInsecureRegistry"?: bool
2664
2665								// Providers specifies a list of OCI Registry names, whose
2666								// authentication providers are provided.
2667								// It can be of one of these values:
2668								// default,google,azure,amazon,github.
2669								"providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
2670
2671								// Secrets specifies a list of secrets that are provided for
2672								// credentials.
2673								// Secrets must live in the Kyverno namespace.
2674								"secrets"?: [...string]
2675							}
2676
2677							// JMESPath is an optional JSON Match Expression that can be used
2678							// to
2679							// transform the ImageData struct returned as a result of
2680							// processing
2681							// the image reference.
2682							"jmesPath"?: string
2683
2684							// Reference is image reference to a container image in the
2685							// registry.
2686							// Example: ghcr.io/kyverno/kyverno:latest
2687							"reference"!: string
2688						}
2689
2690						// Name is the variable name.
2691						"name"!: string
2692
2693						// Variable defines an arbitrary JMESPath context variable that
2694						// can be defined inline.
2695						"variable"?: {
2696							// Default is an optional arbitrary JSON object that the variable
2697							// may take if the JMESPath
2698							// expression evaluates to nil
2699							"default"?: null | bool | number | string | [...] | {
2700								...
2701							}
2702
2703							// JMESPath is an optional JMESPath Expression that can be used to
2704							// transform the variable.
2705							"jmesPath"?: string
2706
2707							// Value is any arbitrary JSON object representable in YAML or
2708							// JSON form.
2709							"value"?: null | bool | number | string | [...] | {
2710								...
2711							}
2712						}
2713					}]
2714
2715					// Deny defines conditions used to pass or fail a validation rule.
2716					"deny"?: {
2717						// Multiple conditions can be declared under an `any` or `all`
2718						// statement. A direct list
2719						// of conditions (without `any` or `all` statements) is also
2720						// supported for backwards compatibility
2721						// but will be deprecated in the next major release.
2722						// See:
2723						// https://kyverno.io/docs/writing-policies/validate/#deny-rules
2724						"conditions"?: null | bool | number | string | [...] | {
2725							...
2726						}
2727					}
2728
2729					// ElementScope specifies whether to use the current list element
2730					// as the scope for validation. Defaults to "true" if not
2731					// specified.
2732					// When set to "false", "request.object" is used as the validation
2733					// scope within the foreach
2734					// block to allow referencing other elements in the subtree.
2735					"elementScope"?: bool
2736
2737					// Foreach declares a nested foreach iterator
2738					"foreach"?: null | bool | number | string | [...] | {
2739						...
2740					}
2741
2742					// List specifies a JMESPath expression that results in one or
2743					// more elements
2744					// to which the validation logic is applied.
2745					"list"?: string
2746
2747					// Pattern specifies an overlay-style pattern used to check
2748					// resources.
2749					"pattern"?: null | bool | number | string | [...] | {
2750						...
2751					}
2752
2753					// AnyAllConditions are used to determine if a policy rule should
2754					// be applied by evaluating a
2755					// set of conditions. The declaration can contain nested `any` or
2756					// `all` statements.
2757					// See: https://kyverno.io/docs/writing-policies/preconditions/
2758					"preconditions"?: {
2759						// AllConditions enable variable-based conditional rule execution.
2760						// This is useful for
2761						// finer control of when a rule is applied. A condition can
2762						// reference object data
2763						// using JMESPath notation.
2764						// Here, all of the conditions need to pass
2765						"all"?: [...{
2766							// Key is the context entry (using JMESPath) for conditional rule
2767							// evaluation.
2768							"key"?: null | bool | number | string | [...] | {
2769								...
2770							}
2771
2772							// Message is an optional display message
2773							"message"?: string
2774
2775							// Operator is the conditional operation to perform. Valid
2776							// operators are:
2777							// Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
2778							// GreaterThanOrEquals,
2779							// GreaterThan, LessThanOrEquals, LessThan,
2780							// DurationGreaterThanOrEquals, DurationGreaterThan,
2781							// DurationLessThanOrEquals, DurationLessThan
2782							"operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
2783
2784							// Value is the conditional value, or set of values. The values
2785							// can be fixed set
2786							// or can be variables declared using JMESPath.
2787							"value"?: null | bool | number | string | [...] | {
2788								...
2789							}
2790						}]
2791
2792						// AnyConditions enable variable-based conditional rule execution.
2793						// This is useful for
2794						// finer control of when a rule is applied. A condition can
2795						// reference object data
2796						// using JMESPath notation.
2797						// Here, at least one of the conditions need to pass
2798						"any"?: [...{
2799							// Key is the context entry (using JMESPath) for conditional rule
2800							// evaluation.
2801							"key"?: null | bool | number | string | [...] | {
2802								...
2803							}
2804
2805							// Message is an optional display message
2806							"message"?: string
2807
2808							// Operator is the conditional operation to perform. Valid
2809							// operators are:
2810							// Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
2811							// GreaterThanOrEquals,
2812							// GreaterThan, LessThanOrEquals, LessThan,
2813							// DurationGreaterThanOrEquals, DurationGreaterThan,
2814							// DurationLessThanOrEquals, DurationLessThan
2815							"operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
2816
2817							// Value is the conditional value, or set of values. The values
2818							// can be fixed set
2819							// or can be variables declared using JMESPath.
2820							"value"?: null | bool | number | string | [...] | {
2821								...
2822							}
2823						}]
2824						...
2825					}
2826				}]
2827
2828				// Manifest specifies conditions for manifest verification
2829				"manifests"?: {
2830					// AnnotationDomain is custom domain of annotation for message and
2831					// signature. Default is "cosign.sigstore.dev".
2832					"annotationDomain"?: string
2833
2834					// Attestors specifies the required attestors (i.e. authorities)
2835					"attestors"?: [...{
2836						// Count specifies the required number of entries that must match.
2837						// If the count is null, all entries must match
2838						// (a logical AND). If the count is 1, at least one entry must
2839						// match (a logical OR). If the count contains a
2840						// value N, then N must be less than or equal to the size of
2841						// entries, and at least N entries must match.
2842						"count"?: int & >=1
2843
2844						// Entries contains the available attestors. An attestor can be a
2845						// static key,
2846						// attributes for keyless verification, or a nested attestor
2847						// declaration.
2848						"entries"?: [...{
2849							// Annotations are used for image verification.
2850							// Every specified key-value pair must exist and match in the
2851							// verified payload.
2852							// The payload may contain other key-value pairs.
2853							"annotations"?: [string]: string
2854
2855							// Attestor is a nested set of Attestor used to specify a more
2856							// complex set of match authorities.
2857							"attestor"?: null | bool | number | string | [...] | {
2858								...
2859							}
2860
2861							// Certificates specifies one or more certificates.
2862							"certificates"?: {
2863								// Cert is an optional PEM-encoded public certificate.
2864								"cert"?: string
2865
2866								// CertChain is an optional PEM encoded set of certificates used
2867								// to verify.
2868								"certChain"?: string
2869
2870								// CTLog (certificate timestamp log) provides a configuration for
2871								// validation of Signed Certificate
2872								// Timestamps (SCTs). If the value is unset, the default behavior
2873								// by Cosign is used.
2874								"ctlog"?: {
2875									// IgnoreSCT defines whether to use the Signed Certificate
2876									// Timestamp (SCT) log to check for a certificate
2877									// timestamp. Default is false. Set to true if this was opted out
2878									// during signing.
2879									"ignoreSCT"?: bool
2880
2881									// PubKey, if set, is used to validate SCTs against a custom
2882									// source.
2883									"pubkey"?: string
2884
2885									// TSACertChain, if set, is the PEM-encoded certificate chain file
2886									// for the RFC3161 timestamp authority. Must
2887									// contain the root CA certificate. Optionally may contain
2888									// intermediate CA certificates, and
2889									// may contain the leaf TSA certificate if not present in the
2890									// timestamp source.
2891									"tsaCertChain"?: string
2892								}
2893
2894								// Rekor provides configuration for the Rekor transparency log
2895								// service. If an empty object
2896								// is provided the public instance of Rekor
2897								// (https://rekor.sigstore.dev) is used.
2898								"rekor"?: {
2899									// IgnoreTlog skips transparency log verification.
2900									"ignoreTlog"?: bool
2901
2902									// RekorPubKey is an optional PEM-encoded public key to use for a
2903									// custom Rekor.
2904									// If set, this will be used to validate transparency log
2905									// signatures from a custom Rekor.
2906									"pubkey"?: string
2907
2908									// URL is the address of the transparency log. Defaults to the
2909									// public Rekor log instance https://rekor.sigstore.dev.
2910									"url"?: string
2911								}
2912							}
2913
2914							// Keyless is a set of attributes used to verify a Sigstore keyless
2915							// attestor.
2916							// See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
2917							"keyless"?: {
2918								// AdditionalExtensions are certificate-extensions used for
2919								// keyless signing.
2920								"additionalExtensions"?: [string]: string
2921
2922								// CTLog (certificate timestamp log) provides a configuration for
2923								// validation of Signed Certificate
2924								// Timestamps (SCTs). If the value is unset, the default behavior
2925								// by Cosign is used.
2926								"ctlog"?: {
2927									// IgnoreSCT defines whether to use the Signed Certificate
2928									// Timestamp (SCT) log to check for a certificate
2929									// timestamp. Default is false. Set to true if this was opted out
2930									// during signing.
2931									"ignoreSCT"?: bool
2932
2933									// PubKey, if set, is used to validate SCTs against a custom
2934									// source.
2935									"pubkey"?: string
2936
2937									// TSACertChain, if set, is the PEM-encoded certificate chain file
2938									// for the RFC3161 timestamp authority. Must
2939									// contain the root CA certificate. Optionally may contain
2940									// intermediate CA certificates, and
2941									// may contain the leaf TSA certificate if not present in the
2942									// timestamp source.
2943									"tsaCertChain"?: string
2944								}
2945
2946								// Issuer is the certificate issuer used for keyless signing.
2947								"issuer"?: string
2948
2949								// IssuerRegExp is the regular expression to match certificate
2950								// issuer used for keyless signing.
2951								"issuerRegExp"?: string
2952
2953								// Rekor provides configuration for the Rekor transparency log
2954								// service. If an empty object
2955								// is provided the public instance of Rekor
2956								// (https://rekor.sigstore.dev) is used.
2957								"rekor"?: {
2958									// IgnoreTlog skips transparency log verification.
2959									"ignoreTlog"?: bool
2960
2961									// RekorPubKey is an optional PEM-encoded public key to use for a
2962									// custom Rekor.
2963									// If set, this will be used to validate transparency log
2964									// signatures from a custom Rekor.
2965									"pubkey"?: string
2966
2967									// URL is the address of the transparency log. Defaults to the
2968									// public Rekor log instance https://rekor.sigstore.dev.
2969									"url"?: string
2970								}
2971
2972								// Roots is an optional set of PEM encoded trusted root
2973								// certificates.
2974								// If not provided, the system roots are used.
2975								"roots"?: string
2976
2977								// Subject is the verified identity used for keyless signing, for
2978								// example the email address.
2979								"subject"?: string
2980
2981								// SubjectRegExp is the regular expression to match identity used
2982								// for keyless signing, for example the email address.
2983								"subjectRegExp"?: string
2984							}
2985
2986							// Keys specifies one or more public keys.
2987							"keys"?: {
2988								// CTLog (certificate timestamp log) provides a configuration for
2989								// validation of Signed Certificate
2990								// Timestamps (SCTs). If the value is unset, the default behavior
2991								// by Cosign is used.
2992								"ctlog"?: {
2993									// IgnoreSCT defines whether to use the Signed Certificate
2994									// Timestamp (SCT) log to check for a certificate
2995									// timestamp. Default is false. Set to true if this was opted out
2996									// during signing.
2997									"ignoreSCT"?: bool
2998
2999									// PubKey, if set, is used to validate SCTs against a custom
3000									// source.
3001									"pubkey"?: string
3002
3003									// TSACertChain, if set, is the PEM-encoded certificate chain file
3004									// for the RFC3161 timestamp authority. Must
3005									// contain the root CA certificate. Optionally may contain
3006									// intermediate CA certificates, and
3007									// may contain the leaf TSA certificate if not present in the
3008									// timestamp source.
3009									"tsaCertChain"?: string
3010								}
3011
3012								// KMS provides the URI to the public key stored in a Key
3013								// Management System. See:
3014								// https://github.com/sigstore/cosign/blob/main/KMS.md
3015								"kms"?: string
3016
3017								// Keys is a set of X.509 public keys used to verify image
3018								// signatures. The keys can be directly
3019								// specified or can be a variable reference to a key specified in
3020								// a ConfigMap (see
3021								// https://kyverno.io/docs/writing-policies/variables/), or
3022								// reference a standard Kubernetes Secret
3023								// elsewhere in the cluster by specifying it in the format
3024								// "k8s://<namespace>/<secret_name>".
3025								// The named Secret must specify a key `cosign.pub` containing the
3026								// public key used for
3027								// verification, (see
3028								// https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
3029								// When multiple keys are specified each key is processed as a
3030								// separate staticKey entry
3031								// (.attestors[*].entries.keys) within the set of attestors and
3032								// the count is applied across the keys.
3033								"publicKeys"?: string
3034
3035								// Rekor provides configuration for the Rekor transparency log
3036								// service. If an empty object
3037								// is provided the public instance of Rekor
3038								// (https://rekor.sigstore.dev) is used.
3039								"rekor"?: {
3040									// IgnoreTlog skips transparency log verification.
3041									"ignoreTlog"?: bool
3042
3043									// RekorPubKey is an optional PEM-encoded public key to use for a
3044									// custom Rekor.
3045									// If set, this will be used to validate transparency log
3046									// signatures from a custom Rekor.
3047									"pubkey"?: string
3048
3049									// URL is the address of the transparency log. Defaults to the
3050									// public Rekor log instance https://rekor.sigstore.dev.
3051									"url"?: string
3052								}
3053
3054								// Reference to a Secret resource that contains a public key
3055								"secret"?: {
3056									// Name of the secret. The provided secret must contain a key
3057									// named cosign.pub.
3058									"name"!: string
3059
3060									// Namespace name where the Secret exists.
3061									"namespace"!: string
3062								}
3063
3064								// Deprecated. Use attestor.signatureAlgorithm instead.
3065								"signatureAlgorithm"?: string
3066							}
3067
3068							// Repository is an optional alternate OCI repository to use for
3069							// signatures and attestations that match this rule.
3070							// If specified Repository will override other OCI image
3071							// repository locations for this Attestor.
3072							"repository"?: string
3073
3074							// Specify signature algorithm for public keys. Supported values
3075							// are sha224, sha256, sha384 and sha512.
3076							"signatureAlgorithm"?: string
3077						}]
3078					}]
3079
3080					// DryRun configuration
3081					"dryRun"?: {
3082						"enable"?:    bool
3083						"namespace"?: string
3084					}
3085
3086					// Fields which will be ignored while comparing manifests.
3087					"ignoreFields"?: [...{
3088						"fields"?: [...string]
3089						"objects"?: [...{
3090							"group"?:     string
3091							"kind"?:      string
3092							"name"?:      string
3093							"namespace"?: string
3094							"version"?:   string
3095						}]
3096					}]
3097
3098					// Repository is an optional alternate OCI repository to use for
3099					// resource bundle reference.
3100					// The repository can be overridden per Attestor or Attestation.
3101					"repository"?: string
3102				}
3103
3104				// Message specifies a custom message to be displayed on failure.
3105				"message"?: string
3106
3107				// Pattern specifies an overlay-style pattern used to check
3108				// resources.
3109				"pattern"?: null | bool | number | string | [...] | {
3110					...
3111				}
3112
3113				// PodSecurity applies exemptions for Kubernetes Pod Security
3114				// admission
3115				// by specifying exclusions for Pod Security Standards controls.
3116				"podSecurity"?: {
3117					// Exclude specifies the Pod Security Standard controls to be
3118					// excluded.
3119					"exclude"?: [...{
3120						// ControlName specifies the name of the Pod Security Standard
3121						// control.
3122						// See:
3123						// https://kubernetes.io/docs/concepts/security/pod-security-standards/
3124						"controlName"!: "HostProcess" | "Host Namespaces" | "Privileged Containers" | "Capabilities" | "HostPath Volumes" | "Host Ports" | "AppArmor" | "SELinux" | "/proc Mount Type" | "Seccomp" | "Sysctls" | "Volume Types" | "Privilege Escalation" | "Running as Non-root" | "Running as Non-root user"
3125
3126						// Images selects matching containers and applies the container
3127						// level PSS.
3128						// Each image is the image name consisting of the registry
3129						// address, repository, image, and tag.
3130						// Empty list matches no containers, PSS checks are applied at the
3131						// pod level only.
3132						// Wildcards ('*' and '?') are allowed. See:
3133						// https://kubernetes.io/docs/concepts/containers/images.
3134						"images"?: [...string]
3135
3136						// RestrictedField selects the field for the given Pod Security
3137						// Standard control.
3138						// When not set, all restricted fields for the control are
3139						// selected.
3140						"restrictedField"?: string
3141
3142						// Values defines the allowed values that can be excluded.
3143						"values"?: [...string]
3144					}]
3145
3146					// Level defines the Pod Security Standard level to be applied to
3147					// workloads.
3148					// Allowed values are privileged, baseline, and restricted.
3149					"level"?: "privileged" | "baseline" | "restricted"
3150
3151					// Version defines the Pod Security Standard versions that
3152					// Kubernetes supports.
3153					// Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24,
3154					// v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest.
3155					"version"?: "v1.19" | "v1.20" | "v1.21" | "v1.22" | "v1.23" | "v1.24" | "v1.25" | "v1.26" | "v1.27" | "v1.28" | "v1.29" | "latest"
3156				}
3157			}
3158
3159			// VerifyImages is used to verify image signatures and mutate them
3160			// to add a digest
3161			"verifyImages"?: [...{
3162				// Attestations are optional checks for signed in-toto Statements
3163				// used to verify the image.
3164				// See https://github.com/in-toto/attestation. Kyverno fetches
3165				// signed attestations from the
3166				// OCI registry and decodes them into a list of Statement
3167				// declarations.
3168				"attestations"?: [...{
3169					// Attestors specify the required attestors (i.e. authorities).
3170					"attestors"?: [...{
3171						// Count specifies the required number of entries that must match.
3172						// If the count is null, all entries must match
3173						// (a logical AND). If the count is 1, at least one entry must
3174						// match (a logical OR). If the count contains a
3175						// value N, then N must be less than or equal to the size of
3176						// entries, and at least N entries must match.
3177						"count"?: int & >=1
3178
3179						// Entries contains the available attestors. An attestor can be a
3180						// static key,
3181						// attributes for keyless verification, or a nested attestor
3182						// declaration.
3183						"entries"?: [...{
3184							// Annotations are used for image verification.
3185							// Every specified key-value pair must exist and match in the
3186							// verified payload.
3187							// The payload may contain other key-value pairs.
3188							"annotations"?: [string]: string
3189
3190							// Attestor is a nested set of Attestor used to specify a more
3191							// complex set of match authorities.
3192							"attestor"?: null | bool | number | string | [...] | {
3193								...
3194							}
3195
3196							// Certificates specifies one or more certificates.
3197							"certificates"?: {
3198								// Cert is an optional PEM-encoded public certificate.
3199								"cert"?: string
3200
3201								// CertChain is an optional PEM encoded set of certificates used
3202								// to verify.
3203								"certChain"?: string
3204
3205								// CTLog (certificate timestamp log) provides a configuration for
3206								// validation of Signed Certificate
3207								// Timestamps (SCTs). If the value is unset, the default behavior
3208								// by Cosign is used.
3209								"ctlog"?: {
3210									// IgnoreSCT defines whether to use the Signed Certificate
3211									// Timestamp (SCT) log to check for a certificate
3212									// timestamp. Default is false. Set to true if this was opted out
3213									// during signing.
3214									"ignoreSCT"?: bool
3215
3216									// PubKey, if set, is used to validate SCTs against a custom
3217									// source.
3218									"pubkey"?: string
3219
3220									// TSACertChain, if set, is the PEM-encoded certificate chain file
3221									// for the RFC3161 timestamp authority. Must
3222									// contain the root CA certificate. Optionally may contain
3223									// intermediate CA certificates, and
3224									// may contain the leaf TSA certificate if not present in the
3225									// timestamp.
3226									"tsaCertChain"?: string
3227								}
3228
3229								// Rekor provides configuration for the Rekor transparency log
3230								// service. If an empty object
3231								// is provided the public instance of Rekor
3232								// (https://rekor.sigstore.dev) is used.
3233								"rekor"?: {
3234									// IgnoreTlog skips transparency log verification.
3235									"ignoreTlog"?: bool
3236
3237									// RekorPubKey is an optional PEM-encoded public key to use for a
3238									// custom Rekor.
3239									// If set, this will be used to validate transparency log
3240									// signatures from a custom Rekor.
3241									"pubkey"?: string
3242
3243									// URL is the address of the transparency log. Defaults to the
3244									// public Rekor log instance https://rekor.sigstore.dev.
3245									"url"?: string
3246								}
3247							}
3248
3249							// Keyless is a set of attributes used to verify a Sigstore keyless
3250							// attestor.
3251							// See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
3252							"keyless"?: {
3253								// AdditionalExtensions are certificate-extensions used for
3254								// keyless signing.
3255								"additionalExtensions"?: [string]: string
3256
3257								// CTLog (certificate timestamp log) provides a configuration for
3258								// validation of Signed Certificate
3259								// Timestamps (SCTs). If the value is unset, the default behavior
3260								// by Cosign is used.
3261								"ctlog"?: {
3262									// IgnoreSCT defines whether to use the Signed Certificate
3263									// Timestamp (SCT) log to check for a certificate
3264									// timestamp. Default is false. Set to true if this was opted out
3265									// during signing.
3266									"ignoreSCT"?: bool
3267
3268									// PubKey, if set, is used to validate SCTs against a custom
3269									// source.
3270									"pubkey"?: string
3271
3272									// TSACertChain, if set, is the PEM-encoded certificate chain file
3273									// for the RFC3161 timestamp authority. Must
3274									// contain the root CA certificate. Optionally may contain
3275									// intermediate CA certificates, and
3276									// may contain the leaf TSA certificate if not present in the
3277									// timestamp.
3278									"tsaCertChain"?: string
3279								}
3280
3281								// Issuer is the certificate issuer used for keyless signing.
3282								"issuer"?: string
3283
3284								// IssuerRegExp is the regular expression to match certificate
3285								// issuer used for keyless signing.
3286								"issuerRegExp"?: string
3287
3288								// Rekor provides configuration for the Rekor transparency log
3289								// service. If an empty object
3290								// is provided the public instance of Rekor
3291								// (https://rekor.sigstore.dev) is used.
3292								"rekor"?: {
3293									// IgnoreTlog skips transparency log verification.
3294									"ignoreTlog"?: bool
3295
3296									// RekorPubKey is an optional PEM-encoded public key to use for a
3297									// custom Rekor.
3298									// If set, this will be used to validate transparency log
3299									// signatures from a custom Rekor.
3300									"pubkey"?: string
3301
3302									// URL is the address of the transparency log. Defaults to the
3303									// public Rekor log instance https://rekor.sigstore.dev.
3304									"url"?: string
3305								}
3306
3307								// Roots is an optional set of PEM encoded trusted root
3308								// certificates.
3309								// If not provided, the system roots are used.
3310								"roots"?: string
3311
3312								// Subject is the verified identity used for keyless signing, for
3313								// example the email address.
3314								"subject"?: string
3315
3316								// SubjectRegExp is the regular expression to match identity used
3317								// for keyless signing, for example the email address.
3318								"subjectRegExp"?: string
3319							}
3320
3321							// Keys specifies one or more public keys.
3322							"keys"?: {
3323								// CTLog (certificate timestamp log) provides a configuration for
3324								// validation of Signed Certificate
3325								// Timestamps (SCTs). If the value is unset, the default behavior
3326								// by Cosign is used.
3327								"ctlog"?: {
3328									// IgnoreSCT defines whether to use the Signed Certificate
3329									// Timestamp (SCT) log to check for a certificate
3330									// timestamp. Default is false. Set to true if this was opted out
3331									// during signing.
3332									"ignoreSCT"?: bool
3333
3334									// PubKey, if set, is used to validate SCTs against a custom
3335									// source.
3336									"pubkey"?: string
3337
3338									// TSACertChain, if set, is the PEM-encoded certificate chain file
3339									// for the RFC3161 timestamp authority. Must
3340									// contain the root CA certificate. Optionally may contain
3341									// intermediate CA certificates, and
3342									// may contain the leaf TSA certificate if not present in the
3343									// timestamp.
3344									"tsaCertChain"?: string
3345								}
3346
3347								// KMS provides the URI to the public key stored in a Key
3348								// Management System. See:
3349								// https://github.com/sigstore/cosign/blob/main/KMS.md
3350								"kms"?: string
3351
3352								// Keys is a set of X.509 public keys used to verify image
3353								// signatures. The keys can be directly
3354								// specified or can be a variable reference to a key specified in
3355								// a ConfigMap (see
3356								// https://kyverno.io/docs/writing-policies/variables/), or
3357								// reference a standard Kubernetes Secret
3358								// elsewhere in the cluster by specifying it in the format
3359								// "k8s://<namespace>/<secret_name>".
3360								// The named Secret must specify a key `cosign.pub` containing the
3361								// public key used for
3362								// verification (see
3363								// https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
3364								// When multiple keys are specified each key is processed as a
3365								// separate staticKey entry
3366								// (.attestors[*].entries.keys) within the set of attestors and
3367								// the count is applied across the keys.
3368								"publicKeys"?: string
3369
3370								// Rekor provides configuration for the Rekor transparency log
3371								// service. If an empty object
3372								// is provided the public instance of Rekor
3373								// (https://rekor.sigstore.dev) is used.
3374								"rekor"?: {
3375									// IgnoreTlog skips transparency log verification.
3376									"ignoreTlog"?: bool
3377
3378									// RekorPubKey is an optional PEM-encoded public key to use for a
3379									// custom Rekor.
3380									// If set, this will be used to validate transparency log
3381									// signatures from a custom Rekor.
3382									"pubkey"?: string
3383
3384									// URL is the address of the transparency log. Defaults to the
3385									// public Rekor log instance https://rekor.sigstore.dev.
3386									"url"?: string
3387								}
3388
3389								// Reference to a Secret resource that contains a public key
3390								"secret"?: {
3391									// Name of the secret. The provided secret must contain a key
3392									// named cosign.pub.
3393									"name"!: string
3394
3395									// Namespace name where the Secret exists.
3396									"namespace"!: string
3397								}
3398
3399								// Deprecated. Use attestor.signatureAlgorithm instead.
3400								"signatureAlgorithm"?: string
3401							}
3402
3403							// Repository is an optional alternate OCI repository to use for
3404							// signatures and attestations that match this rule.
3405							// If specified Repository will override other OCI image
3406							// repository locations for this Attestor.
3407							"repository"?: string
3408
3409							// Specify signature algorithm for public keys. Supported values
3410							// are sha224, sha256, sha384 and sha512.
3411							"signatureAlgorithm"?: string
3412						}]
3413					}]
3414
3415					// Conditions are used to verify attributes within a Predicate. If
3416					// no Conditions are specified
3417					// the attestation check is satisfied as long as there are predicates
3418					// that match the predicate type.
3419					"conditions"?: [...{
3420						// AllConditions enable variable-based conditional rule execution.
3421						// This is useful for
3422						// finer control of when a rule is applied. A condition can
3423						// reference object data
3424						// using JMESPath notation.
3425						// Here, all of the conditions need to pass
3426						"all"?: [...{
3427							// Key is the context entry (using JMESPath) for conditional rule
3428							// evaluation.
3429							"key"?: null | bool | number | string | [...] | {
3430								...
3431							}
3432
3433							// Message is an optional display message
3434							"message"?: string
3435
3436							// Operator is the conditional operation to perform. Valid
3437							// operators are:
3438							// Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
3439							// GreaterThanOrEquals,
3440							// GreaterThan, LessThanOrEquals, LessThan,
3441							// DurationGreaterThanOrEquals, DurationGreaterThan,
3442							// DurationLessThanOrEquals, DurationLessThan
3443							"operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
3444
3445							// Value is the conditional value, or set of values. The values
3446							// can be fixed set
3447							// or can be variables declared using JMESPath.
3448							"value"?: null | bool | number | string | [...] | {
3449								...
3450							}
3451						}]
3452
3453						// AnyConditions enable variable-based conditional rule execution.
3454						// This is useful for
3455						// finer control of when a rule is applied. A condition can
3456						// reference object data
3457						// using JMESPath notation.
3458						// Here, at least one of the conditions need to pass
3459						"any"?: [...{
3460							// Key is the context entry (using JMESPath) for conditional rule
3461							// evaluation.
3462							"key"?: null | bool | number | string | [...] | {
3463								...
3464							}
3465
3466							// Message is an optional display message
3467							"message"?: string
3468
3469							// Operator is the conditional operation to perform. Valid
3470							// operators are:
3471							// Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
3472							// GreaterThanOrEquals,
3473							// GreaterThan, LessThanOrEquals, LessThan,
3474							// DurationGreaterThanOrEquals, DurationGreaterThan,
3475							// DurationLessThanOrEquals, DurationLessThan
3476							"operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
3477
3478							// Value is the conditional value, or set of values. The values
3479							// can be fixed set
3480							// or can be variables declared using JMESPath.
3481							"value"?: null | bool | number | string | [...] | {
3482								...
3483							}
3484						}]
3485					}]
3486
3487					// Name is the variable name.
3488					"name"?: string
3489
3490					// Deprecated in favour of 'Type', to be removed soon
3491					"predicateType"?: string
3492
3493					// Type defines the type of attestation contained within the
3494					// Statement.
3495					"type"?: string
3496				}]
3497
3498				// Attestors specify the required attestors (i.e. authorities).
3499				"attestors"?: [...{
3500					// Count specifies the required number of entries that must match.
3501					// If the count is null, all entries must match
3502					// (a logical AND). If the count is 1, at least one entry must
3503					// match (a logical OR). If the count contains a
3504					// value N, then N must be less than or equal to the size of
3505					// entries, and at least N entries must match.
3506					"count"?: int & >=1
3507
3508					// Entries contains the available attestors. An attestor can be a
3509					// static key,
3510					// attributes for keyless verification, or a nested attestor
3511					// declaration.
3512					"entries"?: [...{
3513						// Annotations are used for image verification.
3514						// Every specified key-value pair must exist and match in the
3515						// verified payload.
3516						// The payload may contain other key-value pairs.
3517						"annotations"?: [string]: string
3518
3519						// Attestor is a nested set of Attestor used to specify a more
3520						// complex set of match authorities.
3521						"attestor"?: null | bool | number | string | [...] | {
3522							...
3523						}
3524
3525						// Certificates specifies one or more certificates.
3526						"certificates"?: {
3527							// Cert is an optional PEM-encoded public certificate.
3528							"cert"?: string
3529
3530							// CertChain is an optional PEM encoded set of certificates used
3531							// to verify.
3532							"certChain"?: string
3533
3534							// CTLog (certificate timestamp log) provides a configuration for
3535							// validation of Signed Certificate
3536							// Timestamps (SCTs). If the value is unset, the default behavior
3537							// by Cosign is used.
3538							"ctlog"?: {
3539								// IgnoreSCT defines whether to use the Signed Certificate
3540								// Timestamp (SCT) log to check for a certificate
3541								// timestamp. Default is false. Set to true if this was opted out
3542								// during signing.
3543								"ignoreSCT"?: bool
3544
3545								// PubKey, if set, is used to validate SCTs against a custom
3546								// source.
3547								"pubkey"?: string
3548
3549								// TSACertChain, if set, is the PEM-encoded certificate chain file
3550								// for the RFC3161 timestamp authority. Must
3551								// contain the root CA certificate. Optionally may contain
3552								// intermediate CA certificates, and
3553								// may contain the leaf TSA certificate if not present in the
3554								// timestamp.
3555								"tsaCertChain"?: string
3556							}
3557
3558							// Rekor provides configuration for the Rekor transparency log
3559							// service. If an empty object
3560							// is provided the public instance of Rekor
3561							// (https://rekor.sigstore.dev) is used.
3562							"rekor"?: {
3563								// IgnoreTlog skips transparency log verification.
3564								"ignoreTlog"?: bool
3565
3566								// RekorPubKey is an optional PEM-encoded public key to use for a
3567								// custom Rekor.
3568								// If set, this will be used to validate transparency log
3569								// signatures from a custom Rekor.
3570								"pubkey"?: string
3571
3572								// URL is the address of the transparency log. Defaults to the
3573								// public Rekor log instance https://rekor.sigstore.dev.
3574								"url"?: string
3575							}
3576						}
3577
3578						// Keyless is a set of attributes used to verify a Sigstore keyless
3579						// attestor.
3580						// See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
3581						"keyless"?: {
3582							// AdditionalExtensions are certificate-extensions used for
3583							// keyless signing.
3584							"additionalExtensions"?: [string]: string
3585
3586							// CTLog (certificate timestamp log) provides a configuration for
3587							// validation of Signed Certificate
3588							// Timestamps (SCTs). If the value is unset, the default behavior
3589							// by Cosign is used.
3590							"ctlog"?: {
3591								// IgnoreSCT defines whether to use the Signed Certificate
3592								// Timestamp (SCT) log to check for a certificate
3593								// timestamp. Default is false. Set to true if this was opted out
3594								// during signing.
3595								"ignoreSCT"?: bool
3596
3597								// PubKey, if set, is used to validate SCTs against a custom
3598								// source.
3599								"pubkey"?: string
3600
3601								// TSACertChain, if set, is the PEM-encoded certificate chain file
3602								// for the RFC3161 timestamp authority. Must
3603								// contain the root CA certificate. Optionally may contain
3604								// intermediate CA certificates, and
3605								// may contain the leaf TSA certificate if not present in the
3606								// timestamp.
3607								"tsaCertChain"?: string
3608							}
3609
3610							// Issuer is the certificate issuer used for keyless signing.
3611							"issuer"?: string
3612
3613							// IssuerRegExp is the regular expression to match certificate
3614							// issuer used for keyless signing.
3615							"issuerRegExp"?: string
3616
3617							// Rekor provides configuration for the Rekor transparency log
3618							// service. If an empty object
3619							// is provided the public instance of Rekor
3620							// (https://rekor.sigstore.dev) is used.
3621							"rekor"?: {
3622								// IgnoreTlog skips transparency log verification.
3623								"ignoreTlog"?: bool
3624
3625								// RekorPubKey is an optional PEM-encoded public key to use for a
3626								// custom Rekor.
3627								// If set, this will be used to validate transparency log
3628								// signatures from a custom Rekor.
3629								"pubkey"?: string
3630
3631								// URL is the address of the transparency log. Defaults to the
3632								// public Rekor log instance https://rekor.sigstore.dev.
3633								"url"?: string
3634							}
3635
3636							// Roots is an optional set of PEM encoded trusted root
3637							// certificates.
3638							// If not provided, the system roots are used.
3639							"roots"?: string
3640
3641							// Subject is the verified identity used for keyless signing, for
3642							// example the email address.
3643							"subject"?: string
3644
3645							// SubjectRegExp is the regular expression to match identity used
3646							// for keyless signing, for example the email address.
3647							"subjectRegExp"?: string
3648						}
3649
3650						// Keys specifies one or more public keys.
3651						"keys"?: {
3652							// CTLog (certificate timestamp log) provides a configuration for
3653							// validation of Signed Certificate
3654							// Timestamps (SCTs). If the value is unset, the default behavior
3655							// by Cosign is used.
3656							"ctlog"?: {
3657								// IgnoreSCT defines whether to use the Signed Certificate
3658								// Timestamp (SCT) log to check for a certificate
3659								// timestamp. Default is false. Set to true if this was opted out
3660								// during signing.
3661								"ignoreSCT"?: bool
3662
3663								// PubKey, if set, is used to validate SCTs against a custom
3664								// source.
3665								"pubkey"?: string
3666
3667								// TSACertChain, if set, is the PEM-encoded certificate chain file
3668								// for the RFC3161 timestamp authority. Must
3669								// contain the root CA certificate. Optionally may contain
3670								// intermediate CA certificates, and
3671								// may contain the leaf TSA certificate if not present in the
3672								// timestamp.
3673								"tsaCertChain"?: string
3674							}
3675
3676							// KMS provides the URI to the public key stored in a Key
3677							// Management System. See:
3678							// https://github.com/sigstore/cosign/blob/main/KMS.md
3679							"kms"?: string
3680
3681							// Keys is a set of X.509 public keys used to verify image
3682							// signatures. The keys can be directly
3683							// specified or can be a variable reference to a key specified in
3684							// a ConfigMap (see
3685							// https://kyverno.io/docs/writing-policies/variables/), or
3686							// reference a standard Kubernetes Secret
3687							// elsewhere in the cluster by specifying it in the format
3688							// "k8s://<namespace>/<secret_name>".
3689							// The named Secret must specify a key `cosign.pub` containing the
3690							// public key used for
3691							// verification (see
3692							// https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
3693							// When multiple keys are specified each key is processed as a
3694							// separate staticKey entry
3695							// (.attestors[*].entries.keys) within the set of attestors and
3696							// the count is applied across the keys.
3697							"publicKeys"?: string
3698
3699							// Rekor provides configuration for the Rekor transparency log
3700							// service. If an empty object
3701							// is provided the public instance of Rekor
3702							// (https://rekor.sigstore.dev) is used.
3703							"rekor"?: {
3704								// IgnoreTlog skips transparency log verification.
3705								"ignoreTlog"?: bool
3706
3707								// RekorPubKey is an optional PEM-encoded public key to use for a
3708								// custom Rekor.
3709								// If set, this will be used to validate transparency log
3710								// signatures from a custom Rekor.
3711								"pubkey"?: string
3712
3713								// URL is the address of the transparency log. Defaults to the
3714								// public Rekor log instance https://rekor.sigstore.dev.
3715								"url"?: string
3716							}
3717
3718							// Reference to a Secret resource that contains a public key
3719							"secret"?: {
3720								// Name of the secret. The provided secret must contain a key
3721								// named cosign.pub.
3722								"name"!: string
3723
3724								// Namespace name where the Secret exists.
3725								"namespace"!: string
3726							}
3727
3728							// Deprecated. Use attestor.signatureAlgorithm instead.
3729							"signatureAlgorithm"?: string
3730						}
3731
3732						// Repository is an optional alternate OCI repository to use for
3733						// signatures and attestations that match this rule.
3734						// If specified Repository will override other OCI image
3735						// repository locations for this Attestor.
3736						"repository"?: string
3737
3738						// Specify signature algorithm for public keys. Supported values
3739						// are sha224, sha256, sha384 and sha512.
3740						"signatureAlgorithm"?: string
3741					}]
3742				}]
3743
3744				// Allowed values are Audit or Enforce.
3745				"failureAction"?: "Audit" | "Enforce"
3746
3747				// ImageReferences is a list of matching image reference patterns.
3748				// At least one pattern in the
3749				// list must match the image for the rule to apply. Each image
3750				// reference consists of a registry
3751				// address (defaults to docker.io), repository, image, and tag
3752				// (defaults to latest).
3753				// Wildcards ('*' and '?') are allowed. See:
3754				// https://kubernetes.io/docs/concepts/containers/images.
3755				"imageReferences"?: [...string]
3756
3757				// ImageRegistryCredentials provides credentials that will be used
3758				// for authentication with registry
3759				"imageRegistryCredentials"?: {
3760					// AllowInsecureRegistry allows insecure access to a registry.
3761					"allowInsecureRegistry"?: bool
3762
3763					// Providers specifies a list of OCI Registry names, whose
3764					// authentication providers are provided.
3765					// It can be of one of these values:
3766					// default,google,azure,amazon,github.
3767					"providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
3768
3769					// Secrets specifies a list of secrets that are provided for
3770					// credentials.
3771					// Secrets must live in the Kyverno namespace.
3772					"secrets"?: [...string]
3773				}
3774
3775				// MutateDigest enables replacement of image tags with digests.
3776				// Defaults to true.
3777				"mutateDigest"?: bool
3778
3779				// Repository is an optional alternate OCI repository to use for
3780				// image signatures and attestations that match this rule.
3781				// If specified Repository will override the default OCI image
3782				// repository configured for the installation.
3783				// The repository can also be overridden per Attestor or
3784				// Attestation.
3785				"repository"?: string
3786
3787				// Required validates that images are verified, i.e. have passed
3788				// a signature or attestation check.
3789				"required"?: bool
3790
3791				// SkipImageReferences is a list of matching image reference
3792				// patterns that should be skipped.
3793				// At least one pattern in the list must match the image for the
3794				// rule to be skipped. Each image reference
3795				// consists of a registry address (defaults to docker.io),
3796				// repository, image, and tag (defaults to latest).
3797				// Wildcards ('*' and '?') are allowed. See:
3798				// https://kubernetes.io/docs/concepts/containers/images.
3799				"skipImageReferences"?: [...string]
3800
3801				// Type specifies the method of signature validation. The allowed
3802				// options are Cosign, SigstoreBundle, and Notary. By default
3803				// Cosign is used if a type is
3804				// not specified.
3805				"type"?: "Cosign" | "SigstoreBundle" | "Notary"
3806
3807				// UseCache enables caching of image verify responses for this
3808				// rule
3809				"useCache"?: bool
3810
3811				// Validation checks conditions across multiple image
3812				// verification attestations or context entries
3813				"validate"?: {
3814					// Deny defines conditions used to pass or fail a validation rule.
3815					"deny"?: {
3816						// Multiple conditions can be declared under an `any` or `all`
3817						// statement. A direct list
3818						// of conditions (without `any` or `all` statements) is also
3819						// supported for backwards compatibility
3820						// but will be deprecated in the next major release.
3821						// See:
3822						// https://kyverno.io/docs/writing-policies/validate/#deny-rules
3823						"conditions"?: null | bool | number | string | [...] | {
3824							...
3825						}
3826					}
3827
3828					// Message specifies a custom message to be displayed on failure.
3829					"message"?: string
3830				}
3831
3832				// VerifyDigest validates that images have a digest.
3833				"verifyDigest"?: bool
3834			}]
3835		}]
3836
3837		// Deprecated.
3838		"schemaValidation"?: bool
3839
3840		// UseServerSideApply controls whether to use server-side apply
3841		// for generate rules
3842		// If set to "true", create and update for generate rules will use
3843		// apply instead of create/update.
3844		// Defaults to "false" if not specified.
3845		"useServerSideApply"?: bool
3846
3847		// Deprecated, use validationFailureAction under the validate rule
3848		// instead.
3849		"validationFailureAction"?: "audit" | "enforce" | "Audit" | "Enforce"
3850
		// Deprecated, use validationFailureActionOverrides under the
		// validate rule instead.
		"validationFailureActionOverrides"?: [...{
			// ValidationFailureAction defines the policy validation failure
			// action. Both the lowercase and capitalised spellings are
			// accepted by this schema.
			"action"?: "audit" | "enforce" | "Audit" | "Enforce"

			// A label selector is a label query over a set of resources. The
			// result of matchLabels and
			// matchExpressions are ANDed. An empty label selector matches all
			// objects. A null
			// label selector matches no objects.
			"namespaceSelector"?: {
				// matchExpressions is a list of label selector requirements. The
				// requirements are ANDed.
				"matchExpressions"?: [...{
					// key is the label key that the selector applies to.
					"key"!: string

					// operator represents a key's relationship to a set of values.
					// Valid operators are In, NotIn, Exists and DoesNotExist.
					// (This schema accepts any string here; the list above is not
					// enforced.)
					"operator"!: string

					// values is an array of string values. If the operator is In or
					// NotIn,
					// the values array must be non-empty. If the operator is Exists
					// or DoesNotExist,
					// the values array must be empty. This array is replaced during a
					// strategic
					// merge patch.
					"values"?: [...string]
				}]

				// matchLabels is a map of {key,value} pairs. A single {key,value}
				// in the matchLabels
				// map is equivalent to an element of matchExpressions, whose key
				// field is "key", the
				// operator is "In", and the values array contains only "value".
				// The requirements are ANDed.
				"matchLabels"?: {
					[string]: string
				}
			}

			// Namespaces is not documented in the source CRD; presumably the
			// namespace names this override applies to, used alongside
			// namespaceSelector — verify against the Kyverno docs.
			"namespaces"?: [...string]
		}]
3896
		// WebhookConfiguration specifies the custom configuration for
		// Kubernetes admission webhookconfiguration.
		"webhookConfiguration"?: {
			// FailurePolicy defines how unexpected policy errors and webhook
			// response timeout errors are handled.
			// Rules within the same policy share the same failure behavior.
			// This field should not be accessed directly, instead
			// `GetFailurePolicy()` should be used.
			// Allowed values are Ignore or Fail. Defaults to Fail.
			// NOTE(review): Ignore is fail-open — the request is admitted when
			// the webhook errors or times out — so a policy that enforces a
			// security control should keep the default Fail.
			"failurePolicy"?: "Ignore" | "Fail"

			// MatchCondition configures admission webhook matchConditions.
			// Requires Kubernetes 1.27 or later.
			// NOTE(review): as with Kubernetes webhook matchConditions, a
			// condition that evaluates false is expected to skip the webhook
			// for that request, so an over-broad expression silently disables
			// the policy — confirm against the Kyverno docs.
			"matchConditions"?: [...{
				// Expression represents the expression which will be evaluated by
				// CEL. Must evaluate to bool.
				// CEL expressions have access to the contents of the
				// AdmissionRequest and Authorizer, organized into CEL variables:
				//
				// 'object' - The object from the incoming request. The value is
				// null for DELETE requests.
				// 'oldObject' - The existing object. The value is null for CREATE
				// requests.
				// 'request' - Attributes of the admission
				// request(/pkg/apis/admission/types.go#AdmissionRequest).
				// 'authorizer' - A CEL Authorizer. May be used to perform
				// authorization checks for the principal (user or service
				// account) of the request.
				// See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
				// 'authorizer.requestResource' - A CEL ResourceCheck constructed
				// from the 'authorizer' and configured with the
				// request resource.
				// Documentation on CEL:
				// https://kubernetes.io/docs/reference/using-api/cel/
				//
				// Required.
				"expression"!: string

				// Name is an identifier for this match condition, used for
				// strategic merging of MatchConditions,
				// as well as providing an identifier for logging purposes. A good
				// name should be descriptive of
				// the associated expression.
				// Name must be a qualified name consisting of alphanumeric
				// characters, '-', '_' or '.', and
				// must start and end with an alphanumeric character (e.g.
				// 'MyName', or 'my.name', or
				// '123-abc', regex used for validation is
				// '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
				// optional DNS subdomain prefix and '/' (e.g.
				// 'example.com/MyName')
				// (The regex is documentation only; this schema types the field
				// as a plain string.)
				//
				// Required.
				"name"!: string
			}]

			// TimeoutSeconds specifies the maximum time in seconds allowed to
			// apply this policy.
			// After the configured time expires, the admission request may
			// fail, or may simply ignore the policy results,
			// based on the failure policy. The default timeout is 10s, the
			// value must be between 1 and 30 seconds.
			// NOTE(review): the 1–30 range is documentation only; this schema
			// constrains the field to int32 and does not enforce the bounds.
			"timeoutSeconds"?: int32 & int
		}
3961
		// Deprecated, use webhookTimeoutSeconds under
		// webhookConfiguration instead.
		// NOTE(review): the replacement field under webhookConfiguration in
		// this schema is named timeoutSeconds, not webhookTimeoutSeconds.
		// As there, only the int32 type is enforced; no range check applies.
		"webhookTimeoutSeconds"?: int32 & int
3965	}
3966
3967	// Status contains policy runtime data.
3968	"status"?: {
3969		// AutogenStatus contains autogen status information.
3970		"autogen"?: {
3971			// Rules is a list of Rule instances. It contains auto generated
3972			// rules added for pod controllers
3973			"rules"?: [...{
				// CELPreconditions are used to determine if a policy rule should
				// be applied by evaluating a
				// set of CEL conditions. It can only be used with the
				// validate.cel subrule
				// Each entry has the same shape (expression, name) as
				// webhookConfiguration.matchConditions.
				"celPreconditions"?: [...{
					// Expression represents the expression which will be evaluated by
					// CEL. Must evaluate to bool.
					// CEL expressions have access to the contents of the
					// AdmissionRequest and Authorizer, organized into CEL variables:
					//
					// 'object' - The object from the incoming request. The value is
					// null for DELETE requests.
					// 'oldObject' - The existing object. The value is null for CREATE
					// requests.
					// 'request' - Attributes of the admission
					// request(/pkg/apis/admission/types.go#AdmissionRequest).
					// 'authorizer' - A CEL Authorizer. May be used to perform
					// authorization checks for the principal (user or service
					// account) of the request.
					// See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
					// 'authorizer.requestResource' - A CEL ResourceCheck constructed
					// from the 'authorizer' and configured with the
					// request resource.
					// Documentation on CEL:
					// https://kubernetes.io/docs/reference/using-api/cel/
					//
					// Required.
					"expression"!: string

					// Name is an identifier for this match condition, used for
					// strategic merging of MatchConditions,
					// as well as providing an identifier for logging purposes. A good
					// name should be descriptive of
					// the associated expression.
					// Name must be a qualified name consisting of alphanumeric
					// characters, '-', '_' or '.', and
					// must start and end with an alphanumeric character (e.g.
					// 'MyName', or 'my.name', or
					// '123-abc', regex used for validation is
					// '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
					// optional DNS subdomain prefix and '/' (e.g.
					// 'example.com/MyName')
					// (The regex is documentation only; this schema types the field
					// as a plain string.)
					//
					// Required.
					"name"!: string
				}]
4020
				// Context defines variables and data sources that can be used
				// during rule execution.
				// Each entry must carry exactly one of configMap, apiCall,
				// imageRegistry, variable or globalReference (the matchN(1, …)
				// guard) together with the name the result is bound to.
				"context"?: [...matchN(1, [{
					"configMap"!: _
				}, {
					"apiCall"!: _
				}, {
					"imageRegistry"!: _
				}, {
					"variable"!: _
				}, {
					"globalReference"!: _
				}]) & {
					// APICall is an HTTP request to the Kubernetes API server, or
					// other JSON web service.
					// The data returned is stored in the context with the name for
					// the context entry.
					// NOTE(review): the request is presumably made by the policy
					// engine with its own credentials, not by the admission
					// requester; the right to author policies therefore bounds what
					// can be fetched through this entry — confirm against the docs.
					"apiCall"?: {
						// The data object specifies the POST data sent to the server.
						// Only applicable when the method field is set to POST.
						"data"?: [...{
							// Key is a unique identifier for the data value
							"key"!: string

							// Value is the data value
							"value"!: null | bool | number | string | [...] | {
								...
							}
						}]

						// Default is an optional arbitrary JSON object that the context
						// value is set to, if the apiCall returns error.
						"default"?: null | bool | number | string | [...] | {
							...
						}

						// JMESPath is an optional JSON Match Expression that can be used
						// to
						// transform the JSON response returned from the server. For
						// example
						// a JMESPath of "items | length(@)" applied to the API server
						// response
						// for the URLPath "/apis/apps/v1/deployments" will return the
						// total count
						// of deployments across all namespaces.
						"jmesPath"?: string

						// Method is the HTTP request type (GET or POST). Defaults to GET.
						"method"?: "GET" | "POST"

						// Service is an API call to a JSON web service.
						// This is used for non-Kubernetes API server calls.
						// It's mutually exclusive with the URLPath field.
						// (The exclusivity is documentation only; this schema does not
						// reject an apiCall that sets both service and urlPath.)
						"service"?: {
							// CABundle is a PEM encoded CA bundle which will be used to
							// validate
							// the server certificate.
							// NOTE(review): this schema does not say which trust store is
							// used when caBundle is omitted — confirm before relying on
							// the omitted form for TLS validation.
							"caBundle"?: string

							// Headers is a list of optional HTTP headers to be included in
							// the request.
							// Header values are plain strings stored in the policy object,
							// so any credential placed here is readable by anyone who can
							// read the policy.
							"headers"?: [...{
								// Key is the header key
								"key"!: string

								// Value is the header value
								"value"!: string
							}]

							// URL is the JSON web service URL. A typical form is
							// `https://{service}.{namespace}:{port}/{path}`.
							// The schema places no restriction on the host; reviewers of a
							// policy should check where it sends requests.
							"url"!: string
						}

						// URLPath is the URL path to be used in the HTTP GET or POST
						// request to the
						// Kubernetes API server (e.g. "/api/v1/namespaces" or
						// "/apis/apps/v1/deployments").
						// The format required is the same format used by the `kubectl get
						// --raw` command.
						// See
						// https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
						// for details.
						// It's mutually exclusive with the Service field.
						"urlPath"?: string
					}

					// ConfigMap is the ConfigMap reference.
					"configMap"?: {
						// Name is the ConfigMap name.
						"name"!: string

						// Namespace is the ConfigMap namespace.
						"namespace"?: string
					}

					// GlobalContextEntryReference is a reference to a cached global
					// context entry.
					"globalReference"?: {
						// JMESPath is an optional JSON Match Expression that can be used
						// to
						// transform the JSON response returned from the server. For
						// example
						// a JMESPath of "items | length(@)" applied to the API server
						// response
						// for the URLPath "/apis/apps/v1/deployments" will return the
						// total count
						// of deployments across all namespaces.
						"jmesPath"?: string

						// Name of the global context entry
						"name"!: string
					}

					// ImageRegistry defines requests to an OCI/Docker V2 registry to
					// fetch image
					// details.
					"imageRegistry"?: {
						// ImageRegistryCredentials provides credentials that will be used
						// for authentication with registry
						"imageRegistryCredentials"?: {
							// AllowInsecureRegistry allows insecure access to a registry.
							// NOTE(review): the schema does not say whether "insecure"
							// means plain HTTP, skipped certificate verification, or both;
							// treat it as disabling transport protection for that registry.
							"allowInsecureRegistry"?: bool

							// Providers specifies a list of OCI Registry names, whose
							// authentication providers are provided.
							// It can be of one of these values:
							// default,google,azure,amazon,github.
							"providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]

							// Secrets specifies a list of secrets that are provided for
							// credentials.
							// Secrets must live in the Kyverno namespace.
							"secrets"?: [...string]
						}

						// JMESPath is an optional JSON Match Expression that can be used
						// to
						// transform the ImageData struct returned as a result of
						// processing
						// the image reference.
						"jmesPath"?: string

						// Reference is image reference to a container image in the
						// registry.
						// Example: ghcr.io/kyverno/kyverno:latest
						"reference"!: string
					}

					// Name is the variable name.
					"name"!: string

					// Variable defines an arbitrary JMESPath context variable that
					// can be defined inline.
					"variable"?: {
						// Default is an optional arbitrary JSON object that the variable
						// may take if the JMESPath
						// expression evaluates to nil
						"default"?: null | bool | number | string | [...] | {
							...
						}

						// JMESPath is an optional JMESPath Expression that can be used to
						// transform the variable.
						"jmesPath"?: string

						// Value is any arbitrary JSON object representable in YAML or
						// JSON form.
						"value"?: null | bool | number | string | [...] | {
							...
						}
					}
				}]
4194
4195				// ExcludeResources defines when this policy rule should not be
4196				// applied. The exclude
4197				// criteria can include resource information (e.g. kind, name,
4198				// namespace, labels)
4199				// and admission review request information like the name or role.
4200				"exclude"?: matchN(0, [null | bool | number | string | [...] | {
4201					"any"!: _
4202					"all"!: _
4203				}]) & {
4204					// All allows specifying resources which will be ANDed
4205					"all"?: [...{
4206						// ClusterRoles is the list of cluster-wide role names for the
4207						// user.
4208						"clusterRoles"?: [...string]
4209
4210						// ResourceDescription contains information about the resource
4211						// being created or modified.
4212						"resources"?: matchN(0, [null | bool | number | string | [...] | {
4213							"name"!:  _
4214							"names"!: _
4215						}]) & {
4216							// Annotations is a map of annotations (key-value pairs of type
4217							// string). Annotation keys
4218							// and values support the wildcard characters "*" (matches zero or
4219							// many characters) and
4220							// "?" (matches at least one character).
4221							"annotations"?: [string]: string
4222
4223							// Kinds is a list of resource kinds.
4224							"kinds"?: [...string]
4225
4226							// Name is the name of the resource. The name supports wildcard
4227							// characters
4228							// "*" (matches zero or many characters) and "?" (at least one
4229							// character).
4230							// NOTE: "Name" is being deprecated in favor of "Names".
4231							"name"?: string
4232
4233							// Names are the names of the resources. Each name supports
4234							// wildcard characters
4235							// "*" (matches zero or many characters) and "?" (at least one
4236							// character).
4237							"names"?: [...string]
4238
4239							// NamespaceSelector is a label selector for the resource
4240							// namespace. Label keys and values
4241							// in `matchLabels` support the wildcard characters `*` (matches
4242							// zero or many characters)
4243							// and `?` (matches one character).Wildcards allows writing label
4244							// selectors like
4245							// ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
4246							// any key and value but
4247							// does not match an empty label set.
4248							"namespaceSelector"?: {
4249								// matchExpressions is a list of label selector requirements. The
4250								// requirements are ANDed.
4251								"matchExpressions"?: [...{
4252									// key is the label key that the selector applies to.
4253									"key"!: string
4254
4255									// operator represents a key's relationship to a set of values.
4256									// Valid operators are In, NotIn, Exists and DoesNotExist.
4257									"operator"!: string
4258
4259									// values is an array of string values. If the operator is In or
4260									// NotIn,
4261									// the values array must be non-empty. If the operator is Exists
4262									// or DoesNotExist,
4263									// the values array must be empty. This array is replaced during a
4264									// strategic
4265									// merge patch.
4266									"values"?: [...string]
4267								}]
4268
4269								// matchLabels is a map of {key,value} pairs. A single {key,value}
4270								// in the matchLabels
4271								// map is equivalent to an element of matchExpressions, whose key
4272								// field is "key", the
4273								// operator is "In", and the values array contains only "value".
4274								// The requirements are ANDed.
4275								"matchLabels"?: {
4276									[string]: string
4277								}
4278							}
4279
4280							// Namespaces is a list of namespaces names. Each name supports
4281							// wildcard characters
4282							// "*" (matches zero or many characters) and "?" (at least one
4283							// character).
4284							"namespaces"?: [...string]
4285
4286							// Operations can contain values ["CREATE, "UPDATE", "CONNECT",
4287							// "DELETE"], which are used to match a specific action.
4288							"operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
4289
4290							// Selector is a label selector. Label keys and values in
4291							// `matchLabels` support the wildcard
4292							// characters `*` (matches zero or many characters) and `?`
4293							// (matches one character).
4294							// Wildcards allows writing label selectors like
4295							// ["storage.k8s.io/*": "*"]. Note that
4296							// using ["*" : "*"] matches any key and value but does not match
4297							// an empty label set.
4298							"selector"?: {
4299								// matchExpressions is a list of label selector requirements. The
4300								// requirements are ANDed.
4301								"matchExpressions"?: [...{
4302									// key is the label key that the selector applies to.
4303									"key"!: string
4304
4305									// operator represents a key's relationship to a set of values.
4306									// Valid operators are In, NotIn, Exists and DoesNotExist.
4307									"operator"!: string
4308
4309									// values is an array of string values. If the operator is In or
4310									// NotIn,
4311									// the values array must be non-empty. If the operator is Exists
4312									// or DoesNotExist,
4313									// the values array must be empty. This array is replaced during a
4314									// strategic
4315									// merge patch.
4316									"values"?: [...string]
4317								}]
4318
4319								// matchLabels is a map of {key,value} pairs. A single {key,value}
4320								// in the matchLabels
4321								// map is equivalent to an element of matchExpressions, whose key
4322								// field is "key", the
4323								// operator is "In", and the values array contains only "value".
4324								// The requirements are ANDed.
4325								"matchLabels"?: {
4326									[string]: string
4327								}
4328							}
4329						}
4330
4331						// Roles is the list of namespaced role names for the user.
4332						"roles"?: [...string]
4333
4334						// Subjects is the list of subject names like users, user groups,
4335						// and service accounts.
4336						"subjects"?: [...{
4337							// APIGroup holds the API group of the referenced subject.
4338							// Defaults to "" for ServiceAccount subjects.
4339							// Defaults to "rbac.authorization.k8s.io" for User and Group
4340							// subjects.
4341							"apiGroup"?: string
4342
4343							// Kind of object being referenced. Values defined by this API
4344							// group are "User", "Group", and "ServiceAccount".
4345							// If the Authorizer does not recognized the kind value, the
4346							// Authorizer should report an error.
4347							"kind"!: string
4348
4349							// Name of the object being referenced.
4350							"name"!: string
4351
4352							// Namespace of the referenced object. If the object kind is
4353							// non-namespace, such as "User" or "Group", and this value is
4354							// not empty
4355							// the Authorizer should report an error.
4356							"namespace"?: string
4357						}]
4358					}]
4359
4360					// Any allows specifying resources which will be ORed
4361					"any"?: [...{
4362						// ClusterRoles is the list of cluster-wide role names for the
4363						// user.
4364						"clusterRoles"?: [...string]
4365
4366						// ResourceDescription contains information about the resource
4367						// being created or modified.
4368						"resources"?: matchN(0, [null | bool | number | string | [...] | {
4369							"name"!:  _
4370							"names"!: _
4371						}]) & {
4372							// Annotations is a map of annotations (key-value pairs of type
4373							// string). Annotation keys
4374							// and values support the wildcard characters "*" (matches zero or
4375							// many characters) and
4376							// "?" (matches at least one character).
4377							"annotations"?: [string]: string
4378
4379							// Kinds is a list of resource kinds.
4380							"kinds"?: [...string]
4381
4382							// Name is the name of the resource. The name supports wildcard
4383							// characters
4384							// "*" (matches zero or many characters) and "?" (at least one
4385							// character).
4386							// NOTE: "Name" is being deprecated in favor of "Names".
4387							"name"?: string
4388
4389							// Names are the names of the resources. Each name supports
4390							// wildcard characters
4391							// "*" (matches zero or many characters) and "?" (at least one
4392							// character).
4393							"names"?: [...string]
4394
4395							// NamespaceSelector is a label selector for the resource
4396							// namespace. Label keys and values
4397							// in `matchLabels` support the wildcard characters `*` (matches
4398							// zero or many characters)
4399							// and `?` (matches one character).Wildcards allows writing label
4400							// selectors like
4401							// ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
4402							// any key and value but
4403							// does not match an empty label set.
4404							"namespaceSelector"?: {
4405								// matchExpressions is a list of label selector requirements. The
4406								// requirements are ANDed.
4407								"matchExpressions"?: [...{
4408									// key is the label key that the selector applies to.
4409									"key"!: string
4410
4411									// operator represents a key's relationship to a set of values.
4412									// Valid operators are In, NotIn, Exists and DoesNotExist.
4413									"operator"!: string
4414
4415									// values is an array of string values. If the operator is In or
4416									// NotIn,
4417									// the values array must be non-empty. If the operator is Exists
4418									// or DoesNotExist,
4419									// the values array must be empty. This array is replaced during a
4420									// strategic
4421									// merge patch.
4422									"values"?: [...string]
4423								}]
4424
4425								// matchLabels is a map of {key,value} pairs. A single {key,value}
4426								// in the matchLabels
4427								// map is equivalent to an element of matchExpressions, whose key
4428								// field is "key", the
4429								// operator is "In", and the values array contains only "value".
4430								// The requirements are ANDed.
4431								"matchLabels"?: {
4432									[string]: string
4433								}
4434							}
4435
4436							// Namespaces is a list of namespaces names. Each name supports
4437							// wildcard characters
4438							// "*" (matches zero or many characters) and "?" (at least one
4439							// character).
4440							"namespaces"?: [...string]
4441
4442							// Operations can contain values ["CREATE, "UPDATE", "CONNECT",
4443							// "DELETE"], which are used to match a specific action.
4444							"operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
4445
4446							// Selector is a label selector. Label keys and values in
4447							// `matchLabels` support the wildcard
4448							// characters `*` (matches zero or many characters) and `?`
4449							// (matches one character).
4450							// Wildcards allows writing label selectors like
4451							// ["storage.k8s.io/*": "*"]. Note that
4452							// using ["*" : "*"] matches any key and value but does not match
4453							// an empty label set.
4454							"selector"?: {
4455								// matchExpressions is a list of label selector requirements. The
4456								// requirements are ANDed.
4457								"matchExpressions"?: [...{
4458									// key is the label key that the selector applies to.
4459									"key"!: string
4460
4461									// operator represents a key's relationship to a set of values.
4462									// Valid operators are In, NotIn, Exists and DoesNotExist.
4463									"operator"!: string
4464
4465									// values is an array of string values. If the operator is In or
4466									// NotIn,
4467									// the values array must be non-empty. If the operator is Exists
4468									// or DoesNotExist,
4469									// the values array must be empty. This array is replaced during a
4470									// strategic
4471									// merge patch.
4472									"values"?: [...string]
4473								}]
4474
4475								// matchLabels is a map of {key,value} pairs. A single {key,value}
4476								// in the matchLabels
4477								// map is equivalent to an element of matchExpressions, whose key
4478								// field is "key", the
4479								// operator is "In", and the values array contains only "value".
4480								// The requirements are ANDed.
4481								"matchLabels"?: {
4482									[string]: string
4483								}
4484							}
4485						}
4486
4487						// Roles is the list of namespaced role names for the user.
4488						"roles"?: [...string]
4489
4490						// Subjects is the list of subject names like users, user groups,
4491						// and service accounts.
4492						"subjects"?: [...{
4493							// APIGroup holds the API group of the referenced subject.
4494							// Defaults to "" for ServiceAccount subjects.
4495							// Defaults to "rbac.authorization.k8s.io" for User and Group
4496							// subjects.
4497							"apiGroup"?: string
4498
4499							// Kind of object being referenced. Values defined by this API
4500							// group are "User", "Group", and "ServiceAccount".
4501							// If the Authorizer does not recognized the kind value, the
4502							// Authorizer should report an error.
4503							"kind"!: string
4504
4505							// Name of the object being referenced.
4506							"name"!: string
4507
4508							// Namespace of the referenced object. If the object kind is
4509							// non-namespace, such as "User" or "Group", and this value is
4510							// not empty
4511							// the Authorizer should report an error.
4512							"namespace"?: string
4513						}]
4514					}]
4515
4516					// ClusterRoles is the list of cluster-wide role names for the
4517					// user.
4518					"clusterRoles"?: [...string]
4519
4520					// ResourceDescription contains information about the resource
4521					// being created or modified.
4522					// Requires at least one tag to be specified when under
4523					// MatchResources.
4524					// Specifying ResourceDescription directly under match is being
4525					// deprecated.
4526					// Please specify under "any" or "all" instead.
4527					"resources"?: matchN(0, [null | bool | number | string | [...] | {
4528						"name"!:  _
4529						"names"!: _
4530					}]) & {
4531						// Annotations is a map of annotations (key-value pairs of type
4532						// string). Annotation keys
4533						// and values support the wildcard characters "*" (matches zero or
4534						// many characters) and
4535						// "?" (matches at least one character).
4536						"annotations"?: [string]: string
4537
4538						// Kinds is a list of resource kinds.
4539						"kinds"?: [...string]
4540
4541						// Name is the name of the resource. The name supports wildcard
4542						// characters
4543						// "*" (matches zero or many characters) and "?" (at least one
4544						// character).
4545						// NOTE: "Name" is being deprecated in favor of "Names".
4546						"name"?: string
4547
4548						// Names are the names of the resources. Each name supports
4549						// wildcard characters
4550						// "*" (matches zero or many characters) and "?" (at least one
4551						// character).
4552						"names"?: [...string]
4553
4554						// NamespaceSelector is a label selector for the resource
4555						// namespace. Label keys and values
4556						// in `matchLabels` support the wildcard characters `*` (matches
4557						// zero or many characters)
4558						// and `?` (matches one character).Wildcards allows writing label
4559						// selectors like
4560						// ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
4561						// any key and value but
4562						// does not match an empty label set.
4563						"namespaceSelector"?: {
4564							// matchExpressions is a list of label selector requirements. The
4565							// requirements are ANDed.
4566							"matchExpressions"?: [...{
4567								// key is the label key that the selector applies to.
4568								"key"!: string
4569
4570								// operator represents a key's relationship to a set of values.
4571								// Valid operators are In, NotIn, Exists and DoesNotExist.
4572								"operator"!: string
4573
4574								// values is an array of string values. If the operator is In or
4575								// NotIn,
4576								// the values array must be non-empty. If the operator is Exists
4577								// or DoesNotExist,
4578								// the values array must be empty. This array is replaced during a
4579								// strategic
4580								// merge patch.
4581								"values"?: [...string]
4582							}]
4583
4584							// matchLabels is a map of {key,value} pairs. A single {key,value}
4585							// in the matchLabels
4586							// map is equivalent to an element of matchExpressions, whose key
4587							// field is "key", the
4588							// operator is "In", and the values array contains only "value".
4589							// The requirements are ANDed.
4590							"matchLabels"?: {
4591								[string]: string
4592							}
4593						}
4594
4595						// Namespaces is a list of namespaces names. Each name supports
4596						// wildcard characters
4597						// "*" (matches zero or many characters) and "?" (at least one
4598						// character).
4599						"namespaces"?: [...string]
4600
4601						// Operations can contain values ["CREATE, "UPDATE", "CONNECT",
4602						// "DELETE"], which are used to match a specific action.
4603						"operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
4604
4605						// Selector is a label selector. Label keys and values in
4606						// `matchLabels` support the wildcard
4607						// characters `*` (matches zero or many characters) and `?`
4608						// (matches one character).
4609						// Wildcards allows writing label selectors like
4610						// ["storage.k8s.io/*": "*"]. Note that
4611						// using ["*" : "*"] matches any key and value but does not match
4612						// an empty label set.
4613						"selector"?: {
4614							// matchExpressions is a list of label selector requirements. The
4615							// requirements are ANDed.
4616							"matchExpressions"?: [...{
4617								// key is the label key that the selector applies to.
4618								"key"!: string
4619
4620								// operator represents a key's relationship to a set of values.
4621								// Valid operators are In, NotIn, Exists and DoesNotExist.
4622								"operator"!: string
4623
4624								// values is an array of string values. If the operator is In or
4625								// NotIn,
4626								// the values array must be non-empty. If the operator is Exists
4627								// or DoesNotExist,
4628								// the values array must be empty. This array is replaced during a
4629								// strategic
4630								// merge patch.
4631								"values"?: [...string]
4632							}]
4633
4634							// matchLabels is a map of {key,value} pairs. A single {key,value}
4635							// in the matchLabels
4636							// map is equivalent to an element of matchExpressions, whose key
4637							// field is "key", the
4638							// operator is "In", and the values array contains only "value".
4639							// The requirements are ANDed.
4640							"matchLabels"?: {
4641								[string]: string
4642							}
4643						}
4644					}
4645
					// Roles is the list of namespaced role names for the user.
					// NOTE(review): this matches on the requesting user's RBAC roles
					// rather than on the resource; confirm the expected "namespace:role"
					// spelling against the Kyverno docs, since a mis-spelt role silently
					// matches nothing.
					"roles"?: [...string]
4648
4649					// Subjects is the list of subject names like users, user groups,
4650					// and service accounts.
4651					"subjects"?: [...{
4652						// APIGroup holds the API group of the referenced subject.
4653						// Defaults to "" for ServiceAccount subjects.
4654						// Defaults to "rbac.authorization.k8s.io" for User and Group
4655						// subjects.
4656						"apiGroup"?: string
4657
4658						// Kind of object being referenced. Values defined by this API
4659						// group are "User", "Group", and "ServiceAccount".
4660						// If the Authorizer does not recognized the kind value, the
4661						// Authorizer should report an error.
4662						"kind"!: string
4663
4664						// Name of the object being referenced.
4665						"name"!: string
4666
4667						// Namespace of the referenced object. If the object kind is
4668						// non-namespace, such as "User" or "Group", and this value is
4669						// not empty
4670						// the Authorizer should report an error.
4671						"namespace"?: string
4672					}]
4673				}
4674
4675				// Generation is used to create new resources.
4676				"generate"?: {
					// APIVersion specifies resource apiVersion of the generated
					// resource (e.g. "v1"); it pairs with `kind` below.
					"apiVersion"?: string
4679
4680					// Clone specifies the source resource used to populate each
4681					// generated resource.
4682					// At most one of Data or Clone can be specified. If neither are
4683					// provided, the generated
4684					// resource will be created with default data only.
4685					"clone"?: {
4686						// Name specifies name of the resource.
4687						"name"?: string
4688
4689						// Namespace specifies source resource namespace.
4690						"namespace"?: string
4691					}
4692
4693					// CloneList specifies the list of source resource used to
4694					// populate each generated resource.
4695					"cloneList"?: {
4696						// Kinds is a list of resource kinds.
4697						"kinds"?: [...string]
4698
4699						// Namespace specifies source resource namespace.
4700						"namespace"?: string
4701
4702						// Selector is a label selector. Label keys and values in
4703						// `matchLabels`.
4704						// wildcard characters are not supported.
4705						"selector"?: {
4706							// matchExpressions is a list of label selector requirements. The
4707							// requirements are ANDed.
4708							"matchExpressions"?: [...{
4709								// key is the label key that the selector applies to.
4710								"key"!: string
4711
4712								// operator represents a key's relationship to a set of values.
4713								// Valid operators are In, NotIn, Exists and DoesNotExist.
4714								"operator"!: string
4715
4716								// values is an array of string values. If the operator is In or
4717								// NotIn,
4718								// the values array must be non-empty. If the operator is Exists
4719								// or DoesNotExist,
4720								// the values array must be empty. This array is replaced during a
4721								// strategic
4722								// merge patch.
4723								"values"?: [...string]
4724							}]
4725
4726							// matchLabels is a map of {key,value} pairs. A single {key,value}
4727							// in the matchLabels
4728							// map is equivalent to an element of matchExpressions, whose key
4729							// field is "key", the
4730							// operator is "In", and the values array contains only "value".
4731							// The requirements are ANDed.
4732							"matchLabels"?: {
4733								[string]: string
4734							}
4735						}
4736					}
4737
					// Data provides the resource declaration used to populate each
					// generated resource.
					// At most one of Data or Clone must be specified. If neither are
					// provided, the generated
					// resource will be created with default data only.
					// The type is fully open (any JSON value): nothing in this schema
					// checks that the declaration is a well-formed object of the stated
					// kind, nor is the data/clone exclusivity enforced here.
					"data"?: null | bool | number | string | [...] | {
						...
					}
4746
4747					// ForEach applies generate rules to a list of sub-elements by
4748					// creating a context for each entry in the list and looping over
4749					// it to apply the specified logic.
4750					"foreach"?: [...{
						// APIVersion specifies resource apiVersion for the resource
						// generated by this foreach entry.
						"apiVersion"?: string
4753
4754						// Clone specifies the source resource used to populate each
4755						// generated resource.
4756						// At most one of Data or Clone can be specified. If neither are
4757						// provided, the generated
4758						// resource will be created with default data only.
4759						"clone"?: {
4760							// Name specifies name of the resource.
4761							"name"?: string
4762
4763							// Namespace specifies source resource namespace.
4764							"namespace"?: string
4765						}
4766
4767						// CloneList specifies the list of source resource used to
4768						// populate each generated resource.
4769						"cloneList"?: {
4770							// Kinds is a list of resource kinds.
4771							"kinds"?: [...string]
4772
4773							// Namespace specifies source resource namespace.
4774							"namespace"?: string
4775
4776							// Selector is a label selector. Label keys and values in
4777							// `matchLabels`.
4778							// wildcard characters are not supported.
4779							"selector"?: {
4780								// matchExpressions is a list of label selector requirements. The
4781								// requirements are ANDed.
4782								"matchExpressions"?: [...{
4783									// key is the label key that the selector applies to.
4784									"key"!: string
4785
4786									// operator represents a key's relationship to a set of values.
4787									// Valid operators are In, NotIn, Exists and DoesNotExist.
4788									"operator"!: string
4789
4790									// values is an array of string values. If the operator is In or
4791									// NotIn,
4792									// the values array must be non-empty. If the operator is Exists
4793									// or DoesNotExist,
4794									// the values array must be empty. This array is replaced during a
4795									// strategic
4796									// merge patch.
4797									"values"?: [...string]
4798								}]
4799
4800								// matchLabels is a map of {key,value} pairs. A single {key,value}
4801								// in the matchLabels
4802								// map is equivalent to an element of matchExpressions, whose key
4803								// field is "key", the
4804								// operator is "In", and the values array contains only "value".
4805								// The requirements are ANDed.
4806								"matchLabels"?: {
4807									[string]: string
4808								}
4809							}
4810						}
4811
4812						// Context defines variables and data sources that can be used
4813						// during rule execution.
4814						"context"?: [...matchN(1, [{
4815							"configMap"!: _
4816						}, {
4817							"apiCall"!: _
4818						}, {
4819							"imageRegistry"!: _
4820						}, {
4821							"variable"!: _
4822						}, {
4823							"globalReference"!: _
4824						}]) & {
							// APICall is an HTTP request to the Kubernetes API server, or
							// other JSON web service.
							// The data returned is stored in the context with the name for
							// the context entry.
							// Security notes (review):
							// - `urlPath` requests go to the API server, presumably with
							//   Kyverno's own credentials; a policy author can then read
							//   whatever Kyverno's RBAC permits. Restrict who may create or
							//   edit policies accordingly — confirm against the docs.
							// - `service` requests leave the cluster for whatever `url`
							//   names; treat the response as untrusted input.
							// - the comments say `service` and `urlPath` are mutually
							//   exclusive, but this schema does not enforce that.
							"apiCall"?: {
								// The data object specifies the POST data sent to the server.
								// Only applicable when the method field is set to POST.
								"data"?: [...{
									// Key is a unique identifier for the data value
									"key"!: string

									// Value is the data value (any JSON value).
									"value"!: null | bool | number | string | [...] | {
										...
									}
								}]

								// Default is an optional arbitrary JSON object that the context
								// value is set to, if the apiCall returns error.
								// A default turns a failed call into a silent fallback; if a
								// rule's decision depends on this entry, pick a default that
								// fails closed rather than one that makes the rule pass.
								"default"?: null | bool | number | string | [...] | {
									...
								}

								// JMESPath is an optional JSON Match Expression that can be used
								// to
								// transform the JSON response returned from the server. For
								// example
								// a JMESPath of "items | length(@)" applied to the API server
								// response
								// for the URLPath "/apis/apps/v1/deployments" will return the
								// total count
								// of deployments across all namespaces.
								"jmesPath"?: string

								// Method is the HTTP request type (GET or POST). Defaults to GET.
								"method"?: "GET" | "POST"

								// Service is an API call to a JSON web service.
								// This is used for non-Kubernetes API server calls.
								// It's mutually exclusive with the URLPath field.
								"service"?: {
									// CABundle is a PEM encoded CA bundle which will be used to
									// validate
									// the server certificate.
									// Pin the service's CA here; what trust store is used when
									// this is empty is not stated in this schema.
									"caBundle"?: string

									// Headers is a list of optional HTTP headers to be included in
									// the request.
									// Values are stored verbatim in the policy object and are
									// visible to anyone who can read the policy: do not place
									// bearer tokens or API keys here.
									"headers"?: [...{
										// Key is the header key
										"key"!: string

										// Value is the header value
										"value"!: string
									}]

									// URL is the JSON web service URL. A typical form is
									// `https://{service}.{namespace}:{port}/{path}`.
									// The schema accepts any string, including plain http://.
									"url"!: string
								}

								// URLPath is the URL path to be used in the HTTP GET or POST
								// request to the
								// Kubernetes API server (e.g. "/api/v1/namespaces" or
								// "/apis/apps/v1/deployments").
								// The format required is the same format used by the `kubectl get
								// --raw` command.
								// See
								// https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
								// for details.
								// It's mutually exclusive with the Service field.
								"urlPath"?: string
							}
4898
							// ConfigMap is the ConfigMap reference whose data is loaded into
							// the context entry. The read is performed by the controller, so
							// any ConfigMap it is permitted to read can be pulled into a
							// policy this way.
							"configMap"?: {
								// Name is the ConfigMap name.
								"name"!: string

								// Namespace is the ConfigMap namespace. What is assumed when
								// omitted is not stated here — confirm before relying on it.
								"namespace"?: string
							}
4907
							// GlobalContextEntryReference is a reference to a cached global
							// context entry.
							"globalReference"?: {
								// JMESPath is an optional JMESPath expression applied to the
								// cached value of the referenced global context entry before
								// it is stored under `name`. (The original wording below about
								// a server response and URLPath is carried over from apiCall;
								// the example still shows the expression syntax.)
								// For example
								// a JMESPath of "items | length(@)" applied to the API server
								// response
								// for the URLPath "/apis/apps/v1/deployments" will return the
								// total count
								// of deployments across all namespaces.
								"jmesPath"?: string

								// Name of the global context entry
								"name"!: string
							}
4925
							// ImageRegistry defines requests to an OCI/Docker V2 registry to
							// fetch image
							// details.
							"imageRegistry"?: {
								// ImageRegistryCredentials provides credentials that will be used
								// for authentication with registry
								"imageRegistryCredentials"?: {
									// AllowInsecureRegistry allows insecure access to a registry.
									// This weakens transport security for the registry fetch;
									// leave it unset outside of isolated test clusters, since
									// image metadata fetched over an unauthenticated channel can
									// be tampered with on the way.
									"allowInsecureRegistry"?: bool

									// Providers specifies a list of OCI Registry names, whose
									// authentication providers are provided.
									// It can be of one of these values:
									// default,google,azure,amazon,github.
									"providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]

									// Secrets specifies a list of secrets that are provided for
									// credentials.
									// Secrets must live in the Kyverno namespace.
									// Only names are given here, so any Secret in that namespace
									// the controller can read is usable by a policy author.
									"secrets"?: [...string]
								}

								// JMESPath is an optional JSON Match Expression that can be used
								// to
								// transform the ImageData struct returned as a result of
								// processing
								// the image reference.
								"jmesPath"?: string

								// Reference is image reference to a container image in the
								// registry.
								// Example: ghcr.io/kyverno/kyverno:latest
								// A tag reference resolves to whatever the registry serves at
								// evaluation time; prefer a digest when the result must be stable.
								"reference"!: string
							}
4960
							// Name is the variable name under which this entry's result is
							// exposed to the rule. Required for every context entry.
							"name"!: string
4963
							// Variable defines an arbitrary JMESPath context variable that
							// can be defined inline.
							"variable"?: {
								// Default is an optional arbitrary JSON object that the variable
								// may take if the JMESPath
								// expression evaluates to nil
								"default"?: null | bool | number | string | [...] | {
									...
								}

								// JMESPath is an optional JMESPath Expression that can be used to
								// transform the variable.
								"jmesPath"?: string

								// Value is any arbitrary JSON object representable in YAML or
								// JSON form.
								// Note the schema does not require `value` or `jmesPath`; an
								// entry with neither presumably yields nil (then `default`).
								"value"?: null | bool | number | string | [...] | {
									...
								}
							}
4984						}]
4985
						// Data provides the resource declaration used to populate each
						// generated resource.
						// At most one of Data or Clone must be specified. If neither are
						// provided, the generated
						// resource will be created with default data only.
						// Fully open type; the data/clone exclusivity is not enforced by
						// this schema.
						"data"?: null | bool | number | string | [...] | {
							...
						}
4994
						// Kind specifies resource kind of the resource generated by this
						// foreach entry.
						"kind"?: string
4997
						// List specifies a JMESPath expression that results in one or
						// more elements
						// to which the validation logic is applied.
						// (In this generate foreach, "validation logic" presumably means
						// the generate logic of this entry; the wording is shared with the
						// validate foreach.)
						"list"?: string
5002
						// Name specifies the resource name of the generated resource.
						"name"?: string
5005
						// Namespace specifies the target namespace for the generated
						// resource (the clone source namespace is given separately).
						"namespace"?: string
5008
						// AnyAllConditions are used to determine if a policy rule should
						// be applied by evaluating a
						// set of conditions. The declaration can contain nested `any` or
						// `all` statements.
						// See: https://kyverno.io/docs/writing-policies/preconditions/
						// NOTE(review): this struct is open (the trailing `...`), so a
						// mistyped key such as `alll` is accepted silently instead of
						// being rejected; double-check precondition spelling, since a
						// dropped precondition changes when the rule fires.
						"preconditions"?: {
							// AllConditions enable variable-based conditional rule execution.
							// This is useful for
							// finer control of when an rule is applied. A condition can
							// reference object data
							// using JMESPath notation.
							// Here, all of the conditions need to pass
							"all"?: [...{
								// Key is the context entry (using JMESPath) for conditional rule
								// evaluation.
								"key"?: null | bool | number | string | [...] | {
									...
								}

								// Message is an optional display message
								"message"?: string

								// Operator is the conditional operation to perform. Valid
								// operators are:
								// Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
								// GreaterThanOrEquals,
								// GreaterThan, LessThanOrEquals, LessThan,
								// DurationGreaterThanOrEquals, DurationGreaterThan,
								// DurationLessThanOrEquals, DurationLessThan
								"operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"

								// Value is the conditional value, or set of values. The values
								// can be fixed set
								// or can be variables declared using JMESPath.
								"value"?: null | bool | number | string | [...] | {
									...
								}
							}]

							// AnyConditions enable variable-based conditional rule execution.
							// This is useful for
							// finer control of when an rule is applied. A condition can
							// reference object data
							// using JMESPath notation.
							// Here, at least one of the conditions need to pass
							"any"?: [...{
								// Key is the context entry (using JMESPath) for conditional rule
								// evaluation.
								"key"?: null | bool | number | string | [...] | {
									...
								}

								// Message is an optional display message
								"message"?: string

								// Operator is the conditional operation to perform. Valid
								// operators are:
								// Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
								// GreaterThanOrEquals,
								// GreaterThan, LessThanOrEquals, LessThan,
								// DurationGreaterThanOrEquals, DurationGreaterThan,
								// DurationLessThanOrEquals, DurationLessThan
								"operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"

								// Value is the conditional value, or set of values. The values
								// can be fixed set
								// or can be variables declared using JMESPath.
								"value"?: null | bool | number | string | [...] | {
									...
								}
							}]
							// Open struct: unknown keys are allowed through (see note above).
							...
						}
5082
						// UID specifies the resource uid of the generated resource.
						"uid"?: string
5085					}]
5086
					// GenerateExisting controls whether to trigger the rule in
					// existing resources
					// If is set to "true" the rule will be triggered and applied to
					// existing matched resources.
					// Enabling this widens the blast radius from new admissions to every
					// already-present match, so review the match/exclude scope first.
					"generateExisting"?: bool
5092
					// Kind specifies resource kind of the generated resource; pairs with
					// `apiVersion` above.
					"kind"?: string
5095
					// Name specifies the resource name of the generated resource.
					"name"?: string
5098
					// Namespace specifies the target namespace for the generated
					// resource; the clone source namespace is `clone.namespace`.
					"namespace"?: string
5101
					// OrphanDownstreamOnPolicyDelete controls whether generated
					// resources should be deleted when the rule that generated
					// them is deleted with synchronization enabled. This option is
					// only applicable to generate rules of the data type.
					// See
					// https://kyverno.io/docs/writing-policies/generate/#data-examples.
					// Defaults to "false" if not specified, i.e. generated resources are
					// removed along with the rule when synchronize is on.
					"orphanDownstreamOnPolicyDelete"?: bool
5110
					// Synchronize controls if generated resources should be kept
					// in-sync with their source resource.
					// If Synchronize is set to "true" changes to generated resources
					// will be overwritten with resource
					// data from Data or the resource specified in the Clone
					// declaration.
					// Optional. Defaults to "false" if not specified.
					// With synchronize on, any hand edit to a generated resource is
					// reverted, which is desirable for policy-managed objects (e.g.
					// NetworkPolicies) but surprising if the target is also edited by
					// another controller.
					"synchronize"?: bool
5119
					// UID specifies the resource uid of the generated resource.
					"uid"?: string
5122				}
5123
				// ImageExtractors defines a mapping from kinds to
				// ImageExtractorConfigs.
				// This config is only valid for verifyImages rules.
				// An extractor decides which fields of a custom resource are treated
				// as images; a field it misses is never verified, so keep the mapping
				// in step with the CRD.
				"imageExtractors"?: {
					[string]: [...{
						// JMESPath is an optional JMESPath expression to apply to the
						// image value.
						// This is useful when the extracted image begins with a prefix
						// like 'docker://'.
						// The 'trim_prefix' function may be used to trim the prefix:
						// trim_prefix(@, 'docker://').
						// Note - Image digest mutation may not be used when applying a
						// JMESPAth to an image.
						// Consequently images extracted through a JMESPath cannot be
						// pinned to a digest by the rule; the tag remains mutable.
						"jmesPath"?: string

						// Key is an optional name of the field within 'path' that will be
						// used to uniquely identify an image.
						// Note - this field MUST be unique.
						"key"?: string

						// Name is the entry the image will be available under
						// 'images.<name>' in the context.
						// If this field is not defined, image entries will appear under
						// 'images.custom'.
						"name"?: string

						// Path is the path to the object containing the image field in a
						// custom resource.
						// It should be slash-separated. Each slash-separated key must be
						// a valid YAML key or a wildcard '*'.
						// Wildcard keys are expanded in case of arrays or objects.
						"path"!: string

						// Value is an optional name of the field within 'path' that
						// points to the image URI.
						// This is useful when a custom 'key' is also defined.
						"value"?: string
					}]
				}
5163
5164				// MatchResources defines when this policy rule should be applied.
5165				// The match
5166				// criteria can include resource information (e.g. kind, name,
5167				// namespace, labels)
5168				// and admission review request information like the user name or
5169				// role.
5170				// At least one kind is required.
5171				"match"!: matchN(0, [null | bool | number | string | [...] | {
5172					"any"!: _
5173					"all"!: _
5174				}]) & {
5175					// All allows specifying resources which will be ANDed
5176					"all"?: [...{
						// ClusterRoles is the list of cluster-wide role names for the
						// user.
						// Matches on the requesting user's RBAC bindings rather than on
						// the resource itself.
						"clusterRoles"?: [...string]
5180
5181						// ResourceDescription contains information about the resource
5182						// being created or modified.
5183						"resources"?: matchN(0, [null | bool | number | string | [...] | {
5184							"name"!:  _
5185							"names"!: _
5186						}]) & {
							// Annotations is a map of annotations (key-value pairs of type
							// string). Annotation keys
							// and values support the wildcard characters "*" (matches zero or
							// many characters) and
							// "?" (matches at least one character).
							// Annotations are set by whoever creates the resource, so
							// matching on them is an opt-in by the requester, not a
							// trustworthy classification.
							"annotations"?: [string]: string
5193
							// Kinds is a list of resource kinds.
							// The match docs state at least one kind is required, but the
							// field is optional in this schema, so that check is not
							// enforced here.
							"kinds"?: [...string]
5196
							// Name is the name of the resource. The name supports wildcard
							// characters
							// "*" (matches zero or many characters) and "?" (at least one
							// character).
							// NOTE: "Name" is being deprecated in favor of "Names".
							// The enclosing matchN(0, ...) rejects setting both `name` and
							// `names` in the same resources block.
							"name"?: string
5203
							// Names are the names of the resources. Each name supports
							// wildcard characters
							// "*" (matches zero or many characters) and "?" (at least one
							// character).
							// Mutually exclusive with the deprecated `name` (enforced by the
							// enclosing matchN).
							"names"?: [...string]
5209
5210							// NamespaceSelector is a label selector for the resource
5211							// namespace. Label keys and values
5212							// in `matchLabels` support the wildcard characters `*` (matches
5213							// zero or many characters)
5214							// and `?` (matches one character).Wildcards allows writing label
5215							// selectors like
5216							// ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
5217							// any key and value but
5218							// does not match an empty label set.
5219							"namespaceSelector"?: {
5220								// matchExpressions is a list of label selector requirements. The
5221								// requirements are ANDed.
5222								"matchExpressions"?: [...{
5223									// key is the label key that the selector applies to.
5224									"key"!: string
5225
5226									// operator represents a key's relationship to a set of values.
5227									// Valid operators are In, NotIn, Exists and DoesNotExist.
5228									"operator"!: string
5229
5230									// values is an array of string values. If the operator is In or
5231									// NotIn,
5232									// the values array must be non-empty. If the operator is Exists
5233									// or DoesNotExist,
5234									// the values array must be empty. This array is replaced during a
5235									// strategic
5236									// merge patch.
5237									"values"?: [...string]
5238								}]
5239
5240								// matchLabels is a map of {key,value} pairs. A single {key,value}
5241								// in the matchLabels
5242								// map is equivalent to an element of matchExpressions, whose key
5243								// field is "key", the
5244								// operator is "In", and the values array contains only "value".
5245								// The requirements are ANDed.
5246								"matchLabels"?: {
5247									[string]: string
5248								}
5249							}
5250
							// Namespaces is a list of namespaces names. Each name supports
							// wildcard characters
							// "*" (matches zero or many characters) and "?" (at least one
							// character).
							// Prefer explicit names or tight prefixes; a bare "*" here
							// makes the clause cluster-wide.
							"namespaces"?: [...string]
5256
							// Operations can contain values ["CREATE", "UPDATE", "CONNECT",
							// "DELETE"], which are used to match a specific action.
							// Entries are restricted to those four literals. The meaning of
							// an omitted list is not stated here — confirm against the docs.
							"operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
5260
5261							// Selector is a label selector. Label keys and values in
5262							// `matchLabels` support the wildcard
5263							// characters `*` (matches zero or many characters) and `?`
5264							// (matches one character).
5265							// Wildcards allows writing label selectors like
5266							// ["storage.k8s.io/*": "*"]. Note that
5267							// using ["*" : "*"] matches any key and value but does not match
5268							// an empty label set.
5269							"selector"?: {
5270								// matchExpressions is a list of label selector requirements. The
5271								// requirements are ANDed.
5272								"matchExpressions"?: [...{
5273									// key is the label key that the selector applies to.
5274									"key"!: string
5275
5276									// operator represents a key's relationship to a set of values.
5277									// Valid operators are In, NotIn, Exists and DoesNotExist.
5278									"operator"!: string
5279
5280									// values is an array of string values. If the operator is In or
5281									// NotIn,
5282									// the values array must be non-empty. If the operator is Exists
5283									// or DoesNotExist,
5284									// the values array must be empty. This array is replaced during a
5285									// strategic
5286									// merge patch.
5287									"values"?: [...string]
5288								}]
5289
5290								// matchLabels is a map of {key,value} pairs. A single {key,value}
5291								// in the matchLabels
5292								// map is equivalent to an element of matchExpressions, whose key
5293								// field is "key", the
5294								// operator is "In", and the values array contains only "value".
5295								// The requirements are ANDed.
5296								"matchLabels"?: {
5297									[string]: string
5298								}
5299							}
5300						}
5301
						// Roles is the list of namespaced role names for the user.
						// Confirm the expected "namespace:role" spelling against the
						// Kyverno docs; a mis-spelt entry silently matches nothing.
						"roles"?: [...string]
5304
5305						// Subjects is the list of subject names like users, user groups,
5306						// and service accounts.
5307						"subjects"?: [...{
5308							// APIGroup holds the API group of the referenced subject.
5309							// Defaults to "" for ServiceAccount subjects.
5310							// Defaults to "rbac.authorization.k8s.io" for User and Group
5311							// subjects.
5312							"apiGroup"?: string
5313
5314							// Kind of object being referenced. Values defined by this API
5315							// group are "User", "Group", and "ServiceAccount".
5316							// If the Authorizer does not recognized the kind value, the
5317							// Authorizer should report an error.
5318							"kind"!: string
5319
5320							// Name of the object being referenced.
5321							"name"!: string
5322
5323							// Namespace of the referenced object. If the object kind is
5324							// non-namespace, such as "User" or "Group", and this value is
5325							// not empty
5326							// the Authorizer should report an error.
5327							"namespace"?: string
5328						}]
5329					}]
5330
5331					// Any allows specifying resources which will be ORed
5332					"any"?: [...{
						// ClusterRoles is the list of cluster-wide role names for the
						// user.
						// Matches on the requesting user's RBAC bindings rather than on
						// the resource itself.
						"clusterRoles"?: [...string]
5336
5337						// ResourceDescription contains information about the resource
5338						// being created or modified.
5339						"resources"?: matchN(0, [null | bool | number | string | [...] | {
5340							"name"!:  _
5341							"names"!: _
5342						}]) & {
							// Annotations is a map of annotations (key-value pairs of type
							// string). Annotation keys
							// and values support the wildcard characters "*" (matches zero or
							// many characters) and
							// "?" (matches at least one character).
							// Annotations are controlled by the requester, so treat a match
							// on them as opt-in rather than as a trustworthy classification.
							"annotations"?: [string]: string
5349
							// Kinds is a list of resource kinds.
							// Optional in this schema even though the match docs require at
							// least one kind; that check is not enforced here.
							"kinds"?: [...string]
5352
							// Name is the name of the resource. The name supports wildcard
							// characters
							// "*" (matches zero or many characters) and "?" (at least one
							// character).
							// NOTE: "Name" is being deprecated in favor of "Names".
							// The enclosing matchN(0, ...) rejects setting both `name` and
							// `names` together.
							"name"?: string
5359
							// Names are the names of the resources. Each name supports
							// wildcard characters
							// "*" (matches zero or many characters) and "?" (at least one
							// character).
							// Mutually exclusive with the deprecated `name`.
							"names"?: [...string]
5365
5366							// NamespaceSelector is a label selector for the resource
5367							// namespace. Label keys and values
5368							// in `matchLabels` support the wildcard characters `*` (matches
5369							// zero or many characters)
5370							// and `?` (matches one character).Wildcards allows writing label
5371							// selectors like
5372							// ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
5373							// any key and value but
5374							// does not match an empty label set.
5375							"namespaceSelector"?: {
5376								// matchExpressions is a list of label selector requirements. The
5377								// requirements are ANDed.
5378								"matchExpressions"?: [...{
5379									// key is the label key that the selector applies to.
5380									"key"!: string
5381
5382									// operator represents a key's relationship to a set of values.
5383									// Valid operators are In, NotIn, Exists and DoesNotExist.
5384									"operator"!: string
5385
5386									// values is an array of string values. If the operator is In or
5387									// NotIn,
5388									// the values array must be non-empty. If the operator is Exists
5389									// or DoesNotExist,
5390									// the values array must be empty. This array is replaced during a
5391									// strategic
5392									// merge patch.
5393									"values"?: [...string]
5394								}]
5395
5396								// matchLabels is a map of {key,value} pairs. A single {key,value}
5397								// in the matchLabels
5398								// map is equivalent to an element of matchExpressions, whose key
5399								// field is "key", the
5400								// operator is "In", and the values array contains only "value".
5401								// The requirements are ANDed.
5402								"matchLabels"?: {
5403									[string]: string
5404								}
5405							}
5406
5407							// Namespaces is a list of namespace names. Each name supports
5408							// wildcard characters
5409							// "*" (matches zero or many characters) and "?" (at least one
5410							// character).
5411							"namespaces"?: [...string]
5412
5413							// Operations can contain values ["CREATE", "UPDATE", "CONNECT",
5414							// "DELETE"], which are used to match a specific action.
5415							"operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
5416
5417							// Selector is a label selector. Label keys and values in
5418							// `matchLabels` support the wildcard
5419							// characters `*` (matches zero or many characters) and `?`
5420							// (matches one character).
5421							// Wildcards allow writing label selectors like
5422							// ["storage.k8s.io/*": "*"]. Note that
5423							// using ["*" : "*"] matches any key and value but does not match
5424							// an empty label set.
5425							"selector"?: {
5426								// matchExpressions is a list of label selector requirements. The
5427								// requirements are ANDed.
5428								"matchExpressions"?: [...{
5429									// key is the label key that the selector applies to.
5430									"key"!: string
5431
5432									// operator represents a key's relationship to a set of values.
5433									// Valid operators are In, NotIn, Exists and DoesNotExist.
5434									"operator"!: string
5435
5436									// values is an array of string values. If the operator is In or
5437									// NotIn,
5438									// the values array must be non-empty. If the operator is Exists
5439									// or DoesNotExist,
5440									// the values array must be empty. This array is replaced during a
5441									// strategic
5442									// merge patch.
5443									"values"?: [...string]
5444								}]
5445
5446								// matchLabels is a map of {key,value} pairs. A single {key,value}
5447								// in the matchLabels
5448								// map is equivalent to an element of matchExpressions, whose key
5449								// field is "key", the
5450								// operator is "In", and the values array contains only "value".
5451								// The requirements are ANDed.
5452								"matchLabels"?: {
5453									[string]: string
5454								}
5455							}
5456						}
5457
5458						// Roles is the list of namespaced role names for the user.
5459						"roles"?: [...string]
5460
5461						// Subjects is the list of subject names like users, user groups,
5462						// and service accounts.
5463						"subjects"?: [...{
5464							// APIGroup holds the API group of the referenced subject.
5465							// Defaults to "" for ServiceAccount subjects.
5466							// Defaults to "rbac.authorization.k8s.io" for User and Group
5467							// subjects.
5468							"apiGroup"?: string
5469
5470							// Kind of object being referenced. Values defined by this API
5471							// group are "User", "Group", and "ServiceAccount".
5472							// If the Authorizer does not recognize the kind value, the
5473							// Authorizer should report an error.
5474							"kind"!: string
5475
5476							// Name of the object being referenced.
5477							"name"!: string
5478
5479							// Namespace of the referenced object. If the object kind is
5480							// non-namespaced, such as "User" or "Group", and this value is
5481							// not empty,
5482							// the Authorizer should report an error.
5483							"namespace"?: string
5484						}]
5485					}]
5486
5487					// ClusterRoles is the list of cluster-wide role names for the
5488					// user.
5489					"clusterRoles"?: [...string]
5490
5491					// ResourceDescription contains information about the resource
5492					// being created or modified.
5493					// Requires at least one tag to be specified when under
5494					// MatchResources.
5495					// Specifying ResourceDescription directly under match is being
5496					// deprecated.
5497					// Please specify under "any" or "all" instead.
5498					"resources"?: matchN(0, [null | bool | number | string | [...] | {
5499						"name"!:  _
5500						"names"!: _
5501					}]) & {
5502						// Annotations is a map of annotations (key-value pairs of type
5503						// string). Annotation keys
5504						// and values support the wildcard characters "*" (matches zero or
5505						// many characters) and
5506						// "?" (matches at least one character).
5507						"annotations"?: [string]: string
5508
5509						// Kinds is a list of resource kinds.
5510						"kinds"?: [...string]
5511
5512						// Name is the name of the resource. The name supports wildcard
5513						// characters
5514						// "*" (matches zero or many characters) and "?" (at least one
5515						// character).
5516						// NOTE: "Name" is being deprecated in favor of "Names".
5517						"name"?: string
5518
5519						// Names are the names of the resources. Each name supports
5520						// wildcard characters
5521						// "*" (matches zero or many characters) and "?" (at least one
5522						// character).
5523						"names"?: [...string]
5524
5525						// NamespaceSelector is a label selector for the resource
5526						// namespace. Label keys and values
5527						// in `matchLabels` support the wildcard characters `*` (matches
5528						// zero or many characters)
5529						// and `?` (matches one character). Wildcards allow writing label
5530						// selectors like
5531						// ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
5532						// any key and value but
5533						// does not match an empty label set.
5534						"namespaceSelector"?: {
5535							// matchExpressions is a list of label selector requirements. The
5536							// requirements are ANDed.
5537							"matchExpressions"?: [...{
5538								// key is the label key that the selector applies to.
5539								"key"!: string
5540
5541								// operator represents a key's relationship to a set of values.
5542								// Valid operators are In, NotIn, Exists and DoesNotExist.
5543								"operator"!: string
5544
5545								// values is an array of string values. If the operator is In or
5546								// NotIn,
5547								// the values array must be non-empty. If the operator is Exists
5548								// or DoesNotExist,
5549								// the values array must be empty. This array is replaced during a
5550								// strategic
5551								// merge patch.
5552								"values"?: [...string]
5553							}]
5554
5555							// matchLabels is a map of {key,value} pairs. A single {key,value}
5556							// in the matchLabels
5557							// map is equivalent to an element of matchExpressions, whose key
5558							// field is "key", the
5559							// operator is "In", and the values array contains only "value".
5560							// The requirements are ANDed.
5561							"matchLabels"?: {
5562								[string]: string
5563							}
5564						}
5565
5566						// Namespaces is a list of namespace names. Each name supports
5567						// wildcard characters
5568						// "*" (matches zero or many characters) and "?" (at least one
5569						// character).
5570						"namespaces"?: [...string]
5571
5572						// Operations can contain values ["CREATE", "UPDATE", "CONNECT",
5573						// "DELETE"], which are used to match a specific action.
5574						"operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
5575
5576						// Selector is a label selector. Label keys and values in
5577						// `matchLabels` support the wildcard
5578						// characters `*` (matches zero or many characters) and `?`
5579						// (matches one character).
5580						// Wildcards allow writing label selectors like
5581						// ["storage.k8s.io/*": "*"]. Note that
5582						// using ["*" : "*"] matches any key and value but does not match
5583						// an empty label set.
5584						"selector"?: {
5585							// matchExpressions is a list of label selector requirements. The
5586							// requirements are ANDed.
5587							"matchExpressions"?: [...{
5588								// key is the label key that the selector applies to.
5589								"key"!: string
5590
5591								// operator represents a key's relationship to a set of values.
5592								// Valid operators are In, NotIn, Exists and DoesNotExist.
5593								"operator"!: string
5594
5595								// values is an array of string values. If the operator is In or
5596								// NotIn,
5597								// the values array must be non-empty. If the operator is Exists
5598								// or DoesNotExist,
5599								// the values array must be empty. This array is replaced during a
5600								// strategic
5601								// merge patch.
5602								"values"?: [...string]
5603							}]
5604
5605							// matchLabels is a map of {key,value} pairs. A single {key,value}
5606							// in the matchLabels
5607							// map is equivalent to an element of matchExpressions, whose key
5608							// field is "key", the
5609							// operator is "In", and the values array contains only "value".
5610							// The requirements are ANDed.
5611							"matchLabels"?: {
5612								[string]: string
5613							}
5614						}
5615					}
5616
5617					// Roles is the list of namespaced role names for the user.
5618					"roles"?: [...string]
5619
5620					// Subjects is the list of subject names like users, user groups,
5621					// and service accounts.
5622					"subjects"?: [...{
5623						// APIGroup holds the API group of the referenced subject.
5624						// Defaults to "" for ServiceAccount subjects.
5625						// Defaults to "rbac.authorization.k8s.io" for User and Group
5626						// subjects.
5627						"apiGroup"?: string
5628
5629						// Kind of object being referenced. Values defined by this API
5630						// group are "User", "Group", and "ServiceAccount".
5631						// If the Authorizer does not recognize the kind value, the
5632						// Authorizer should report an error.
5633						"kind"!: string
5634
5635						// Name of the object being referenced.
5636						"name"!: string
5637
5638						// Namespace of the referenced object. If the object kind is
5639						// non-namespaced, such as "User" or "Group", and this value is
5640						// not empty,
5641						// the Authorizer should report an error.
5642						"namespace"?: string
5643					}]
5644				}
5645
5646				// Mutation is used to modify matching resources.
5647				"mutate"?: {
5648					// ForEach applies mutation rules to a list of sub-elements by
5649					// creating a context for each entry in the list and looping over
5650					// it to apply the specified logic.
5651					"foreach"?: [...{
5652						// Context defines variables and data sources that can be used
5653						// during rule execution.
5654						"context"?: [...matchN(1, [{
5655							"configMap"!: _
5656						}, {
5657							"apiCall"!: _
5658						}, {
5659							"imageRegistry"!: _
5660						}, {
5661							"variable"!: _
5662						}, {
5663							"globalReference"!: _
5664						}]) & {
5665							// APICall is an HTTP request to the Kubernetes API server, or
5666							// other JSON web service.
5667							// The data returned is stored in the context with the name for
5668							// the context entry.
5669							"apiCall"?: {
5670								// The data object specifies the POST data sent to the server.
5671								// Only applicable when the method field is set to POST.
5672								"data"?: [...{
5673									// Key is a unique identifier for the data value
5674									"key"!: string
5675
5676									// Value is the data value
5677									"value"!: null | bool | number | string | [...] | {
5678										...
5679									}
5680								}]
5681
5682								// Default is an optional arbitrary JSON object that the context
5683								// value is set to if the apiCall returns an error. Because a
5684								// default masks lookup failures, decide whether a failed call
5685								// should instead fail the rule before setting one.
5684								"default"?: null | bool | number | string | [...] | {
5685									...
5686								}
5687
5688								// JMESPath is an optional JSON Match Expression that can be used
5689								// to
5690								// transform the JSON response returned from the server. For
5691								// example
5692								// a JMESPath of "items | length(@)" applied to the API server
5693								// response
5694								// for the URLPath "/apis/apps/v1/deployments" will return the
5695								// total count
5696								// of deployments across all namespaces.
5697								"jmesPath"?: string
5698
5699								// Method is the HTTP request type (GET or POST). Defaults to GET.
5700								"method"?: "GET" | "POST"
5701
5702								// Service is an API call to a JSON web service.
5703								// This is used for non-Kubernetes API server calls.
5704								// It's mutually exclusive with the URLPath field.
5705								"service"?: {
5706									// CABundle is a PEM encoded CA bundle which will be used to
5707									// validate
5708									// the server certificate.
5709									"caBundle"?: string
5710
5711									// Headers is a list of optional HTTP headers to be included in
5712									// the request. Header values are stored as plain strings in the
5713									// policy object, so avoid embedding long-lived credentials here.
5713									"headers"?: [...{
5714										// Key is the header key
5715										"key"!: string
5716
5717										// Value is the header value
5718										"value"!: string
5719									}]
5720
5721									// URL is the JSON web service URL. A typical form is
5722									// `https://{service}.{namespace}:{port}/{path}`.
5723									"url"!: string
5724								}
5725
5726								// URLPath is the URL path to be used in the HTTP GET or POST
5727								// request to the
5728								// Kubernetes API server (e.g. "/api/v1/namespaces" or
5729								// "/apis/apps/v1/deployments").
5730								// The format required is the same format used by the `kubectl get
5731								// --raw` command.
5732								// See
5733								// https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
5734								// for details.
5735								// It's mutually exclusive with the Service field.
5736								"urlPath"?: string
5737							}
5738
5739							// ConfigMap is the ConfigMap reference.
5740							"configMap"?: {
5741								// Name is the ConfigMap name.
5742								"name"!: string
5743
5744								// Namespace is the ConfigMap namespace.
5745								"namespace"?: string
5746							}
5747
5748							// GlobalContextEntryReference is a reference to a cached global
5749							// context entry.
5750							"globalReference"?: {
5751								// JMESPath is an optional JSON Match Expression that can be used
5752								// to
5753								// transform the JSON response returned from the server. For
5754								// example
5755								// a JMESPath of "items | length(@)" applied to the API server
5756								// response
5757								// for the URLPath "/apis/apps/v1/deployments" will return the
5758								// total count
5759								// of deployments across all namespaces.
5760								"jmesPath"?: string
5761
5762								// Name of the global context entry
5763								"name"!: string
5764							}
5765
5766							// ImageRegistry defines requests to an OCI/Docker V2 registry to
5767							// fetch image
5768							// details.
5769							"imageRegistry"?: {
5770								// ImageRegistryCredentials provides credentials that will be used
5771								// for authentication with registry
5772								"imageRegistryCredentials"?: {
5773									// AllowInsecureRegistry allows insecure access to a registry.
5774									// This relaxes transport-level protection for the registry
5775									// request (presumably TLS verification or plaintext HTTP);
5776									// enable it only for trusted test registries.
5775
5776									// Providers specifies a list of OCI registry authentication
5777									// providers to use when fetching image details.
5778									// Each entry must be one of:
5779									// default, google, azure, amazon, github.
5780									"providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
5781
5782									// Secrets specifies a list of secrets that are provided for
5783									// credentials.
5784									// Secrets must live in the Kyverno namespace.
5785									"secrets"?: [...string]
5786								}
5787
5788								// JMESPath is an optional JSON Match Expression that can be used
5789								// to
5790								// transform the ImageData struct returned as a result of
5791								// processing
5792								// the image reference.
5793								"jmesPath"?: string
5794
5795								// Reference is image reference to a container image in the
5796								// registry.
5797								// Example: ghcr.io/kyverno/kyverno:latest
5798								"reference"!: string
5799							}
5800
5801							// Name is the variable name.
5802							"name"!: string
5803
5804							// Variable defines an arbitrary JMESPath context variable that
5805							// can be defined inline.
5806							"variable"?: {
5807								// Default is an optional arbitrary JSON object that the variable
5808								// may take if the JMESPath
5809								// expression evaluates to nil
5810								"default"?: null | bool | number | string | [...] | {
5811									...
5812								}
5813
5814								// JMESPath is an optional JMESPath Expression that can be used to
5815								// transform the variable.
5816								"jmesPath"?: string
5817
5818								// Value is any arbitrary JSON object representable in YAML or
5819								// JSON form.
5820								"value"?: null | bool | number | string | [...] | {
5821									...
5822								}
5823							}
5824						}]
5825
5826						// Foreach declares a nested foreach iterator
5827						"foreach"?: null | bool | number | string | [...] | {
5828							...
5829						}
5830
5831						// List specifies a JMESPath expression that results in one or
5832						// more elements
5833						// to which the mutation logic is applied.
5834						"list"?: string
5835
5836						// Order defines the iteration order on the list.
5837						// Can be Ascending to iterate from first to last element or
5838						// Descending to iterate from last to first element.
5839						"order"?: "Ascending" | "Descending"
5840
5841						// PatchStrategicMerge is a strategic merge patch used to modify
5842						// resources.
5843						// See
5844						// https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
5845						// and
5846						// https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
5847						"patchStrategicMerge"?: null | bool | number | string | [...] | {
5848							...
5849						}
5850
5851						// PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations
5852						// used to modify resources.
5853						// See https://tools.ietf.org/html/rfc6902 and
5854						// https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
5855						"patchesJson6902"?: string
5856
5857						// AnyAllConditions are used to determine if a policy rule should
5858						// be applied by evaluating a
5859						// set of conditions. The declaration can contain nested `any` or
5860						// `all` statements.
5861						// See: https://kyverno.io/docs/writing-policies/preconditions/
5862						"preconditions"?: {
5863							// AllConditions enable variable-based conditional rule execution.
5864							// This is useful for
5865							// finer control of when a rule is applied. A condition can
5866							// reference object data
5867							// using JMESPath notation.
5868							// Here, all of the conditions need to pass
5869							"all"?: [...{
5870								// Key is the context entry (using JMESPath) for conditional rule
5871								// evaluation.
5872								"key"?: null | bool | number | string | [...] | {
5873									...
5874								}
5875
5876								// Message is an optional display message
5877								"message"?: string
5878
5879								// Operator is the conditional operation to perform. Valid
5880								// operators are:
5881								// Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
5882								// GreaterThanOrEquals,
5883								// GreaterThan, LessThanOrEquals, LessThan,
5884								// DurationGreaterThanOrEquals, DurationGreaterThan,
5885								// DurationLessThanOrEquals, DurationLessThan
5886								"operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
5887
5888								// Value is the conditional value, or set of values. The values
5889								// can be fixed set
5890								// or can be variables declared using JMESPath.
5891								"value"?: null | bool | number | string | [...] | {
5892									...
5893								}
5894							}]
5895
5896							// AnyConditions enable variable-based conditional rule execution.
5897							// This is useful for
5898							// finer control of when a rule is applied. A condition can
5899							// reference object data
5900							// using JMESPath notation.
5901							// Here, at least one of the conditions need to pass
5902							"any"?: [...{
5903								// Key is the context entry (using JMESPath) for conditional rule
5904								// evaluation.
5905								"key"?: null | bool | number | string | [...] | {
5906									...
5907								}
5908
5909								// Message is an optional display message
5910								"message"?: string
5911
5912								// Operator is the conditional operation to perform. Valid
5913								// operators are:
5914								// Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
5915								// GreaterThanOrEquals,
5916								// GreaterThan, LessThanOrEquals, LessThan,
5917								// DurationGreaterThanOrEquals, DurationGreaterThan,
5918								// DurationLessThanOrEquals, DurationLessThan
5919								"operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
5920
5921								// Value is the conditional value, or set of values. The values
5922								// can be fixed set
5923								// or can be variables declared using JMESPath.
5924								"value"?: null | bool | number | string | [...] | {
5925									...
5926								}
5927							}]
5928							...
5929						}
5930					}]
5931
5932					// MutateExistingOnPolicyUpdate controls if the mutateExisting
5933					// rule will be applied on policy events.
5934					"mutateExistingOnPolicyUpdate"?: bool
5935
5936					// PatchStrategicMerge is a strategic merge patch used to modify
5937					// resources.
5938					// See
5939					// https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
5940					// and
5941					// https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
5942					"patchStrategicMerge"?: null | bool | number | string | [...] | {
5943						...
5944					}
5945
5946					// PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations
5947					// used to modify resources.
5948					// See https://tools.ietf.org/html/rfc6902 and
5949					// https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
5950					"patchesJson6902"?: string
5951
5952					// Targets defines the target resources to be mutated.
5953					"targets"?: [...{
5954						// APIVersion specifies resource apiVersion.
5955						"apiVersion"?: string
5956
5957						// Context defines variables and data sources that can be used
5958						// during rule execution.
5959						"context"?: [...matchN(1, [{
5960							"configMap"!: _
5961						}, {
5962							"apiCall"!: _
5963						}, {
5964							"imageRegistry"!: _
5965						}, {
5966							"variable"!: _
5967						}, {
5968							"globalReference"!: _
5969						}]) & {
5970							// APICall is an HTTP request to the Kubernetes API server, or
5971							// other JSON web service.
5972							// The data returned is stored in the context with the name for
5973							// the context entry.
5974							"apiCall"?: {
5975								// The data object specifies the POST data sent to the server.
5976								// Only applicable when the method field is set to POST.
5977								"data"?: [...{
5978									// Key is a unique identifier for the data value
5979									"key"!: string
5980
5981									// Value is the data value
5982									"value"!: null | bool | number | string | [...] | {
5983										...
5984									}
5985								}]
5986
5987								// Default is an optional arbitrary JSON object that the context
5988								// value is set to if the apiCall returns an error. Because a
5989								// default masks lookup failures, decide whether a failed call
5990								// should instead fail the rule before setting one.
5989								"default"?: null | bool | number | string | [...] | {
5990									...
5991								}
5992
5993								// JMESPath is an optional JSON Match Expression that can be used
5994								// to
5995								// transform the JSON response returned from the server. For
5996								// example
5997								// a JMESPath of "items | length(@)" applied to the API server
5998								// response
5999								// for the URLPath "/apis/apps/v1/deployments" will return the
6000								// total count
6001								// of deployments across all namespaces.
6002								"jmesPath"?: string
6003
6004								// Method is the HTTP request type (GET or POST). Defaults to GET.
6005								"method"?: "GET" | "POST"
6006
6007								// Service is an API call to a JSON web service.
6008								// This is used for non-Kubernetes API server calls.
6009								// It's mutually exclusive with the URLPath field.
6010								"service"?: {
6011									// CABundle is a PEM encoded CA bundle which will be used to
6012									// validate
6013									// the server certificate.
6014									"caBundle"?: string
6015
6016									// Headers is a list of optional HTTP headers to be included in
6017									// the request. Header values are stored as plain strings in the
6018									// policy object, so avoid embedding long-lived credentials here.
6018									"headers"?: [...{
6019										// Key is the header key
6020										"key"!: string
6021
6022										// Value is the header value
6023										"value"!: string
6024									}]
6025
6026									// URL is the JSON web service URL. A typical form is
6027									// `https://{service}.{namespace}:{port}/{path}`.
6028									"url"!: string
6029								}
6030
6031								// URLPath is the URL path to be used in the HTTP GET or POST
6032								// request to the
6033								// Kubernetes API server (e.g. "/api/v1/namespaces" or
6034								// "/apis/apps/v1/deployments").
6035								// The format required is the same format used by the `kubectl get
6036								// --raw` command.
6037								// See
6038								// https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
6039								// for details.
6040								// It's mutually exclusive with the Service field.
6041								"urlPath"?: string
6042							}
6043
6044							// ConfigMap is the ConfigMap reference.
6045							"configMap"?: {
6046								// Name is the ConfigMap name.
6047								"name"!: string
6048
6049								// Namespace is the ConfigMap namespace.
6050								"namespace"?: string
6051							}
6052
6053							// GlobalContextEntryReference is a reference to a cached global
6054							// context entry.
6055							"globalReference"?: {
6056								// JMESPath is an optional JSON Match Expression that can be used
6057								// to
6058								// transform the JSON response returned from the server. For
6059								// example
6060								// a JMESPath of "items | length(@)" applied to the API server
6061								// response
6062								// for the URLPath "/apis/apps/v1/deployments" will return the
6063								// total count
6064								// of deployments across all namespaces.
6065								"jmesPath"?: string
6066
6067								// Name of the global context entry
6068								"name"!: string
6069							}
6070
6071							// ImageRegistry defines requests to an OCI/Docker V2 registry to
6072							// fetch image
6073							// details.
6074							"imageRegistry"?: {
6075								// ImageRegistryCredentials provides credentials that will be used
6076								// for authentication with registry
6077								"imageRegistryCredentials"?: {
6078									// AllowInsecureRegistry allows insecure access to a registry.
6079									// This relaxes transport-level protection for the registry
6080									// request (presumably TLS verification or plaintext HTTP);
6081									// enable it only for trusted test registries.
6080
6081									// Providers specifies a list of OCI registry authentication
6082									// providers to use when fetching image details.
6083									// Each entry must be one of:
6084									// default, google, azure, amazon, github.
6085									"providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
6086
6087									// Secrets specifies a list of secrets that are provided for
6088									// credentials.
6089									// Secrets must live in the Kyverno namespace.
6090									"secrets"?: [...string]
6091								}
6092
6093								// JMESPath is an optional JSON Match Expression that can be used
6094								// to
6095								// transform the ImageData struct returned as a result of
6096								// processing
6097								// the image reference.
6098								"jmesPath"?: string
6099
6100								// Reference is image reference to a container image in the
6101								// registry.
6102								// Example: ghcr.io/kyverno/kyverno:latest
6103								"reference"!: string
6104							}
6105
6106							// Name is the variable name.
6107							"name"!: string
6108
6109							// Variable defines an arbitrary JMESPath context variable that
6110							// can be defined inline.
6111							"variable"?: {
6112								// Default is an optional arbitrary JSON object that the variable
6113								// may take if the JMESPath
6114								// expression evaluates to nil
6115								"default"?: null | bool | number | string | [...] | {
6116									...
6117								}
6118
6119								// JMESPath is an optional JMESPath Expression that can be used to
6120								// transform the variable.
6121								"jmesPath"?: string
6122
6123								// Value is any arbitrary JSON object representable in YAML or
6124								// JSON form.
6125								"value"?: null | bool | number | string | [...] | {
6126									...
6127								}
6128							}
6129						}]
6130
6131						// Kind specifies resource kind.
6132						"kind"?: string
6133
6134						// Name specifies the resource name.
6135						"name"?: string
6136
6137						// Namespace specifies resource namespace.
6138						"namespace"?: string
6139
6140						// Preconditions are used to determine if a policy rule should be
6141						// applied by evaluating a
6142						// set of conditions. The declaration can contain nested `any` or
6143						// `all` statements. A direct list
6144						// of conditions (without `any` or `all` statements) is supported
6145						// for backwards compatibility but
6146						// will be deprecated in the next major release.
6147						// See: https://kyverno.io/docs/writing-policies/preconditions/
6148						"preconditions"?: null | bool | number | string | [...] | {
6149							...
6150						}
6151
6152						// Selector allows you to select target resources with their
6153						// labels.
6154						"selector"?: {
6155							// matchExpressions is a list of label selector requirements. The
6156							// requirements are ANDed.
6157							"matchExpressions"?: [...{
6158								// key is the label key that the selector applies to.
6159								"key"!: string
6160
6161								// operator represents a key's relationship to a set of values.
6162								// Valid operators are In, NotIn, Exists and DoesNotExist.
6163								"operator"!: string
6164
6165								// values is an array of string values. If the operator is In or
6166								// NotIn,
6167								// the values array must be non-empty. If the operator is Exists
6168								// or DoesNotExist,
6169								// the values array must be empty. This array is replaced during a
6170								// strategic
6171								// merge patch.
6172								"values"?: [...string]
6173							}]
6174
6175							// matchLabels is a map of {key,value} pairs. A single {key,value}
6176							// in the matchLabels
6177							// map is equivalent to an element of matchExpressions, whose key
6178							// field is "key", the
6179							// operator is "In", and the values array contains only "value".
6180							// The requirements are ANDed.
6181							"matchLabels"?: {
6182								[string]: string
6183							}
6184						}
6185
6186						// UID specifies the resource uid.
6187						"uid"?: string
6188					}]
6189				}
6190
6191				// Name is a label to identify the rule; it must be unique within
6192				// the policy. This schema enforces only the 63-rune length limit;
6192				// uniqueness is not checked here.
6193				"name"!: strings.MaxRunes(
6194						63)
6195
6196				// Preconditions are used to determine if a policy rule should be
6197				// applied by evaluating a
6198				// set of conditions. The declaration can contain nested `any` or
6199				// `all` statements. A direct list
6200				// of conditions (without `any` or `all` statements) is supported
6201				// for backwards compatibility but
6202				// will be deprecated in the next major release.
6203				// See: https://kyverno.io/docs/writing-policies/preconditions/
6203				// Note: this schema accepts any JSON value here, so the shape of
6203				// the conditions is not checked by the schema itself.
6204				"preconditions"?: null | bool | number | string | [...] | {
6205					...
6206				}
6207
6208				// ReportProperties are the additional properties from the rule
6209				// that will be added to the policy report result.
6209				// Keys and values are free-form strings; the schema imposes no
6209				// further constraint on them.
6210				"reportProperties"?: {
6211					[string]: string
6212				}
6213
6214				// SkipBackgroundRequests bypasses admission requests that are
6215				// sent by the background controller.
6216				// The default value is set to "true", it must be set to "false"
6217				// to apply
6218				// generate and mutateExisting rules to those requests.
6218				// Note: the default is stated here only; the field is optional in
6218				// this schema and carries no schema-level default.
6219				"skipBackgroundRequests"?: bool
6220
6221				// Validation is used to validate matching resources.
6222				"validate"?: {
6223					// AllowExistingViolations allows pre-existing violating resources
6224					// to continue violating a policy.
6224					// NOTE(review): the exact scope of what is tolerated (updates to an
6224					// already-violating resource vs. any later change) is not stated
6224					// here — confirm before enabling.
6225					"allowExistingViolations"?: bool
6226
6227					// AnyPattern specifies list of validation patterns. At least one
6228					// of the patterns
6229					// must be satisfied for the validation rule to succeed.
6229					// Note: this schema accepts any JSON value here; pattern syntax is
6229					// not validated by the schema.
6230					"anyPattern"?: null | bool | number | string | [...] | {
6231						...
6232					}
6233
6234					// Assert defines a kyverno-json assertion tree.
6234					// Note: the struct is left open; assertion contents are not
6234					// validated by this schema.
6235					"assert"?: {
6236						...
6237					}
6238
6239					// CEL allows validation checks using the Common Expression
6240					// Language
6241					// (https://kubernetes.io/docs/reference/using-api/cel/).
6242					"cel"?: {
6243						// AuditAnnotations contains CEL expressions which are used to
6244						// produce audit annotations for the audit event of the API
6245						// request.
6246						"auditAnnotations"?: [...{
6247							// key specifies the audit annotation key. The audit annotation
6248							// keys of
6249							// a ValidatingAdmissionPolicy must be unique. The key must be a
6250							// qualified
6251							// name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in
6252							// length.
6253							//
6254							// The key is combined with the resource name of the
6255							// ValidatingAdmissionPolicy to construct an audit annotation key:
6256							// "{ValidatingAdmissionPolicy name}/{key}".
6257							//
6258							// If an admission webhook uses the same resource name as this
6259							// ValidatingAdmissionPolicy
6260							// and the same audit annotation key, the annotation key will be
6261							// identical.
6262							// In this case, the first annotation written with the key will be
6263							// included
6264							// in the audit event and all subsequent annotations with the same
6265							// key
6266							// will be discarded.
6267							//
6268							// Required.
6268							// Note: the format and length rules above are not enforced by
6268							// this schema, which only requires a string.
6269							"key"!: string
6270
6271							// valueExpression represents the expression which is evaluated by
6272							// CEL to
6273							// produce an audit annotation value. The expression must evaluate
6274							// to either
6275							// a string or null value. If the expression evaluates to a
6276							// string, the
6277							// audit annotation is included with the string value. If the
6278							// expression
6279							// evaluates to null or empty string the audit annotation will be
6280							// omitted.
6281							// The valueExpression may be no longer than 5kb in length.
6282							// If the result of the valueExpression is more than 10kb in
6283							// length, it
6284							// will be truncated to 10kb.
6285							//
6286							// If multiple ValidatingAdmissionPolicyBinding resources match an
6287							// API request, then the valueExpression will be evaluated for
6288							// each binding. All unique values produced by the
6289							// valueExpressions
6290							// will be joined together in a comma-separated list.
6291							//
6292							// Required.
6293							"valueExpression"!: string
6294						}]
6295
6296						// Expressions is a list of CELExpression types.
6297						"expressions"?: [...{
6298							// Expression represents the expression which will be evaluated by
6299							// CEL.
6300							// ref: https://github.com/google/cel-spec
6301							// CEL expressions have access to the contents of the API
6302							// request/response, organized into CEL variables as well as some
6303							// other useful variables:
6304							//
6305							// - 'object' - The object from the incoming request. The value is
6306							// null for DELETE requests.
6307							// - 'oldObject' - The existing object. The value is null for
6308							// CREATE requests.
6309							// - 'request' - Attributes of the API
6310							// request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
6311							// - 'params' - Parameter resource referred to by the policy
6312							// binding being evaluated. Only populated if the policy has a
6313							// ParamKind.
6314							// - 'namespaceObject' - The namespace object that the incoming
6315							// object belongs to. The value is null for cluster-scoped
6316							// resources.
6317							// - 'variables' - Map of composited variables, from its name to
6318							// its lazily evaluated value.
6319							// For example, a variable named 'foo' can be accessed as
6320							// 'variables.foo'.
6321							// - 'authorizer' - A CEL Authorizer. May be used to perform
6322							// authorization checks for the principal (user or service
6323							// account) of the request.
6324							// See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
6325							// - 'authorizer.requestResource' - A CEL ResourceCheck
6326							// constructed from the 'authorizer' and configured with the
6327							// request resource.
6328							//
6329							// The `apiVersion`, `kind`, `metadata.name` and
6330							// `metadata.generateName` are always accessible from the root of
6331							// the
6332							// object. No other metadata properties are accessible.
6333							//
6334							// Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
6335							// are accessible.
6336							// Accessible property names are escaped according to the
6337							// following rules when accessed in the expression:
6338							// - '__' escapes to '__underscores__'
6339							// - '.' escapes to '__dot__'
6340							// - '-' escapes to '__dash__'
6341							// - '/' escapes to '__slash__'
6342							// - Property names that exactly match a CEL RESERVED keyword
6343							// escape to '__{keyword}__'. The keywords are:
6344							// "true", "false", "null", "in", "as", "break", "const",
6345							// "continue", "else", "for", "function", "if",
6346							// "import", "let", "loop", "package", "namespace", "return".
6347							// Examples:
6348							// - Expression accessing a property named "namespace":
6349							// {"Expression": "object.__namespace__ > 0"}
6350							// - Expression accessing a property named "x-prop":
6351							// {"Expression": "object.x__dash__prop > 0"}
6352							// - Expression accessing a property named "redact__d":
6353							// {"Expression": "object.redact__underscores__d > 0"}
6354							//
6355							// Equality on arrays with list type of 'set' or 'map' ignores
6356							// element order, i.e. [1, 2] == [2, 1].
6357							// Concatenation on arrays with x-kubernetes-list-type use the
6358							// semantics of the list type:
6359							// - 'set': `X + Y` performs a union where the array positions of
6360							// all elements in `X` are preserved and
6361							// non-intersecting elements in `Y` are appended, retaining their
6362							// partial order.
6363							// - 'map': `X + Y` performs a merge where the array positions of
6364							// all keys in `X` are preserved but the values
6365							// are overwritten by values in `Y` when the key sets of `X` and
6366							// `Y` intersect. Elements in `Y` with
6367							// non-intersecting keys are appended, retaining their partial
6368							// order.
6369							// Required.
6370							"expression"!: string
6371
6372							// Message represents the message displayed when validation fails.
6373							// The message is required if the Expression contains
6374							// line breaks. The message must not contain line breaks.
6375							// If unset, the message is "failed rule: {Rule}".
6376							// e.g. "must be a URL with the host matching spec.host"
6377							// If the Expression contains line breaks. Message is required.
6378							// The message must not contain line breaks.
6379							// If unset, the message is "failed Expression: {Expression}".
6380							"message"?: string
6381
6382							// messageExpression declares a CEL expression that evaluates to
6383							// the validation failure message that is returned when this rule
6384							// fails.
6385							// Since messageExpression is used as a failure message, it must
6386							// evaluate to a string.
6387							// If both message and messageExpression are present on a
6388							// validation, then messageExpression will be used if validation
6389							// fails.
6390							// If messageExpression results in a runtime error, the runtime
6391							// error is logged, and the validation failure message is
6392							// produced
6393							// as if the messageExpression field were unset. If
6394							// messageExpression evaluates to an empty string, a string with
6395							// only spaces, or a string
6396							// that contains line breaks, then the validation failure message
6397							// will also be produced as if the messageExpression field were
6398							// unset, and
6399							// the fact that messageExpression produced an empty string/string
6400							// with only spaces/string with line breaks will be logged.
6401							// messageExpression has access to all the same variables as the
6402							// `expression` except for 'authorizer' and
6403							// 'authorizer.requestResource'.
6404							// Example:
6405							// "object.x must be less than max ("+string(params.max)+")"
6406							"messageExpression"?: string
6407
6408							// Reason represents a machine-readable description of why this
6409							// validation failed.
6410							// If this is the first validation in the list to fail, this
6411							// reason, as well as the
6412							// corresponding HTTP response code, are used in the
6413							// HTTP response to the client.
6414							// The currently supported reasons are: "Unauthorized",
6415							// "Forbidden", "Invalid", "RequestEntityTooLarge".
6416							// If not set, StatusReasonInvalid is used in the response to the
6417							// client.
6417							// Note: this schema does not restrict the value to the list
6417							// above.
6418							"reason"?: string
6419						}]
6420
6421						// ParamKind is a tuple of Group Kind and Version.
6422						"paramKind"?: {
6423							// APIVersion is the API group version the resources belong to.
6424							// In format of "group/version".
6425							// Required.
6425							// NOTE(review): documented as Required, but optional ("?") in
6425							// this schema.
6426							"apiVersion"?: string
6427
6428							// Kind is the API kind the resources belong to.
6429							// Required.
6429							// NOTE(review): documented as Required, but optional ("?") in
6429							// this schema.
6430							"kind"?: string
6431						}
6432
6433						// ParamRef references a parameter resource.
6434						"paramRef"?: {
6435							// name is the name of the resource being referenced.
6436							//
6437							// One of `name` or `selector` must be set, but `name` and
6438							// `selector` are
6439							// mutually exclusive properties. If one is set, the other must be
6440							// unset.
6441							//
6442							// A single parameter used for all admission requests can be
6443							// configured
6444							// by setting the `name` field, leaving `selector` blank, and
6445							// setting namespace
6446							// if `paramKind` is namespace-scoped.
6446							// NOTE(review): the name/selector mutual exclusion is not
6446							// enforced by this schema; both fields are optional here.
6447							"name"?: string
6448
6449							// namespace is the namespace of the referenced resource. Allows
6450							// limiting
6451							// the search for params to a specific namespace. Applies to both
6452							// `name` and
6453							// `selector` fields.
6454							//
6455							// A per-namespace parameter may be used by specifying a
6456							// namespace-scoped
6457							// `paramKind` in the policy and leaving this field empty.
6458							//
6459							// - If `paramKind` is cluster-scoped, this field MUST be unset.
6460							// Setting this
6461							// field results in a configuration error.
6462							//
6463							// - If `paramKind` is namespace-scoped, the namespace of the
6464							// object being
6465							// evaluated for admission will be used when this field is left
6466							// unset. Take
6467							// care that if this is left empty the binding must not match any
6468							// cluster-scoped
6469							// resources, which will result in an error.
6470							"namespace"?: string
6471
6472							// `parameterNotFoundAction` controls the behavior of the binding
6473							// when the resource
6474							// exists, and name or selector is valid, but there are no
6475							// parameters
6476							// matched by the binding. If the value is set to `Allow`, then no
6477							// matched parameters will be treated as successful validation by
6478							// the binding.
6479							// If set to `Deny`, then no matched parameters will be subject to
6480							// the
6481							// `failurePolicy` of the policy.
6482							//
6483							// Allowed values are `Allow` or `Deny`
6484							//
6485							// Required
6485							// Note: `Allow` makes a missing parameter count as a pass
6485							// (fail-open); `Deny` hands that case to the failurePolicy.
6485							// NOTE(review): documented as Required with two allowed values,
6485							// but this schema leaves it an optional free-form string.
6486							"parameterNotFoundAction"?: string
6487
6488							// selector can be used to match multiple param objects based on
6489							// their labels.
6490							// Supply selector: {} to match all resources of the ParamKind.
6491							//
6492							// If multiple params are found, they are all evaluated with the
6493							// policy expressions
6494							// and the results are ANDed together.
6495							//
6496							// One of `name` or `selector` must be set, but `name` and
6497							// `selector` are
6498							// mutually exclusive properties. If one is set, the other must be
6499							// unset.
6500							"selector"?: {
6501								// matchExpressions is a list of label selector requirements. The
6502								// requirements are ANDed.
6503								"matchExpressions"?: [...{
6504									// key is the label key that the selector applies to.
6505									"key"!: string
6506
6507									// operator represents a key's relationship to a set of values.
6508									// Valid operators are In, NotIn, Exists and DoesNotExist.
6508									// Note: this schema leaves the operator as a free-form string;
6508									// the list above is not enforced here.
6509									"operator"!: string
6510
6511									// values is an array of string values. If the operator is In or
6512									// NotIn,
6513									// the values array must be non-empty. If the operator is Exists
6514									// or DoesNotExist,
6515									// the values array must be empty. This array is replaced during a
6516									// strategic
6517									// merge patch.
6518									"values"?: [...string]
6519								}]
6520
6521								// matchLabels is a map of {key,value} pairs. A single {key,value}
6522								// in the matchLabels
6523								// map is equivalent to an element of matchExpressions, whose key
6524								// field is "key", the
6525								// operator is "In", and the values array contains only "value".
6526								// The requirements are ANDed.
6527								"matchLabels"?: {
6528									[string]: string
6529								}
6530							}
6531						}
6532
6533						// Variables contain definitions of variables that can be used in
6534						// composition of other expressions.
6535						// Each variable is defined as a named CEL expression.
6536						// The variables defined here will be available under `variables`
6537						// in other expressions of the policy.
6538						"variables"?: [...{
6539							// Expression is the expression that will be evaluated as the
6540							// value of the variable.
6541							// The CEL expression has access to the same identifiers as the
6542							// CEL expressions in Validation.
6543							"expression"!: string
6544
6545							// Name is the name of the variable. The name must be a valid CEL
6546							// identifier and unique among all variables.
6547							// The variable can be accessed in other expressions through
6548							// `variables`
6549							// For example, if name is "foo", the variable will be available
6550							// as `variables.foo`
6550							// Note: identifier validity and uniqueness are not checked by
6550							// this schema.
6551							"name"!: string
6552						}]
6553					}
6554
6555					// Deny defines conditions used to pass or fail a validation rule.
6556					"deny"?: {
6557						// Multiple conditions can be declared under an `any` or `all`
6558						// statement. A direct list
6559						// of conditions (without `any` or `all` statements) is also
6560						// supported for backwards compatibility
6561						// but will be deprecated in the next major release.
6562						// See:
6563						// https://kyverno.io/docs/writing-policies/validate/#deny-rules
6563						// Note: this schema accepts any JSON value here; the condition
6563						// structure is not validated by the schema.
6564						"conditions"?: null | bool | number | string | [...] | {
6565							...
6566						}
6567					}
6568
6569					// FailureAction defines if a validation policy rule violation
6570					// should block
6571					// the admission review request (Enforce), or allow (Audit) the
6572					// admission review request
6573					// and report an error in a policy report. Optional.
6574					// Allowed values are Audit or Enforce.
6574					// Note: Audit does not block the request — violations are only
6574					// reported. Treat an Audit rule as detection, not prevention.
6575					"failureAction"?: "Audit" | "Enforce"
6576
6577					// FailureActionOverrides is a Cluster Policy attribute that
6578					// specifies FailureAction
6579					// namespace-wise. It overrides FailureAction for the specified
6580					// namespaces.
6581					"failureActionOverrides"?: [...{
6582						// ValidationFailureAction defines the policy validation failure
6583						// action.
6583						// An override to audit/Audit makes violations in the selected
6583						// namespaces non-blocking (reported only); review overrides with
6583						// the same care as the top-level failureAction.
6584						"action"?: "audit" | "enforce" | "Audit" | "Enforce"
6585
6586						// A label selector is a label query over a set of resources. The
6587						// result of matchLabels and
6588						// matchExpressions are ANDed. An empty label selector matches all
6589						// objects. A null
6590						// label selector matches no objects.
6591						"namespaceSelector"?: {
6592							// matchExpressions is a list of label selector requirements. The
6593							// requirements are ANDed.
6594							"matchExpressions"?: [...{
6595								// key is the label key that the selector applies to.
6596								"key"!: string
6597
6598								// operator represents a key's relationship to a set of values.
6599								// Valid operators are In, NotIn, Exists and DoesNotExist.
6599								// Note: this schema leaves the operator as a free-form string;
6599								// the list above is not enforced here.
6600								"operator"!: string
6601
6602								// values is an array of string values. If the operator is In or
6603								// NotIn,
6604								// the values array must be non-empty. If the operator is Exists
6605								// or DoesNotExist,
6606								// the values array must be empty. This array is replaced during a
6607								// strategic
6608								// merge patch.
6609								"values"?: [...string]
6610							}]
6611
6612							// matchLabels is a map of {key,value} pairs. A single {key,value}
6613							// in the matchLabels
6614							// map is equivalent to an element of matchExpressions, whose key
6615							// field is "key", the
6616							// operator is "In", and the values array contains only "value".
6617							// The requirements are ANDed.
6618							"matchLabels"?: {
6619								[string]: string
6620							}
6621						}
6622						// Namespaces lists namespace names this override applies to
6622						// (presumably matched by exact name — confirm against Kyverno).
6622						// NOTE(review): both namespaceSelector and namespaces are optional;
6622						// how an override with neither set is applied is not stated here.
6622						"namespaces"?: [...string]
6623					}]
6624
6625					// ForEach applies validate rules to a list of sub-elements by
6626					// creating a context for each entry in the list and looping over
6627					// it to apply the specified logic.
6628					"foreach"?: [...{
6629						// AnyPattern specifies list of validation patterns. At least one
6630						// of the patterns
6631						// must be satisfied for the validation rule to succeed.
6631						// Note: this schema accepts any JSON value here; pattern syntax is
6631						// not validated by the schema.
6632						"anyPattern"?: null | bool | number | string | [...] | {
6633							...
6634						}
6635
6636						// Context defines variables and data sources that can be used
6637						// during rule execution.
6637						// Exactly one of configMap, apiCall, imageRegistry, variable or
6637						// globalReference must be set per entry (enforced by matchN(1, ...)).
6638						"context"?: [...matchN(1, [{
6639							"configMap"!: _
6640						}, {
6641							"apiCall"!: _
6642						}, {
6643							"imageRegistry"!: _
6644						}, {
6645							"variable"!: _
6646						}, {
6647							"globalReference"!: _
6648						}]) & {
6649							// APICall is an HTTP request to the Kubernetes API server, or
6650							// other JSON web service.
6651							// The data returned is stored in the context with the name for
6652							// the context entry.
6653							"apiCall"?: {
6654								// The data object specifies the POST data sent to the server.
6655								// Only applicable when the method field is set to POST.
6656								"data"?: [...{
6657									// Key is a unique identifier for the data value
6658									"key"!: string
6659
6660									// Value is the data value
6661									"value"!: null | bool | number | string | [...] | {
6662										...
6663									}
6664								}]
6665
6666								// Default is an optional arbitrary JSON object that the context
6667								// value is set to, if the apiCall returns error.
6667								// Note: a default masks a failed call, so a rule that gates on
6667								// this value should treat the default as a possible fail-open
6667								// path and choose it accordingly.
6668								"default"?: null | bool | number | string | [...] | {
6669									...
6670								}
6671
6672								// JMESPath is an optional JSON Match Expression that can be used
6673								// to
6674								// transform the JSON response returned from the server. For
6675								// example
6676								// a JMESPath of "items | length(@)" applied to the API server
6677								// response
6678								// for the URLPath "/apis/apps/v1/deployments" will return the
6679								// total count
6680								// of deployments across all namespaces.
6681								"jmesPath"?: string
6682
6683								// Method is the HTTP request type (GET or POST). Defaults to GET.
6683								// Note: the default is stated here only; the schema carries no
6683								// default value.
6684								"method"?: "GET" | "POST"
6685
6686								// Service is an API call to a JSON web service.
6687								// This is used for non-Kubernetes API server calls.
6688								// It's mutually exclusive with the URLPath field.
6688								// NOTE(review): the service/urlPath mutual exclusion is not
6688								// enforced by this schema; both fields are optional here.
6689								"service"?: {
6690									// CABundle is a PEM encoded CA bundle which will be used to
6691									// validate
6692									// the server certificate.
6692									// NOTE(review): the trust store used when caBundle is omitted is
6692									// not stated here — confirm. PEM syntax is not checked by the
6692									// schema.
6693									"caBundle"?: string
6694
6695									// Headers is a list of optional HTTP headers to be included in
6696									// the request.
6696									// Note: header values are literal strings in the policy object,
6696									// so anything placed here is readable by anyone who can read
6696									// the policy.
6697									"headers"?: [...{
6698										// Key is the header key
6699										"key"!: string
6700
6701										// Value is the header value
6702										"value"!: string
6703									}]
6704
6705									// URL is the JSON web service URL. A typical form is
6706									// `https://{service}.{namespace}:{port}/{path}`.
6706									// Note: the schema does not restrict the URL scheme.
6707									"url"!: string
6708								}
6709
6710								// URLPath is the URL path to be used in the HTTP GET or POST
6711								// request to the
6712								// Kubernetes API server (e.g. "/api/v1/namespaces" or
6713								// "/apis/apps/v1/deployments").
6714								// The format required is the same format used by the `kubectl get
6715								// --raw` command.
6716								// See
6717								// https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
6718								// for details.
6719								// It's mutually exclusive with the Service field.
6720								"urlPath"?: string
6721							}
6722
6723							// ConfigMap is the ConfigMap reference.
6724							"configMap"?: {
6725								// Name is the ConfigMap name.
6726								"name"!: string
6727
6728								// Namespace is the ConfigMap namespace.
6728								// NOTE(review): the namespace used when this is omitted is not
6728								// stated here — confirm.
6729								"namespace"?: string
6730							}
6731
6732							// GlobalContextEntryReference is a reference to a cached global
6733							// context entry.
6734							"globalReference"?: {
6735								// JMESPath is an optional JSON Match Expression that can be used
6736								// to
6737								// transform the JSON response returned from the server. For
6738								// example
6739								// a JMESPath of "items | length(@)" applied to the API server
6740								// response
6741								// for the URLPath "/apis/apps/v1/deployments" will return the
6742								// total count
6743								// of deployments across all namespaces.
6744								"jmesPath"?: string
6745
6746								// Name of the global context entry
6747								"name"!: string
6748							}
6749
6750							// ImageRegistry defines requests to an OCI/Docker V2 registry to
6751							// fetch image
6752							// details.
6753							"imageRegistry"?: {
6754								// ImageRegistryCredentials provides credentials that will be used
6755								// for authentication with registry
6756								"imageRegistryCredentials"?: {
6757									// AllowInsecureRegistry allows insecure access to a registry.
6757									// NOTE(review): what "insecure" relaxes (plaintext HTTP,
6757									// certificate verification, or both) is not stated here —
6757									// confirm before enabling.
6758									"allowInsecureRegistry"?: bool
6759
6760									// Providers specifies a list of OCI Registry names, whose
6761									// authentication providers are provided.
6762									// It can be of one of these values:
6763									// default,google,azure,amazon,github.
6764									"providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
6765
6766									// Secrets specifies a list of secrets that are provided for
6767									// credentials.
6768									// Secrets must live in the Kyverno namespace.
6768									// Note: entries are secret names only; the namespace is implied.
6769									"secrets"?: [...string]
6770								}
6771
6772								// JMESPath is an optional JSON Match Expression that can be used
6773								// to
6774								// transform the ImageData struct returned as a result of
6775								// processing
6776								// the image reference.
6777								"jmesPath"?: string
6778
6779								// Reference is image reference to a container image in the
6780								// registry.
6781								// Example: ghcr.io/kyverno/kyverno:latest
6781								// Note: the schema does not validate reference syntax.
6782								"reference"!: string
6783							}
6784
6785							// Name is the variable name.
6786							"name"!: string
6787
6788							// Variable defines an arbitrary JMESPath context variable that
6789							// can be defined inline.
6790							"variable"?: {
6791								// Default is an optional arbitrary JSON object that the variable
6792								// may take if the JMESPath
6793								// expression evaluates to nil
6794								"default"?: null | bool | number | string | [...] | {
6795									...
6796								}
6797
6798								// JMESPath is an optional JMESPath Expression that can be used to
6799								// transform the variable.
6800								"jmesPath"?: string
6801
6802								// Value is any arbitrary JSON object representable in YAML or
6803								// JSON form.
6804								"value"?: null | bool | number | string | [...] | {
6805									...
6806								}
6807							}
6808						}]
6809
6810						// Deny defines conditions used to pass or fail a validation rule.
6811						"deny"?: {
6812							// Multiple conditions can be declared under an `any` or `all`
6813							// statement. A direct list
6814							// of conditions (without `any` or `all` statements) is also
6815							// supported for backwards compatibility
6816							// but will be deprecated in the next major release.
6817							// See:
6818							// https://kyverno.io/docs/writing-policies/validate/#deny-rules
6818							// Note: this schema accepts any JSON value here; the condition
6818							// structure is not validated by the schema.
6819							"conditions"?: null | bool | number | string | [...] | {
6820								...
6821							}
6822						}
6823
6824						// ElementScope specifies whether to use the current list element
6825						// as the scope for validation. Defaults to "true" if not
6826						// specified.
6827						// When set to "false", "request.object" is used as the validation
6828						// scope within the foreach
6829						// block to allow referencing other elements in the subtree.
6829						// Note: the default is stated here only; the schema carries no
6829						// default value.
6830						"elementScope"?: bool
6831
6832						// Foreach declares a nested foreach iterator.
6832						// Note: this schema accepts any JSON value here; nested iterators
6832						// are not validated by the schema.
6833						"foreach"?: null | bool | number | string | [...] | {
6834							...
6835						}
6836
6837						// List specifies a JMESPath expression that results in one or
6838						// more elements
6839						// to which the validation logic is applied.
6840						"list"?: string
6841
6842						// Pattern specifies an overlay-style pattern used to check
6843						// resources.
6843						// Note: this schema accepts any JSON value here; pattern syntax is
6843						// not validated by the schema.
6844						"pattern"?: null | bool | number | string | [...] | {
6845							...
6846						}
6847
6848						// AnyAllConditions are used to determine if a policy rule should
6849						// be applied by evaluating a
6850						// set of conditions. The declaration can contain nested `any` or
6851						// `all` statements.
6852						// See: https://kyverno.io/docs/writing-policies/preconditions/
6852						// Note: the operator is restricted to the listed values; the
6852						// trailing `...` keeps this struct open to other fields.
6853						"preconditions"?: {
6854							// AllConditions enable variable-based conditional rule execution.
6855							// This is useful for
6856							// finer control of when a rule is applied. A condition can
6857							// reference object data
6858							// using JMESPath notation.
6859							// Here, all of the conditions need to pass
6860							"all"?: [...{
6861								// Key is the context entry (using JMESPath) for conditional rule
6862								// evaluation.
6863								"key"?: null | bool | number | string | [...] | {
6864									...
6865								}
6866
6867								// Message is an optional display message
6868								"message"?: string
6869
6870								// Operator is the conditional operation to perform. Valid
6871								// operators are:
6872								// Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
6873								// GreaterThanOrEquals,
6874								// GreaterThan, LessThanOrEquals, LessThan,
6875								// DurationGreaterThanOrEquals, DurationGreaterThan,
6876								// DurationLessThanOrEquals, DurationLessThan
6877								"operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
6878
6879								// Value is the conditional value, or set of values. The values
6880								// can be fixed set
6881								// or can be variables declared using JMESPath.
6882								"value"?: null | bool | number | string | [...] | {
6883									...
6884								}
6885							}]
6886
6887							// AnyConditions enable variable-based conditional rule execution.
6888							// This is useful for
6889							// finer control of when a rule is applied. A condition can
6890							// reference object data
6891							// using JMESPath notation.
6892							// Here, at least one of the conditions need to pass
6893							"any"?: [...{
6894								// Key is the context entry (using JMESPath) for conditional rule
6895								// evaluation.
6896								"key"?: null | bool | number | string | [...] | {
6897									...
6898								}
6899
6900								// Message is an optional display message
6901								"message"?: string
6902
6903								// Operator is the conditional operation to perform. Valid
6904								// operators are:
6905								// Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
6906								// GreaterThanOrEquals,
6907								// GreaterThan, LessThanOrEquals, LessThan,
6908								// DurationGreaterThanOrEquals, DurationGreaterThan,
6909								// DurationLessThanOrEquals, DurationLessThan
6910								"operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
6911
6912								// Value is the conditional value, or set of values. The values
6913								// can be fixed set
6914								// or can be variables declared using JMESPath.
6915								"value"?: null | bool | number | string | [...] | {
6916									...
6917								}
6918							}]
6919							...
6920						}
6921					}]
6922
6923					// Manifest specifies conditions for manifest verification
6924					"manifests"?: {
6925						// AnnotationDomain is custom domain of annotation for message and
6926						// signature. Default is "cosign.sigstore.dev".
6927						"annotationDomain"?: string
6928
6929						// Attestors specify the required attestors (i.e. authorities).
6930						"attestors"?: [...{
6931							// Count specifies the required number of entries that must match.
6932							// If the count is null, all entries must match
6933							// (a logical AND). If the count is 1, at least one entry must
6934							// match (a logical OR). If the count contains a
6935							// value N, then N must be less than or equal to the size of
6936							// entries, and at least N entries must match.
6937							"count"?: int & >=1
6938
6939							// Entries contains the available attestors. An attestor can be a
6940							// static key,
6941							// attributes for keyless verification, or a nested attestor
6942							// declaration.
6943							"entries"?: [...{
6944								// Annotations are used for image verification.
6945								// Every specified key-value pair must exist and match in the
6946								// verified payload.
6947								// The payload may contain other key-value pairs.
6948								"annotations"?: [string]: string
6949
6950								// Attestor is a nested set of Attestor entries used to express a more complex
6951								// set of match authorities; the nested value is left unconstrained by this schema.
6952								"attestor"?: null | bool | number | string | [...] | {
6953									...
6954								}
6955
6956								// Certificates specifies one or more certificates.
6957								"certificates"?: {
6958									// Cert is an optional PEM-encoded public certificate.
6959									"cert"?: string
6960
6961									// CertChain is an optional PEM encoded set of certificates used
6962									// to verify.
6963									"certChain"?: string
6964
6965									// CTLog (certificate timestamp log) provides a configuration for
6966									// validation of Signed Certificate
6967									// Timestamps (SCTs). If the value is unset, the default behavior
6968									// by Cosign is used.
6969									"ctlog"?: {
6970										// IgnoreSCT defines whether to use the Signed Certificate
6971										// Timestamp (SCT) log to check for a certificate
6972										// timestamp. Default is false. Set to true if this was opted out
6973										// during signing.
6974										"ignoreSCT"?: bool
6975
6976										// PubKey, if set, is used to validate SCTs against a custom
6977										// source.
6978										"pubkey"?: string
6979
6980										// TSACertChain, if set, is the PEM-encoded certificate chain file
6981										// for the RFC3161 timestamp authority. Must
6982										// contain the root CA certificate. Optionally may contain
6983										// intermediate CA certificates, and
6984										// may contain the leaf TSA certificate if not present in the
6985										// timestamp source.
6986										"tsaCertChain"?: string
6987									}
6988
6989									// Rekor provides configuration for the Rekor transparency log
6990									// service. If an empty object
6991									// is provided the public instance of Rekor
6992									// (https://rekor.sigstore.dev) is used.
6993									"rekor"?: {
6994										// IgnoreTlog, when true, skips Rekor transparency log verification for this attestor.
6995										"ignoreTlog"?: bool
6996
6997										// RekorPubKey is an optional PEM-encoded public key to use for a
6998										// custom Rekor.
6999										// If set, this will be used to validate transparency log
7000										// signatures from a custom Rekor.
7001										"pubkey"?: string
7002
7003										// URL is the address of the transparency log. Defaults to the
7004										// public Rekor log instance https://rekor.sigstore.dev.
7005										"url"?: string
7006									}
7007								}
7008
7009								// Keyless is a set of attributes used to verify a Sigstore keyless
7010								// attestor.
7011								// See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
7012								"keyless"?: {
7013									// AdditionalExtensions are certificate-extensions used for
7014									// keyless signing.
7015									"additionalExtensions"?: [string]: string
7016
7017									// CTLog (certificate timestamp log) provides a configuration for
7018									// validation of Signed Certificate
7019									// Timestamps (SCTs). If the value is unset, the default behavior
7020									// by Cosign is used.
7021									"ctlog"?: {
7022										// IgnoreSCT defines whether to use the Signed Certificate
7023										// Timestamp (SCT) log to check for a certificate
7024										// timestamp. Default is false. Set to true if this was opted out
7025										// during signing.
7026										"ignoreSCT"?: bool
7027
7028										// PubKey, if set, is used to validate SCTs against a custom
7029										// source.
7030										"pubkey"?: string
7031
7032										// TSACertChain, if set, is the PEM-encoded certificate chain file
7033										// for the RFC3161 timestamp authority. Must
7034										// contain the root CA certificate. Optionally may contain
7035										// intermediate CA certificates, and
7036										// may contain the leaf TSA certificate if not present in the
7037										// timestamp source.
7038										"tsaCertChain"?: string
7039									}
7040
7041									// Issuer is the certificate issuer used for keyless signing.
7042									"issuer"?: string
7043
7044									// IssuerRegExp is the regular expression to match certificate
7045									// issuer used for keyless signing.
7046									"issuerRegExp"?: string
7047
7048									// Rekor provides configuration for the Rekor transparency log
7049									// service. If an empty object
7050									// is provided the public instance of Rekor
7051									// (https://rekor.sigstore.dev) is used.
7052									"rekor"?: {
7053										// IgnoreTlog, when true, skips Rekor transparency log verification for this attestor.
7054										"ignoreTlog"?: bool
7055
7056										// RekorPubKey is an optional PEM-encoded public key to use for a
7057										// custom Rekor.
7058										// If set, this will be used to validate transparency log
7059										// signatures from a custom Rekor.
7060										"pubkey"?: string
7061
7062										// URL is the address of the transparency log. Defaults to the
7063										// public Rekor log instance https://rekor.sigstore.dev.
7064										"url"?: string
7065									}
7066
7067									// Roots is an optional set of PEM encoded trusted root
7068									// certificates.
7069									// If not provided, the system roots are used.
7070									"roots"?: string
7071
7072									// Subject is the verified identity used for keyless signing, for
7073									// example the email address.
7074									"subject"?: string
7075
7076									// SubjectRegExp is the regular expression to match identity used
7077									// for keyless signing, for example the email address.
7078									"subjectRegExp"?: string
7079								}
7080
7081								// Keys specifies one or more public keys.
7082								"keys"?: {
7083									// CTLog (certificate timestamp log) provides a configuration for
7084									// validation of Signed Certificate
7085									// Timestamps (SCTs). If the value is unset, the default behavior
7086									// by Cosign is used.
7087									"ctlog"?: {
7088										// IgnoreSCT defines whether to use the Signed Certificate
7089										// Timestamp (SCT) log to check for a certificate
7090										// timestamp. Default is false. Set to true if this was opted out
7091										// during signing.
7092										"ignoreSCT"?: bool
7093
7094										// PubKey, if set, is used to validate SCTs against a custom
7095										// source.
7096										"pubkey"?: string
7097
7098										// TSACertChain, if set, is the PEM-encoded certificate chain file
7099										// for the RFC3161 timestamp authority. Must
7100										// contain the root CA certificate. Optionally may contain
7101										// intermediate CA certificates, and
7102										// may contain the leaf TSA certificate if not present in the
7103										// timestamp source.
7104										"tsaCertChain"?: string
7105									}
7106
7107									// KMS provides the URI to the public key stored in a Key
7108									// Management System. See:
7109									// https://github.com/sigstore/cosign/blob/main/KMS.md
7110									"kms"?: string
7111
7112									// Keys is a set of X.509 public keys used to verify image
7113									// signatures. The keys can be directly
7114									// specified or can be a variable reference to a key specified in
7115									// a ConfigMap (see
7116									// https://kyverno.io/docs/writing-policies/variables/), or
7117									// reference a standard Kubernetes Secret
7118									// elsewhere in the cluster by specifying it in the format
7119									// "k8s://<namespace>/<secret_name>".
7120									// The named Secret must specify a key `cosign.pub` containing the
7121									// public key used for
7122									// verification, (see
7123									// https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
7124									// When multiple keys are specified each key is processed as a
7125									// separate staticKey entry
7126									// (.attestors[*].entries.keys) within the set of attestors and
7127									// the count is applied across the keys.
7128									"publicKeys"?: string
7129
7130									// Rekor provides configuration for the Rekor transparency log
7131									// service. If an empty object
7132									// is provided the public instance of Rekor
7133									// (https://rekor.sigstore.dev) is used.
7134									"rekor"?: {
7135										// IgnoreTlog, when true, skips Rekor transparency log verification for this attestor.
7136										"ignoreTlog"?: bool
7137
7138										// RekorPubKey is an optional PEM-encoded public key to use for a
7139										// custom Rekor.
7140										// If set, this will be used to validate transparency log
7141										// signatures from a custom Rekor.
7142										"pubkey"?: string
7143
7144										// URL is the address of the transparency log. Defaults to the
7145										// public Rekor log instance https://rekor.sigstore.dev.
7146										"url"?: string
7147									}
7148
7149									// Reference to a Secret resource that contains a public key
7150									"secret"?: {
7151										// Name of the secret. The provided secret must contain a key
7152										// named cosign.pub.
7153										"name"!: string
7154
7155										// Namespace name where the Secret exists.
7156										"namespace"!: string
7157									}
7158
7159									// Deprecated. Use attestor.signatureAlgorithm instead.
7160									"signatureAlgorithm"?: string
7161								}
7162
7163								// Repository is an optional alternate OCI repository to use for
7164								// signatures and attestations that match this rule.
7165								// If specified Repository will override other OCI image
7166								// repository locations for this Attestor.
7167								"repository"?: string
7168
7169								// SignatureAlgorithm selects the digest algorithm used with public keys. Supported values
7170								// are sha224, sha256, sha384 and sha512; the field is typed as a plain string here, so other values are only rejected by the controller.
7171								"signatureAlgorithm"?: string
7172							}]
7173						}]
7174
7175						// DryRun configures the dry-run step of manifest verification: "enable" turns it on and "namespace" names the namespace it runs in (the dry-run semantics are defined by the controller, not by this schema).
7176						"dryRun"?: {
7177							"enable"?:    bool
7178							"namespace"?: string
7179						}
7180
7181						// Fields that are ignored while comparing manifests. Each entry names the "fields" to skip and the "objects" (group/version/kind/name/namespace) they apply to; every ignored field is excluded from the comparison, so keep this list minimal.
7182						"ignoreFields"?: [...{
7183							"fields"?: [...string]
7184							"objects"?: [...{
7185								"group"?:     string
7186								"kind"?:      string
7187								"name"?:      string
7188								"namespace"?: string
7189								"version"?:   string
7190							}]
7191						}]
7192
7193						// Repository is an optional alternate OCI repository to use for
7194						// resource bundle reference.
7195						// The repository can be overridden per Attestor or Attestation.
7196						"repository"?: string
7197					}
7198
7199					// Message specifies a custom message to be displayed on failure.
7200					"message"?: string
7201
7202					// Pattern specifies an overlay-style pattern used to check
7203					// resources.
7204					"pattern"?: null | bool | number | string | [...] | {
7205						...
7206					}
7207
7208					// PodSecurity applies exemptions for Kubernetes Pod Security
7209					// admission
7210					// by specifying exclusions for Pod Security Standards controls.
7211					"podSecurity"?: {
7212						// Exclude lists the Pod Security Standard controls that are exempted
7213						// from the selected level; each entry relaxes enforcement for the named control.
7214						"exclude"?: [...{
7215							// ControlName specifies the name of the Pod Security Standard
7216							// control.
7217							// See:
7218							// https://kubernetes.io/docs/concepts/security/pod-security-standards/
7219							"controlName"!: "HostProcess" | "Host Namespaces" | "Privileged Containers" | "Capabilities" | "HostPath Volumes" | "Host Ports" | "AppArmor" | "SELinux" | "/proc Mount Type" | "Seccomp" | "Sysctls" | "Volume Types" | "Privilege Escalation" | "Running as Non-root" | "Running as Non-root user"
7220
7221							// Images selects matching containers and applies the container
7222							// level PSS.
7223							// Each image is the image name consisting of the registry
7224							// address, repository, image, and tag.
7225							// An empty list matches no containers; PSS checks are then applied at
7226							// the pod level only.
7227							// Wildcards ('*' and '?') are allowed. See:
7228							// https://kubernetes.io/docs/concepts/containers/images.
7229							"images"?: [...string]
7230
7231							// RestrictedField selects the field for the given Pod Security
7232							// Standard control.
7233							// When not set, all restricted fields for the control are
7234							// selected.
7235							"restrictedField"?: string
7236
7237							// Values lists the field values that are exempted from the control's check.
7238							"values"?: [...string]
7239						}]
7240
7241						// Level defines the Pod Security Standard level to be applied to
7242						// workloads.
7243						// Allowed values are privileged, baseline, and restricted.
7244						"level"?: "privileged" | "baseline" | "restricted"
7245
7246						// Version defines the Pod Security Standard versions that
7247						// Kubernetes supports.
7248						// Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24,
7249						// v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest.
7250						"version"?: "v1.19" | "v1.20" | "v1.21" | "v1.22" | "v1.23" | "v1.24" | "v1.25" | "v1.26" | "v1.27" | "v1.28" | "v1.29" | "latest"
7251					}
7252				}
7253
7254				// VerifyImages is used to verify image signatures and mutate them
7255				// to add a digest
7256				"verifyImages"?: [...{
7257					// Deprecated.
7258					"additionalExtensions"?: [string]: string
7259
7260					// Deprecated. Use annotations per Attestor instead.
7261					"annotations"?: {
7262						[string]: string
7263					}
7264
7265					// Attestations are optional checks for signed in-toto Statements
7266					// used to verify the image.
7267					// See https://github.com/in-toto/attestation. Kyverno fetches
7268					// signed attestations from the
7269					// OCI registry and decodes them into a list of Statement
7270					// declarations.
7271					"attestations"?: [...{
7272						// Attestors specify the required attestors (i.e. authorities).
7273						"attestors"?: [...{
7274							// Count specifies the required number of entries that must match.
7275							// If the count is null, all entries must match
7276							// (a logical AND). If the count is 1, at least one entry must
7277							// match (a logical OR). If the count contains a
7278							// value N, then N must be less than or equal to the size of
7279							// entries, and at least N entries must match.
7280							"count"?: int & >=1
7281
7282							// Entries contains the available attestors. An attestor can be a
7283							// static key,
7284							// attributes for keyless verification, or a nested attestor
7285							// declaration.
7286							"entries"?: [...{
7287								// Annotations are used for image verification.
7288								// Every specified key-value pair must exist and match in the
7289								// verified payload.
7290								// The payload may contain other key-value pairs.
7291								"annotations"?: [string]: string
7292
7293								// Attestor is a nested set of Attestor entries used to express a more complex
7294								// set of match authorities; the nested value is left unconstrained by this schema.
7295								"attestor"?: null | bool | number | string | [...] | {
7296									...
7297								}
7298
7299								// Certificates specifies one or more certificates.
7300								"certificates"?: {
7301									// Cert is an optional PEM-encoded public certificate.
7302									"cert"?: string
7303
7304									// CertChain is an optional PEM encoded set of certificates used
7305									// to verify.
7306									"certChain"?: string
7307
7308									// CTLog (certificate timestamp log) provides a configuration for
7309									// validation of Signed Certificate
7310									// Timestamps (SCTs). If the value is unset, the default behavior
7311									// by Cosign is used.
7312									"ctlog"?: {
7313										// IgnoreSCT defines whether to use the Signed Certificate
7314										// Timestamp (SCT) log to check for a certificate
7315										// timestamp. Default is false. Set to true if this was opted out
7316										// during signing.
7317										"ignoreSCT"?: bool
7318
7319										// PubKey, if set, is used to validate SCTs against a custom
7320										// source.
7321										"pubkey"?: string
7322
7323										// TSACertChain, if set, is the PEM-encoded certificate chain file
7324										// for the RFC3161 timestamp authority. Must
7325										// contain the root CA certificate. Optionally may contain
7326										// intermediate CA certificates, and
7327										// may contain the leaf TSA certificate if not present in the
7328										// timestamp source.
7329										"tsaCertChain"?: string
7330									}
7331
7332									// Rekor provides configuration for the Rekor transparency log
7333									// service. If an empty object
7334									// is provided the public instance of Rekor
7335									// (https://rekor.sigstore.dev) is used.
7336									"rekor"?: {
7337										// IgnoreTlog, when true, skips Rekor transparency log verification for this attestor.
7338										"ignoreTlog"?: bool
7339
7340										// RekorPubKey is an optional PEM-encoded public key to use for a
7341										// custom Rekor.
7342										// If set, this will be used to validate transparency log
7343										// signatures from a custom Rekor.
7344										"pubkey"?: string
7345
7346										// URL is the address of the transparency log. Defaults to the
7347										// public Rekor log instance https://rekor.sigstore.dev.
7348										"url"?: string
7349									}
7350								}
7351
7352								// Keyless is a set of attributes used to verify a Sigstore keyless
7353								// attestor.
7354								// See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
7355								"keyless"?: {
7356									// AdditionalExtensions are certificate-extensions used for
7357									// keyless signing.
7358									"additionalExtensions"?: [string]: string
7359
7360									// CTLog (certificate timestamp log) provides a configuration for
7361									// validation of Signed Certificate
7362									// Timestamps (SCTs). If the value is unset, the default behavior
7363									// by Cosign is used.
7364									"ctlog"?: {
7365										// IgnoreSCT defines whether to use the Signed Certificate
7366										// Timestamp (SCT) log to check for a certificate
7367										// timestamp. Default is false. Set to true if this was opted out
7368										// during signing.
7369										"ignoreSCT"?: bool
7370
7371										// PubKey, if set, is used to validate SCTs against a custom
7372										// source.
7373										"pubkey"?: string
7374
7375										// TSACertChain, if set, is the PEM-encoded certificate chain file
7376										// for the RFC3161 timestamp authority. Must
7377										// contain the root CA certificate. Optionally may contain
7378										// intermediate CA certificates, and
7379										// may contain the leaf TSA certificate if not present in the
7380										// timestamp source.
7381										"tsaCertChain"?: string
7382									}
7383
7384									// Issuer is the certificate issuer used for keyless signing.
7385									"issuer"?: string
7386
7387									// IssuerRegExp is the regular expression to match certificate
7388									// issuer used for keyless signing.
7389									"issuerRegExp"?: string
7390
7391									// Rekor provides configuration for the Rekor transparency log
7392									// service. If an empty object
7393									// is provided the public instance of Rekor
7394									// (https://rekor.sigstore.dev) is used.
7395									"rekor"?: {
7396										// IgnoreTlog, when true, skips Rekor transparency log verification for this attestor.
7397										"ignoreTlog"?: bool
7398
7399										// RekorPubKey is an optional PEM-encoded public key to use for a
7400										// custom Rekor.
7401										// If set, this will be used to validate transparency log
7402										// signatures from a custom Rekor.
7403										"pubkey"?: string
7404
7405										// URL is the address of the transparency log. Defaults to the
7406										// public Rekor log instance https://rekor.sigstore.dev.
7407										"url"?: string
7408									}
7409
7410									// Roots is an optional set of PEM encoded trusted root
7411									// certificates.
7412									// If not provided, the system roots are used.
7413									"roots"?: string
7414
7415									// Subject is the verified identity used for keyless signing, for
7416									// example the email address.
7417									"subject"?: string
7418
7419									// SubjectRegExp is the regular expression to match identity used
7420									// for keyless signing, for example the email address.
7421									"subjectRegExp"?: string
7422								}
7423
7424								// Keys specifies one or more public keys.
7425								"keys"?: {
7426									// CTLog (certificate timestamp log) provides a configuration for
7427									// validation of Signed Certificate
7428									// Timestamps (SCTs). If the value is unset, the default behavior
7429									// by Cosign is used.
7430									"ctlog"?: {
7431										// IgnoreSCT defines whether to use the Signed Certificate
7432										// Timestamp (SCT) log to check for a certificate
7433										// timestamp. Default is false. Set to true if this was opted out
7434										// during signing.
7435										"ignoreSCT"?: bool
7436
7437										// PubKey, if set, is used to validate SCTs against a custom
7438										// source.
7439										"pubkey"?: string
7440
7441										// TSACertChain, if set, is the PEM-encoded certificate chain file
7442										// for the RFC3161 timestamp authority. Must
7443										// contain the root CA certificate. Optionally may contain
7444										// intermediate CA certificates, and
7445										// may contain the leaf TSA certificate if not present in the
7446										// timestamp source.
7447										"tsaCertChain"?: string
7448									}
7449
7450									// KMS provides the URI to the public key stored in a Key
7451									// Management System. See:
7452									// https://github.com/sigstore/cosign/blob/main/KMS.md
7453									"kms"?: string
7454
7455									// Keys is a set of X.509 public keys used to verify image
7456									// signatures. The keys can be directly
7457									// specified or can be a variable reference to a key specified in
7458									// a ConfigMap (see
7459									// https://kyverno.io/docs/writing-policies/variables/), or
7460									// reference a standard Kubernetes Secret
7461									// elsewhere in the cluster by specifying it in the format
7462									// "k8s://<namespace>/<secret_name>".
7463									// The named Secret must specify a key `cosign.pub` containing the
7464									// public key used for
7465									// verification, (see
7466									// https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
7467									// When multiple keys are specified each key is processed as a
7468									// separate staticKey entry
7469									// (.attestors[*].entries.keys) within the set of attestors and
7470									// the count is applied across the keys.
7471									"publicKeys"?: string
7472
7473									// Rekor provides configuration for the Rekor transparency log
7474									// service. If an empty object
7475									// is provided the public instance of Rekor
7476									// (https://rekor.sigstore.dev) is used.
7477									"rekor"?: {
7478										// IgnoreTlog, when true, skips Rekor transparency log verification for this attestor.
7479										"ignoreTlog"?: bool
7480
7481										// RekorPubKey is an optional PEM-encoded public key to use for a
7482										// custom Rekor.
7483										// If set, this will be used to validate transparency log
7484										// signatures from a custom Rekor.
7485										"pubkey"?: string
7486
7487										// URL is the address of the transparency log. Defaults to the
7488										// public Rekor log instance https://rekor.sigstore.dev.
7489										"url"?: string
7490									}
7491
7492									// Reference to a Secret resource that contains a public key
7493									"secret"?: {
7494										// Name of the secret. The provided secret must contain a key
7495										// named cosign.pub.
7496										"name"!: string
7497
7498										// Namespace name where the Secret exists.
7499										"namespace"!: string
7500									}
7501
7502									// Deprecated. Use attestor.signatureAlgorithm instead.
7503									"signatureAlgorithm"?: string
7504								}
7505
7506								// Repository is an optional alternate OCI repository to use for
7507								// signatures and attestations that match this rule.
7508								// If specified Repository will override other OCI image
7509								// repository locations for this Attestor.
7510								"repository"?: string
7511
7512								// SignatureAlgorithm selects the digest algorithm used with public keys. Supported values
7513								// are sha224, sha256, sha384 and sha512; the field is typed as a plain string here, so other values are only rejected by the controller.
7514								"signatureAlgorithm"?: string
7515							}]
7516						}]
7517
7518						// Conditions are used to verify attributes within a Predicate. If
7519						// no Conditions are specified
7520						// the attestation check is satisfied as long there are predicates
7521						// that match the predicate type.
7522						"conditions"?: [...{
7523							// AllConditions enable variable-based conditional rule execution.
7524							// This is useful for
7525							// finer control of when a rule is applied. A condition can
7526							// reference object data
7527							// using JMESPath notation.
7528							// Here, all of the conditions need to pass
7529							"all"?: [...{
7530								// Key is the context entry (using JMESPath) for conditional rule
7531								// evaluation.
7532								"key"?: null | bool | number | string | [...] | {
7533									...
7534								}
7535
7536								// Message is an optional display message
7537								"message"?: string
7538
7539								// Operator is the conditional operation to perform. Valid
7540								// operators are:
7541								// Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
7542								// GreaterThanOrEquals,
7543								// GreaterThan, LessThanOrEquals, LessThan,
7544								// DurationGreaterThanOrEquals, DurationGreaterThan,
7545								// DurationLessThanOrEquals, DurationLessThan
7546								"operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
7547
7548								// Value is the conditional value, or set of values. The values
7549								// can be a fixed set
7550								// or can be variables declared using JMESPath.
7551								"value"?: null | bool | number | string | [...] | {
7552									...
7553								}
7554							}]
7555
7556							// AnyConditions enable variable-based conditional rule execution.
7557							// This is useful for
7558							// finer control of when a rule is applied. A condition can
7559							// reference object data
7560							// using JMESPath notation.
7561							// Here, at least one of the conditions needs to pass
7562							"any"?: [...{
7563								// Key is the context entry (using JMESPath) for conditional rule
7564								// evaluation.
7565								"key"?: null | bool | number | string | [...] | {
7566									...
7567								}
7568
7569								// Message is an optional display message
7570								"message"?: string
7571
7572								// Operator is the conditional operation to perform. Valid
7573								// operators are:
7574								// Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
7575								// GreaterThanOrEquals,
7576								// GreaterThan, LessThanOrEquals, LessThan,
7577								// DurationGreaterThanOrEquals, DurationGreaterThan,
7578								// DurationLessThanOrEquals, DurationLessThan
7579								"operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
7580
7581								// Value is the conditional value, or set of values. The values
7582								// can be a fixed set
7583								// or can be variables declared using JMESPath.
7584								"value"?: null | bool | number | string | [...] | {
7585									...
7586								}
7587							}]
7588						}]
7589
7590						// Name is the variable name.
7591						"name"?: string
7592
7593						// Deprecated in favour of 'Type', to be removed soon
7594						"predicateType"?: string
7595
7596						// Type defines the type of attestation contained within the
7597						// Statement.
7598						"type"?: string
7599					}]
7600
7601				// Attestors specify the required attestors (i.e. authorities).
7602					"attestors"?: [...{
7603						// Count specifies the required number of entries that must match.
7604						// If the count is null, all entries must match
7605						// (a logical AND). If the count is 1, at least one entry must
7606						// match (a logical OR). If the count contains a
7607						// value N, then N must be less than or equal to the size of
7608						// entries, and at least N entries must match.
7609						"count"?: int & >=1
7610
7611						// Entries contains the available attestors. An attestor can be a
7612						// static key,
7613						// attributes for keyless verification, or a nested attestor
7614						// declaration.
7615						"entries"?: [...{
7616							// Annotations are used for image verification.
7617							// Every specified key-value pair must exist and match in the
7618							// verified payload.
7619							// The payload may contain other key-value pairs.
7620							"annotations"?: [string]: string
7621
7622							// Attestor is a nested set of Attestor entries used to express a more complex
7623							// set of match authorities; the nested value is left unconstrained by this schema.
7624							"attestor"?: null | bool | number | string | [...] | {
7625								...
7626							}
7627
7628							// Certificates specifies one or more certificates.
7629							"certificates"?: {
7630								// Cert is an optional PEM-encoded public certificate.
7631								"cert"?: string
7632
7633								// CertChain is an optional PEM encoded set of certificates used
7634								// to verify.
7635								"certChain"?: string
7636
7637								// CTLog (certificate timestamp log) provides a configuration for
7638								// validation of Signed Certificate
7639								// Timestamps (SCTs). If the value is unset, the default behavior
7640								// by Cosign is used.
7641								"ctlog"?: {
7642									// IgnoreSCT defines whether to use the Signed Certificate
7643									// Timestamp (SCT) log to check for a certificate
7644									// timestamp. Default is false. Set to true if this was opted out
7645									// during signing.
7646									"ignoreSCT"?: bool
7647
7648									// PubKey, if set, is used to validate SCTs against a custom
7649									// source.
7650									"pubkey"?: string
7651
7652									// TSACertChain, if set, is the PEM-encoded certificate chain file
7653									// for the RFC3161 timestamp authority. Must
7654									// contain the root CA certificate. Optionally may contain
7655									// intermediate CA certificates, and
7656									// may contain the leaf TSA certificate if not present in the
7657									// timestamurce.
7658									"tsaCertChain"?: string
7659								}
7660
7661								// Rekor provides configuration for the Rekor transparency log
7662								// service. If an empty object
7663								// is provided the public instance of Rekor
7664								// (https://rekor.sigstore.dev) is used.
7665								"rekor"?: {
7666									// IgnoreTlog skips transparency log verification.
7667									"ignoreTlog"?: bool
7668
7669									// RekorPubKey is an optional PEM-encoded public key to use for a
7670									// custom Rekor.
7671									// If set, this will be used to validate transparency log
7672									// signatures from a custom Rekor.
7673									"pubkey"?: string
7674
7675									// URL is the address of the transparency log. Defaults to the
7676									// public Rekor log instance https://rekor.sigstore.dev.
7677									"url"?: string
7678								}
7679							}
7680
7681							// Keyless is a set of attribute used to verify a Sigstore keyless
7682							// attestor.
7683							// See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
7684							"keyless"?: {
7685								// AdditionalExtensions are certificate-extensions used for
7686								// keyless signing.
7687								"additionalExtensions"?: [string]: string
7688
7689								// CTLog (certificate timestamp log) provides a configuration for
7690								// validation of Signed Certificate
7691								// Timestamps (SCTs). If the value is unset, the default behavior
7692								// by Cosign is used.
7693								"ctlog"?: {
7694									// IgnoreSCT defines whether to use the Signed Certificate
7695									// Timestamp (SCT) log to check for a certificate
7696									// timestamp. Default is false. Set to true if this was opted out
7697									// during signing.
7698									"ignoreSCT"?: bool
7699
7700									// PubKey, if set, is used to validate SCTs against a custom
7701									// source.
7702									"pubkey"?: string
7703
7704									// TSACertChain, if set, is the PEM-encoded certificate chain file
7705									// for the RFC3161 timestamp authority. Must
7706									// contain the root CA certificate. Optionally may contain
7707									// intermediate CA certificates, and
7708									// may contain the leaf TSA certificate if not present in the
7709									// timestamurce.
7710									"tsaCertChain"?: string
7711								}
7712
7713								// Issuer is the certificate issuer used for keyless signing.
7714								"issuer"?: string
7715
7716								// IssuerRegExp is the regular expression to match certificate
7717								// issuer used for keyless signing.
7718								"issuerRegExp"?: string
7719
7720								// Rekor provides configuration for the Rekor transparency log
7721								// service. If an empty object
7722								// is provided the public instance of Rekor
7723								// (https://rekor.sigstore.dev) is used.
7724								"rekor"?: {
7725									// IgnoreTlog skips transparency log verification.
7726									"ignoreTlog"?: bool
7727
7728									// RekorPubKey is an optional PEM-encoded public key to use for a
7729									// custom Rekor.
7730									// If set, this will be used to validate transparency log
7731									// signatures from a custom Rekor.
7732									"pubkey"?: string
7733
7734									// URL is the address of the transparency log. Defaults to the
7735									// public Rekor log instance https://rekor.sigstore.dev.
7736									"url"?: string
7737								}
7738
7739								// Roots is an optional set of PEM encoded trusted root
7740								// certificates.
7741								// If not provided, the system roots are used.
7742								"roots"?: string
7743
7744								// Subject is the verified identity used for keyless signing, for
7745								// example the email address.
7746								"subject"?: string
7747
7748								// SubjectRegExp is the regular expression to match identity used
7749								// for keyless signing, for example the email address.
7750								"subjectRegExp"?: string
7751							}
7752
7753							// Keys specifies one or more public keys.
7754							"keys"?: {
7755								// CTLog (certificate timestamp log) provides a configuration for
7756								// validation of Signed Certificate
7757								// Timestamps (SCTs). If the value is unset, the default behavior
7758								// by Cosign is used.
7759								"ctlog"?: {
7760									// IgnoreSCT defines whether to use the Signed Certificate
7761									// Timestamp (SCT) log to check for a certificate
7762									// timestamp. Default is false. Set to true if this was opted out
7763									// during signing.
7764									"ignoreSCT"?: bool
7765
7766									// PubKey, if set, is used to validate SCTs against a custom
7767									// source.
7768									"pubkey"?: string
7769
7770									// TSACertChain, if set, is the PEM-encoded certificate chain file
7771									// for the RFC3161 timestamp authority. Must
7772									// contain the root CA certificate. Optionally may contain
7773									// intermediate CA certificates, and
7774									// may contain the leaf TSA certificate if not present in the
7775									// timestamurce.
7776									"tsaCertChain"?: string
7777								}
7778
7779								// KMS provides the URI to the public key stored in a Key
7780								// Management System. See:
7781								// https://github.com/sigstore/cosign/blob/main/KMS.md
7782								"kms"?: string
7783
7784								// Keys is a set of X.509 public keys used to verify image
7785								// signatures. The keys can be directly
7786								// specified or can be a variable reference to a key specified in
7787								// a ConfigMap (see
7788								// https://kyverno.io/docs/writing-policies/variables/), or
7789								// reference a standard Kubernetes Secret
7790								// elsewhere in the cluster by specifying it in the format
7791								// "k8s://<namespace>/<secret_name>".
7792								// The named Secret must specify a key `cosign.pub` containing the
7793								// public key used for
7794								// verification, (see
7795								// https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
7796								// When multiple keys are specified each key is processed as a
7797								// separate staticKey entry
7798								// (.attestors[*].entries.keys) within the set of attestors and
7799								// the count is applied across the keys.
7800								"publicKeys"?: string
7801
7802								// Rekor provides configuration for the Rekor transparency log
7803								// service. If an empty object
7804								// is provided the public instance of Rekor
7805								// (https://rekor.sigstore.dev) is used.
7806								"rekor"?: {
7807									// IgnoreTlog skips transparency log verification.
7808									"ignoreTlog"?: bool
7809
7810									// RekorPubKey is an optional PEM-encoded public key to use for a
7811									// custom Rekor.
7812									// If set, this will be used to validate transparency log
7813									// signatures from a custom Rekor.
7814									"pubkey"?: string
7815
7816									// URL is the address of the transparency log. Defaults to the
7817									// public Rekor log instance https://rekor.sigstore.dev.
7818									"url"?: string
7819								}
7820
7821								// Reference to a Secret resource that contains a public key
7822								"secret"?: {
7823									// Name of the secret. The provided secret must contain a key
7824									// named cosign.pub.
7825									"name"!: string
7826
7827									// Namespace name where the Secret exists.
7828									"namespace"!: string
7829								}
7830
7831								// Deprecated. Use attestor.signatureAlgorithm instead.
7832								"signatureAlgorithm"?: string
7833							}
7834
7835							// Repository is an optional alternate OCI repository to use for
7836							// signatures and attestations that match this rule.
7837							// If specified Repository will override other OCI image
7838							// repository locations for this Attestor.
7839							"repository"?: string
7840
7841							// Specify signature algorithm for public keys. Supported values
7842							// are sha224, sha256, sha384 and sha512.
7843							"signatureAlgorithm"?: string
7844						}]
7845					}]
7846
					// CosignOCI11 enables the experimental OCI 1.1 behaviour in
					// cosign image verification.
					// Defaults to false.
					"cosignOCI11"?: bool

					// Allowed values are Audit or Enforce.
					// NOTE(review): only Enforce blocks a non-compliant admission
					// request; Audit records the result and lets it through (Kyverno's
					// usual semantics, not stated in this schema) -- confirm.
					"failureAction"?: "Audit" | "Enforce"

					// Deprecated. Use ImageReferences instead.
					"image"?: string

					// ImageReferences is a list of matching image reference patterns.
					// At least one pattern in the
					// list must match the image for the rule to apply. Each image
					// reference consists of a registry
					// address (defaults to docker.io), repository, image, and tag
					// (defaults to latest).
					// Wildcards ('*' and '?') are allowed. See:
					// https://kubernetes.io/docs/concepts/containers/images.
					// Security: an image that matches none of these patterns is not
					// verified by this rule at all. Because the registry defaults to
					// docker.io and the tag to latest, write patterns explicitly
					// (including the registry) so a similarly named image on another
					// registry does not slip past or accidentally get matched.
					"imageReferences"?: [...string]
7867
					// ImageRegistryCredentials provides credentials that will be used
					// for authentication with registry.
					// These credentials are used by the policy engine to fetch
					// manifests and signatures, not by the workload at pull time.
					"imageRegistryCredentials"?: {
						// AllowInsecureRegistry allows insecure access to a registry.
						// Security: what "insecure" covers (plain HTTP and/or unverified
						// TLS) is not stated here. Keep false outside isolated test
						// clusters; with it enabled the connection that fetches the
						// manifest and signature is open to interception.
						"allowInsecureRegistry"?: bool

						// Providers specifies a list of OCI Registry names, whose
						// authentication providers are provided.
						// It can be of one of these values:
						// default,google,azure,amazon,github.
						// The disjunction below is closed, so any other value is
						// rejected by the schema.
						"providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]

						// Secrets specifies a list of secrets that are provided for
						// credentials.
						// Secrets must live in the Kyverno namespace.
						// Names only; the Secrets themselves are read by the controller
						// at verification time.
						"secrets"?: [...string]
					}
7885
					// Deprecated. Use KeylessAttestor instead.
					"issuer"?: string

					// Deprecated. Use StaticKeyAttestor instead.
					"key"?: string

					// MutateDigest enables replacement of image tags with digests.
					// Defaults to true.
					// Security: with true the admitted object pins the digest that was
					// verified, so what runs is what was checked. With false a mutable
					// tag stays in the object and can resolve to a different,
					// unverified image at pull time (verify-then-pull race).
					"mutateDigest"?: bool

					// Repository is an optional alternate OCI repository to use for
					// image signatures and attestations that match this rule.
					// If specified Repository will override the default OCI image
					// repository configured for the installation.
					// The repository can also be overridden per Attestor or
					// Attestation.
					"repository"?: string

					// Required validates that images are verified i.e. have
					// passed a signature or attestation check.
					// NOTE(review): the default is not stated in this schema; if it is
					// false, an image matched by this rule but by no attestor is
					// presumably allowed through -- confirm before relying on it.
					"required"?: bool

					// Deprecated. Use KeylessAttestor instead.
					"roots"?: string

					// SkipImageReferences is a list of matching image reference
					// patterns that should be skipped.
					// At least one pattern in the list must match the image for the
					// rule to be skipped. Each image reference
					// consists of a registry address (defaults to docker.io),
					// repository, image, and tag (defaults to latest).
					// Wildcards ('*' and '?') are allowed. See:
					// https://kubernetes.io/docs/concepts/containers/images.
					// Security: this is an allowlist bypass of the rule; every pattern
					// here names images that will NOT be verified. Keep patterns as
					// specific as possible (registry and repository) -- a pattern such
					// as "*" disables the rule entirely.
					"skipImageReferences"?: [...string]

					// Deprecated. Use KeylessAttestor instead.
					// NOTE(review): a bare subject without an issuer constraint is
					// weaker than the keyless attestor form, which pairs the two.
					"subject"?: string

					// Type specifies the method of signature validation. The allowed
					// options
					// are Cosign, Sigstore Bundle and Notary. By default Cosign is
					// used if a type is not specified.
					"type"?: "Cosign" | "SigstoreBundle" | "Notary"

					// UseCache enables caching of image verify responses for this
					// rule.
					// NOTE(review): a cached pass is reused for later requests; cache
					// lifetime and invalidation (e.g. after key rotation or a policy
					// change) are not controlled by this field.
					"useCache"?: bool
7933
					// Validation checks conditions across multiple image
					// verification attestations or context entries
					"validate"?: {
						// Deny defines conditions used to pass or fail a validation rule.
						"deny"?: {
							// Multiple conditions can be declared under an `any` or `all`
							// statement. A direct list
							// of conditions (without `any` or `all` statements) is also
							// supported for backwards compatibility
							// but will be deprecated in the next major release.
							// See:
							// https://kyverno.io/docs/writing-policies/validate/#deny-rules
							// NOTE(review): typed as "any value" here, so the condition
							// structure is not validated by this schema.
							"conditions"?: null | bool | number | string | [...] | {
								...
							}
						}

						// Message specifies a custom message to be displayed on failure.
						"message"?: string
					}

					// VerifyDigest validates that images have a digest.
					// Rejects tag-only references; pair with `mutateDigest` so that
					// admitted objects end up digest-pinned.
					"verifyDigest"?: bool
7957				}]
7958			}]
7959		}
		// conditions is the list of status conditions reported for the
		// policy, in the standard Kubernetes Condition shape (type,
		// status, reason, message, observedGeneration, lastTransitionTime).
		"conditions"?: [...{
			// lastTransitionTime is the last time the condition transitioned
			// from one status to another.
			// This should be when the underlying condition changed. If that
			// is not known, then using the time when the API field changed
			// is acceptable.
			"lastTransitionTime"!: time.Time

			// message is a human readable message indicating details about
			// the transition.
			// This may be an empty string.
			// Bounded to 32768 runes.
			"message"!: strings.MaxRunes(
					32768)

			// observedGeneration represents the .metadata.generation that the
			// condition was set based upon.
			// For instance, if .metadata.generation is currently 12, but the
			// .status.conditions[x].observedGeneration is 9, the condition
			// is out of date
			// with respect to the current state of the instance.
			"observedGeneration"?: int64 & int & >=0

			// reason contains a programmatic identifier indicating the reason
			// for the condition's last transition.
			// Producers of specific condition types may define expected
			// values and meanings for this field,
			// and whether the values are considered a guaranteed API.
			// The value should be a CamelCase string.
			// This field may not be empty.
			// 1..1024 runes; must start with a letter and, if longer than one
			// rune, end with a letter, digit or underscore.
			"reason"!: strings.MaxRunes(
					1024) & strings.MinRunes(
					1) & =~"^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$"

			// status of the condition, one of True, False, Unknown.
			"status"!: "True" | "False" | "Unknown"

			// type of condition in CamelCase or in foo.example.com/CamelCase.
			// At most 316 runes: an optional DNS-style prefix followed by "/",
			// then a name that starts and ends with an alphanumeric rune.
			"type"!: strings.MaxRunes(
					316) & =~"^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$"
		}]
8000
		// Deprecated in favor of Conditions
		// Legacy readiness flag; read `conditions` instead.
		"ready"?: bool

		// RuleCountStatus contains four variables which describe counts
		// for
		// validate, generate, mutate and verify images rules
		// All four counts are required when the struct is present. They are
		// plain ints; the schema does not constrain them to be >= 0.
		"rulecount"?: {
			// Count for generate rules in policy
			"generate"!: int

			// Count for mutate rules in policy
			"mutate"!: int

			// Count for validate rules in policy
			"validate"!: int

			// Count for verify image rules in policy
			"verifyimages"!: int
		}

		// ValidatingAdmissionPolicy contains status information
		// about the ValidatingAdmissionPolicy derived from this policy.
		"validatingadmissionpolicy"?: {
			// Generated indicates whether a validating admission policy is
			// generated from the policy or not
			"generated"!: bool

			// Message is a human readable message indicating details about
			// the generation of validating admission policy
			// It is an empty string when validating admission policy is
			// successfully generated.
			"message"!: string
		}
8033	}
8034
	// _embeddedResource is the common Kubernetes object envelope unified
	// into #ClusterPolicy: apiVersion and kind are required, and metadata
	// is an open struct so arbitrary object metadata is accepted.
	_embeddedResource: {
		"apiVersion"!: string
		"kind"!:       string
		"metadata"?: {
			...
		}
	}
	// apiVersion and kind are pinned to concrete values, so a document
	// unified with this definition cannot claim a different group/version
	// or kind.
	apiVersion: "kyverno.io/v2beta1"
	kind:       "ClusterPolicy"
	// metadata is required and must carry a name. The struct stays open
	// (`...`) so other standard metadata fields are accepted.
	// NOTE(review): namespace is optional here; ClusterPolicy is
	// presumably cluster-scoped, in which case a namespace would be
	// ignored or rejected by the API server -- confirm and omit it.
	metadata!: {
		"name"!:      string
		"namespace"?: string
		"labels"?: {
			[string]: string
		}
		"annotations"?: {
			[string]: string
		}
		...
	}
8055}