   1package v1
   2
   3import (
   4	"strings"
   5	"time"
   6)
   7
   8// Policy declares validation, mutation, and generation behaviors
   9// for matching resources.
  10// See: https://kyverno.io/docs/writing-policies/ for more
  11// information.
  12#Policy: {
  13	_embeddedResource
  14
  15	// APIVersion defines the versioned schema of this representation
  16	// of an object.
  17	// Servers should convert recognized schemas to the latest
  18	// internal value, and
  19	// may reject unrecognized values.
  20	// More info:
  21	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  22	"apiVersion"?: string
  23
  24	// Kind is a string value representing the REST resource this
  25	// object represents.
  26	// Servers may infer this from the endpoint the client submits
  27	// requests to.
  28	// Cannot be updated.
  29	// In CamelCase.
  30	// More info:
  31	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  32	"kind"?: string
  33	"metadata"?: {}
  34
  35	// Spec defines policy behaviors and contains one or more rules.
  36	"spec"!: {
  37		// Admission controls if rules are applied during admission.
  38		// Optional. Default value is "true".
  39		"admission"?: bool
  40
  41		// ApplyRules controls how rules in a policy are applied. Rule are
  42		// processed in
  43		// the order of declaration. When set to `One` processing stops
  44		// after a rule has
  45		// been applied i.e. the rule matches and results in a pass, fail,
  46		// or error. When
  47		// set to `All` all rules in the policy are processed. The default
  48		// is `All`.
  49		"applyRules"?: "All" | "One"
  50
  51		// Background controls if rules are applied to existing resources
  52		// during a background scan.
  53		// Optional. Default value is "true". The value must be set to
  54		// "false" if the policy rule
  55		// uses variables that are only available in the admission review
  56		// request (e.g. user name).
  57		"background"?: bool
  58
  59		// EmitWarning enables API response warnings for mutate policy
  60		// rules or validate policy rules with validationFailureAction
  61		// set to Audit.
  62		// Enabling this option will extend admission request processing
  63		// times. The default value is "false".
  64		"emitWarning"?: bool
  65
  66		// Deprecated, use failurePolicy under the webhookConfiguration
  67		// instead.
  68		"failurePolicy"?: "Ignore" | "Fail"
  69
  70		// Deprecated, use generateExisting under the generate rule
  71		// instead
  72		"generateExisting"?: bool
  73
  74		// Deprecated, use generateExisting instead
  75		"generateExistingOnPolicyUpdate"?: bool
  76
  77		// Deprecated, use mutateExistingOnPolicyUpdate under the mutate
  78		// rule instead
  79		"mutateExistingOnPolicyUpdate"?: bool
  80
  81		// Rules is a list of Rule instances. A Policy contains multiple
  82		// rules and
  83		// each rule can validate, mutate, or generate resources.
  84		"rules"?: [...{
  85			// CELPreconditions are used to determine if a policy rule should
  86			// be applied by evaluating a
  87			// set of CEL conditions. It can only be used with the
  88			// validate.cel subrule
  89			"celPreconditions"?: [...{
  90				// Expression represents the expression which will be evaluated by
  91				// CEL. Must evaluate to bool.
  92				// CEL expressions have access to the contents of the
  93				// AdmissionRequest and Authorizer, organized into CEL variables:
  94				//
  95				// 'object' - The object from the incoming request. The value is
  96				// null for DELETE requests.
  97				// 'oldObject' - The existing object. The value is null for CREATE
  98				// requests.
  99				// 'request' - Attributes of the admission
 100				// request(/pkg/apis/admission/types.go#AdmissionRequest).
 101				// 'authorizer' - A CEL Authorizer. May be used to perform
 102				// authorization checks for the principal (user or service
 103				// account) of the request.
 104				// See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
 105				// 'authorizer.requestResource' - A CEL ResourceCheck constructed
 106				// from the 'authorizer' and configured with the
 107				// request resource.
 108				// Documentation on CEL:
 109				// https://kubernetes.io/docs/reference/using-api/cel/
 110				//
 111				// Required.
 112				"expression"!: string
 113
 114				// Name is an identifier for this match condition, used for
 115				// strategic merging of MatchConditions,
 116				// as well as providing an identifier for logging purposes. A good
 117				// name should be descriptive of
 118				// the associated expression.
 119				// Name must be a qualified name consisting of alphanumeric
 120				// characters, '-', '_' or '.', and
 121				// must start and end with an alphanumeric character (e.g.
 122				// 'MyName', or 'my.name', or
 123				// '123-abc', regex used for validation is
 124				// '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
 125				// optional DNS subdomain prefix and '/' (e.g.
 126				// 'example.com/MyName')
 127				//
 128				// Required.
 129				"name"!: string
 130			}]
 131
 132			// Context defines variables and data sources that can be used
 133			// during rule execution.
 134			"context"?: [...matchN(1, [{
 135				"configMap"!: _
 136			}, {
 137				"apiCall"!: _
 138			}, {
 139				"imageRegistry"!: _
 140			}, {
 141				"variable"!: _
 142			}, {
 143				"globalReference"!: _
 144			}]) & {
 145				// APICall is an HTTP request to the Kubernetes API server, or
 146				// other JSON web service.
 147				// The data returned is stored in the context with the name for
 148				// the context entry.
 149				"apiCall"?: {
 150					// The data object specifies the POST data sent to the server.
 151					// Only applicable when the method field is set to POST.
 152					"data"?: [...{
 153						// Key is a unique identifier for the data value
 154						"key"!: string
 155
 156						// Value is the data value
 157						"value"!: null | bool | number | string | [...] | {
 158							...
 159						}
 160					}]
 161
 162					// Default is an optional arbitrary JSON object that the context
 163					// value is set to, if the apiCall returns error.
 164					"default"?: null | bool | number | string | [...] | {
 165						...
 166					}
 167
 168					// JMESPath is an optional JSON Match Expression that can be used
 169					// to
 170					// transform the JSON response returned from the server. For
 171					// example
 172					// a JMESPath of "items | length(@)" applied to the API server
 173					// response
 174					// for the URLPath "/apis/apps/v1/deployments" will return the
 175					// total count
 176					// of deployments across all namespaces.
 177					"jmesPath"?: string
 178
 179					// Method is the HTTP request type (GET or POST). Defaults to GET.
 180					"method"?: "GET" | "POST"
 181
 182					// Service is an API call to a JSON web service.
 183					// This is used for non-Kubernetes API server calls.
 184					// It's mutually exclusive with the URLPath field.
 185					"service"?: {
 186						// CABundle is a PEM encoded CA bundle which will be used to
 187						// validate
 188						// the server certificate.
 189						"caBundle"?: string
 190
 191						// Headers is a list of optional HTTP headers to be included in
 192						// the request.
 193						"headers"?: [...{
 194							// Key is the header key
 195							"key"!: string
 196
 197							// Value is the header value
 198							"value"!: string
 199						}]
 200
 201						// URL is the JSON web service URL. A typical form is
 202						// `https://{service}.{namespace}:{port}/{path}`.
 203						"url"!: string
 204					}
 205
 206					// URLPath is the URL path to be used in the HTTP GET or POST
 207					// request to the
 208					// Kubernetes API server (e.g. "/api/v1/namespaces" or
 209					// "/apis/apps/v1/deployments").
 210					// The format required is the same format used by the `kubectl get
 211					// --raw` command.
 212					// See
 213					// https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
 214					// for details.
 215					// It's mutually exclusive with the Service field.
 216					"urlPath"?: string
 217				}
 218
 219				// ConfigMap is the ConfigMap reference.
 220				"configMap"?: {
 221					// Name is the ConfigMap name.
 222					"name"!: string
 223
 224					// Namespace is the ConfigMap namespace.
 225					"namespace"?: string
 226				}
 227
 228				// GlobalContextEntryReference is a reference to a cached global
 229				// context entry.
 230				"globalReference"?: {
 231					// JMESPath is an optional JSON Match Expression that can be used
 232					// to
 233					// transform the JSON response returned from the server. For
 234					// example
 235					// a JMESPath of "items | length(@)" applied to the API server
 236					// response
 237					// for the URLPath "/apis/apps/v1/deployments" will return the
 238					// total count
 239					// of deployments across all namespaces.
 240					"jmesPath"?: string
 241
 242					// Name of the global context entry
 243					"name"!: string
 244				}
 245
 246				// ImageRegistry defines requests to an OCI/Docker V2 registry to
 247				// fetch image
 248				// details.
 249				"imageRegistry"?: {
 250					// ImageRegistryCredentials provides credentials that will be used
 251					// for authentication with registry
 252					"imageRegistryCredentials"?: {
 253						// AllowInsecureRegistry allows insecure access to a registry.
 254						"allowInsecureRegistry"?: bool
 255
 256						// Providers specifies a list of OCI Registry names, whose
 257						// authentication providers are provided.
 258						// It can be of one of these values:
 259						// default,google,azure,amazon,github.
 260						"providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
 261
 262						// Secrets specifies a list of secrets that are provided for
 263						// credentials.
 264						// Secrets must live in the Kyverno namespace.
 265						"secrets"?: [...string]
 266					}
 267
 268					// JMESPath is an optional JSON Match Expression that can be used
 269					// to
 270					// transform the ImageData struct returned as a result of
 271					// processing
 272					// the image reference.
 273					"jmesPath"?: string
 274
 275					// Reference is image reference to a container image in the
 276					// registry.
 277					// Example: ghcr.io/kyverno/kyverno:latest
 278					"reference"!: string
 279				}
 280
 281				// Name is the variable name.
 282				"name"!: string
 283
 284				// Variable defines an arbitrary JMESPath context variable that
 285				// can be defined inline.
 286				"variable"?: {
 287					// Default is an optional arbitrary JSON object that the variable
 288					// may take if the JMESPath
 289					// expression evaluates to nil
 290					"default"?: null | bool | number | string | [...] | {
 291						...
 292					}
 293
 294					// JMESPath is an optional JMESPath Expression that can be used to
 295					// transform the variable.
 296					"jmesPath"?: string
 297
 298					// Value is any arbitrary JSON object representable in YAML or
 299					// JSON form.
 300					"value"?: null | bool | number | string | [...] | {
 301						...
 302					}
 303				}
 304			}]
 305
 306			// ExcludeResources defines when this policy rule should not be
 307			// applied. The exclude
 308			// criteria can include resource information (e.g. kind, name,
 309			// namespace, labels)
 310			// and admission review request information like the name or role.
 311			"exclude"?: matchN(0, [null | bool | number | string | [...] | {
 312				"any"!: _
 313				"all"!: _
 314			}]) & {
 315				// All allows specifying resources which will be ANDed
 316				"all"?: [...{
 317					// ClusterRoles is the list of cluster-wide role names for the
 318					// user.
 319					"clusterRoles"?: [...string]
 320
 321					// ResourceDescription contains information about the resource
 322					// being created or modified.
 323					"resources"?: matchN(0, [null | bool | number | string | [...] | {
 324						"name"!:  _
 325						"names"!: _
 326					}]) & {
 327						// Annotations is a map of annotations (key-value pairs of type
 328						// string). Annotation keys
 329						// and values support the wildcard characters "*" (matches zero or
 330						// many characters) and
 331						// "?" (matches at least one character).
 332						"annotations"?: [string]: string
 333
 334						// Kinds is a list of resource kinds.
 335						"kinds"?: [...string]
 336
 337						// Name is the name of the resource. The name supports wildcard
 338						// characters
 339						// "*" (matches zero or many characters) and "?" (at least one
 340						// character).
 341						// NOTE: "Name" is being deprecated in favor of "Names".
 342						"name"?: string
 343
 344						// Names are the names of the resources. Each name supports
 345						// wildcard characters
 346						// "*" (matches zero or many characters) and "?" (at least one
 347						// character).
 348						"names"?: [...string]
 349
 350						// NamespaceSelector is a label selector for the resource
 351						// namespace. Label keys and values
 352						// in `matchLabels` support the wildcard characters `*` (matches
 353						// zero or many characters)
 354						// and `?` (matches one character).Wildcards allows writing label
 355						// selectors like
 356						// ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
 357						// any key and value but
 358						// does not match an empty label set.
 359						"namespaceSelector"?: {
 360							// matchExpressions is a list of label selector requirements. The
 361							// requirements are ANDed.
 362							"matchExpressions"?: [...{
 363								// key is the label key that the selector applies to.
 364								"key"!: string
 365
 366								// operator represents a key's relationship to a set of values.
 367								// Valid operators are In, NotIn, Exists and DoesNotExist.
 368								"operator"!: string
 369
 370								// values is an array of string values. If the operator is In or
 371								// NotIn,
 372								// the values array must be non-empty. If the operator is Exists
 373								// or DoesNotExist,
 374								// the values array must be empty. This array is replaced during a
 375								// strategic
 376								// merge patch.
 377								"values"?: [...string]
 378							}]
 379
 380							// matchLabels is a map of {key,value} pairs. A single {key,value}
 381							// in the matchLabels
 382							// map is equivalent to an element of matchExpressions, whose key
 383							// field is "key", the
 384							// operator is "In", and the values array contains only "value".
 385							// The requirements are ANDed.
 386							"matchLabels"?: {
 387								[string]: string
 388							}
 389						}
 390
 391						// Namespaces is a list of namespaces names. Each name supports
 392						// wildcard characters
 393						// "*" (matches zero or many characters) and "?" (at least one
 394						// character).
 395						"namespaces"?: [...string]
 396
 397						// Operations can contain values ["CREATE, "UPDATE", "CONNECT",
 398						// "DELETE"], which are used to match a specific action.
 399						"operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
 400
 401						// Selector is a label selector. Label keys and values in
 402						// `matchLabels` support the wildcard
 403						// characters `*` (matches zero or many characters) and `?`
 404						// (matches one character).
 405						// Wildcards allows writing label selectors like
 406						// ["storage.k8s.io/*": "*"]. Note that
 407						// using ["*" : "*"] matches any key and value but does not match
 408						// an empty label set.
 409						"selector"?: {
 410							// matchExpressions is a list of label selector requirements. The
 411							// requirements are ANDed.
 412							"matchExpressions"?: [...{
 413								// key is the label key that the selector applies to.
 414								"key"!: string
 415
 416								// operator represents a key's relationship to a set of values.
 417								// Valid operators are In, NotIn, Exists and DoesNotExist.
 418								"operator"!: string
 419
 420								// values is an array of string values. If the operator is In or
 421								// NotIn,
 422								// the values array must be non-empty. If the operator is Exists
 423								// or DoesNotExist,
 424								// the values array must be empty. This array is replaced during a
 425								// strategic
 426								// merge patch.
 427								"values"?: [...string]
 428							}]
 429
 430							// matchLabels is a map of {key,value} pairs. A single {key,value}
 431							// in the matchLabels
 432							// map is equivalent to an element of matchExpressions, whose key
 433							// field is "key", the
 434							// operator is "In", and the values array contains only "value".
 435							// The requirements are ANDed.
 436							"matchLabels"?: {
 437								[string]: string
 438							}
 439						}
 440					}
 441
 442					// Roles is the list of namespaced role names for the user.
 443					"roles"?: [...string]
 444
 445					// Subjects is the list of subject names like users, user groups,
 446					// and service accounts.
 447					"subjects"?: [...{
 448						// APIGroup holds the API group of the referenced subject.
 449						// Defaults to "" for ServiceAccount subjects.
 450						// Defaults to "rbac.authorization.k8s.io" for User and Group
 451						// subjects.
 452						"apiGroup"?: string
 453
 454						// Kind of object being referenced. Values defined by this API
 455						// group are "User", "Group", and "ServiceAccount".
 456						// If the Authorizer does not recognized the kind value, the
 457						// Authorizer should report an error.
 458						"kind"!: string
 459
 460						// Name of the object being referenced.
 461						"name"!: string
 462
 463						// Namespace of the referenced object. If the object kind is
 464						// non-namespace, such as "User" or "Group", and this value is
 465						// not empty
 466						// the Authorizer should report an error.
 467						"namespace"?: string
 468					}]
 469				}]
 470
 471				// Any allows specifying resources which will be ORed
 472				"any"?: [...{
 473					// ClusterRoles is the list of cluster-wide role names for the
 474					// user.
 475					"clusterRoles"?: [...string]
 476
 477					// ResourceDescription contains information about the resource
 478					// being created or modified.
 479					"resources"?: matchN(0, [null | bool | number | string | [...] | {
 480						"name"!:  _
 481						"names"!: _
 482					}]) & {
 483						// Annotations is a map of annotations (key-value pairs of type
 484						// string). Annotation keys
 485						// and values support the wildcard characters "*" (matches zero or
 486						// many characters) and
 487						// "?" (matches at least one character).
 488						"annotations"?: [string]: string
 489
 490						// Kinds is a list of resource kinds.
 491						"kinds"?: [...string]
 492
 493						// Name is the name of the resource. The name supports wildcard
 494						// characters
 495						// "*" (matches zero or many characters) and "?" (at least one
 496						// character).
 497						// NOTE: "Name" is being deprecated in favor of "Names".
 498						"name"?: string
 499
 500						// Names are the names of the resources. Each name supports
 501						// wildcard characters
 502						// "*" (matches zero or many characters) and "?" (at least one
 503						// character).
 504						"names"?: [...string]
 505
 506						// NamespaceSelector is a label selector for the resource
 507						// namespace. Label keys and values
 508						// in `matchLabels` support the wildcard characters `*` (matches
 509						// zero or many characters)
 510						// and `?` (matches one character).Wildcards allows writing label
 511						// selectors like
 512						// ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
 513						// any key and value but
 514						// does not match an empty label set.
 515						"namespaceSelector"?: {
 516							// matchExpressions is a list of label selector requirements. The
 517							// requirements are ANDed.
 518							"matchExpressions"?: [...{
 519								// key is the label key that the selector applies to.
 520								"key"!: string
 521
 522								// operator represents a key's relationship to a set of values.
 523								// Valid operators are In, NotIn, Exists and DoesNotExist.
 524								"operator"!: string
 525
 526								// values is an array of string values. If the operator is In or
 527								// NotIn,
 528								// the values array must be non-empty. If the operator is Exists
 529								// or DoesNotExist,
 530								// the values array must be empty. This array is replaced during a
 531								// strategic
 532								// merge patch.
 533								"values"?: [...string]
 534							}]
 535
 536							// matchLabels is a map of {key,value} pairs. A single {key,value}
 537							// in the matchLabels
 538							// map is equivalent to an element of matchExpressions, whose key
 539							// field is "key", the
 540							// operator is "In", and the values array contains only "value".
 541							// The requirements are ANDed.
 542							"matchLabels"?: {
 543								[string]: string
 544							}
 545						}
 546
 547						// Namespaces is a list of namespaces names. Each name supports
 548						// wildcard characters
 549						// "*" (matches zero or many characters) and "?" (at least one
 550						// character).
 551						"namespaces"?: [...string]
 552
 553						// Operations can contain values ["CREATE, "UPDATE", "CONNECT",
 554						// "DELETE"], which are used to match a specific action.
 555						"operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
 556
 557						// Selector is a label selector. Label keys and values in
 558						// `matchLabels` support the wildcard
 559						// characters `*` (matches zero or many characters) and `?`
 560						// (matches one character).
 561						// Wildcards allows writing label selectors like
 562						// ["storage.k8s.io/*": "*"]. Note that
 563						// using ["*" : "*"] matches any key and value but does not match
 564						// an empty label set.
 565						"selector"?: {
 566							// matchExpressions is a list of label selector requirements. The
 567							// requirements are ANDed.
 568							"matchExpressions"?: [...{
 569								// key is the label key that the selector applies to.
 570								"key"!: string
 571
 572								// operator represents a key's relationship to a set of values.
 573								// Valid operators are In, NotIn, Exists and DoesNotExist.
 574								"operator"!: string
 575
 576								// values is an array of string values. If the operator is In or
 577								// NotIn,
 578								// the values array must be non-empty. If the operator is Exists
 579								// or DoesNotExist,
 580								// the values array must be empty. This array is replaced during a
 581								// strategic
 582								// merge patch.
 583								"values"?: [...string]
 584							}]
 585
 586							// matchLabels is a map of {key,value} pairs. A single {key,value}
 587							// in the matchLabels
 588							// map is equivalent to an element of matchExpressions, whose key
 589							// field is "key", the
 590							// operator is "In", and the values array contains only "value".
 591							// The requirements are ANDed.
 592							"matchLabels"?: {
 593								[string]: string
 594							}
 595						}
 596					}
 597
 598					// Roles is the list of namespaced role names for the user.
 599					"roles"?: [...string]
 600
 601					// Subjects is the list of subject names like users, user groups,
 602					// and service accounts.
 603					"subjects"?: [...{
 604						// APIGroup holds the API group of the referenced subject.
 605						// Defaults to "" for ServiceAccount subjects.
 606						// Defaults to "rbac.authorization.k8s.io" for User and Group
 607						// subjects.
 608						"apiGroup"?: string
 609
 610						// Kind of object being referenced. Values defined by this API
 611						// group are "User", "Group", and "ServiceAccount".
 612						// If the Authorizer does not recognized the kind value, the
 613						// Authorizer should report an error.
 614						"kind"!: string
 615
 616						// Name of the object being referenced.
 617						"name"!: string
 618
 619						// Namespace of the referenced object. If the object kind is
 620						// non-namespace, such as "User" or "Group", and this value is
 621						// not empty
 622						// the Authorizer should report an error.
 623						"namespace"?: string
 624					}]
 625				}]
 626
 627				// ClusterRoles is the list of cluster-wide role names for the
 628				// user.
 629				"clusterRoles"?: [...string]
 630
 631				// ResourceDescription contains information about the resource
 632				// being created or modified.
 633				// Requires at least one tag to be specified when under
 634				// MatchResources.
 635				// Specifying ResourceDescription directly under match is being
 636				// deprecated.
 637				// Please specify under "any" or "all" instead.
 638				"resources"?: matchN(0, [null | bool | number | string | [...] | {
 639					"name"!:  _
 640					"names"!: _
 641				}]) & {
 642					// Annotations is a map of annotations (key-value pairs of type
 643					// string). Annotation keys
 644					// and values support the wildcard characters "*" (matches zero or
 645					// many characters) and
 646					// "?" (matches at least one character).
 647					"annotations"?: [string]: string
 648
 649					// Kinds is a list of resource kinds.
 650					"kinds"?: [...string]
 651
 652					// Name is the name of the resource. The name supports wildcard
 653					// characters
 654					// "*" (matches zero or many characters) and "?" (at least one
 655					// character).
 656					// NOTE: "Name" is being deprecated in favor of "Names".
 657					"name"?: string
 658
 659					// Names are the names of the resources. Each name supports
 660					// wildcard characters
 661					// "*" (matches zero or many characters) and "?" (at least one
 662					// character).
 663					"names"?: [...string]
 664
 665					// NamespaceSelector is a label selector for the resource
 666					// namespace. Label keys and values
 667					// in `matchLabels` support the wildcard characters `*` (matches
 668					// zero or many characters)
 669					// and `?` (matches one character).Wildcards allows writing label
 670					// selectors like
 671					// ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
 672					// any key and value but
 673					// does not match an empty label set.
 674					"namespaceSelector"?: {
 675						// matchExpressions is a list of label selector requirements. The
 676						// requirements are ANDed.
 677						"matchExpressions"?: [...{
 678							// key is the label key that the selector applies to.
 679							"key"!: string
 680
 681							// operator represents a key's relationship to a set of values.
 682							// Valid operators are In, NotIn, Exists and DoesNotExist.
 683							"operator"!: string
 684
 685							// values is an array of string values. If the operator is In or
 686							// NotIn,
 687							// the values array must be non-empty. If the operator is Exists
 688							// or DoesNotExist,
 689							// the values array must be empty. This array is replaced during a
 690							// strategic
 691							// merge patch.
 692							"values"?: [...string]
 693						}]
 694
 695						// matchLabels is a map of {key,value} pairs. A single {key,value}
 696						// in the matchLabels
 697						// map is equivalent to an element of matchExpressions, whose key
 698						// field is "key", the
 699						// operator is "In", and the values array contains only "value".
 700						// The requirements are ANDed.
 701						"matchLabels"?: {
 702							[string]: string
 703						}
 704					}
 705
 706					// Namespaces is a list of namespaces names. Each name supports
 707					// wildcard characters
 708					// "*" (matches zero or many characters) and "?" (at least one
 709					// character).
 710					"namespaces"?: [...string]
 711
 712					// Operations can contain values ["CREATE, "UPDATE", "CONNECT",
 713					// "DELETE"], which are used to match a specific action.
 714					"operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
 715
 716					// Selector is a label selector. Label keys and values in
 717					// `matchLabels` support the wildcard
 718					// characters `*` (matches zero or many characters) and `?`
 719					// (matches one character).
 720					// Wildcards allows writing label selectors like
 721					// ["storage.k8s.io/*": "*"]. Note that
 722					// using ["*" : "*"] matches any key and value but does not match
 723					// an empty label set.
 724					"selector"?: {
 725						// matchExpressions is a list of label selector requirements. The
 726						// requirements are ANDed.
 727						"matchExpressions"?: [...{
 728							// key is the label key that the selector applies to.
 729							"key"!: string
 730
 731							// operator represents a key's relationship to a set of values.
 732							// Valid operators are In, NotIn, Exists and DoesNotExist.
 733							"operator"!: string
 734
 735							// values is an array of string values. If the operator is In or
 736							// NotIn,
 737							// the values array must be non-empty. If the operator is Exists
 738							// or DoesNotExist,
 739							// the values array must be empty. This array is replaced during a
 740							// strategic
 741							// merge patch.
 742							"values"?: [...string]
 743						}]
 744
 745						// matchLabels is a map of {key,value} pairs. A single {key,value}
 746						// in the matchLabels
 747						// map is equivalent to an element of matchExpressions, whose key
 748						// field is "key", the
 749						// operator is "In", and the values array contains only "value".
 750						// The requirements are ANDed.
 751						"matchLabels"?: {
 752							[string]: string
 753						}
 754					}
 755				}
 756
 757				// Roles is the list of namespaced role names for the user.
 758				"roles"?: [...string]
 759
 760				// Subjects is the list of subject names like users, user groups,
 761				// and service accounts.
 762				"subjects"?: [...{
 763					// APIGroup holds the API group of the referenced subject.
 764					// Defaults to "" for ServiceAccount subjects.
 765					// Defaults to "rbac.authorization.k8s.io" for User and Group
 766					// subjects.
 767					"apiGroup"?: string
 768
 769					// Kind of object being referenced. Values defined by this API
 770					// group are "User", "Group", and "ServiceAccount".
 771					// If the Authorizer does not recognized the kind value, the
 772					// Authorizer should report an error.
 773					"kind"!: string
 774
 775					// Name of the object being referenced.
 776					"name"!: string
 777
 778					// Namespace of the referenced object. If the object kind is
 779					// non-namespace, such as "User" or "Group", and this value is
 780					// not empty
 781					// the Authorizer should report an error.
 782					"namespace"?: string
 783				}]
 784			}
 785
			// Generation is used to create new resources. A generate rule
			// either clones a source resource (`clone` / `cloneList`) or
			// creates one from an inline declaration (`data`); the
			// per-element variant of the same settings lives under `foreach`.
			// NOTE(review): the schema says nothing about which identity
			// creates the generated resources — presumably the controller's
			// own service account; confirm its RBAC before allowing new
			// kinds to be generated from policies.
			"generate"?: {
				// APIVersion specifies resource apiVersion.
				"apiVersion"?: string

				// Clone specifies the source resource used to populate each
				// generated resource. At most one of Data or Clone can be
				// specified; if neither is provided, the generated resource
				// is created with default data only.
				// NOTE(review): the Data/Clone exclusivity is documented only;
				// this schema does not enforce it.
				"clone"?: {
					// Name specifies the name of the source resource.
					"name"?: string

					// Namespace specifies the source resource namespace.
					// NOTE(review): cloning across namespaces can replicate
					// sensitive resources (e.g. Secrets) into every target
					// namespace; confirm the source is meant to be that widely
					// readable.
					"namespace"?: string
				}

				// CloneList specifies the list of source resources used to
				// populate each generated resource.
				"cloneList"?: {
					// Kinds is a list of resource kinds.
					"kinds"?: [...string]

					// Namespace specifies the source resource namespace.
					"namespace"?: string

					// Selector is a label selector over the source resources.
					// Unlike the match/exclude selectors, wildcard characters
					// are not supported in `matchLabels` keys or values.
					"selector"?: {
						// matchExpressions is a list of label selector
						// requirements. The requirements are ANDed.
						"matchExpressions"?: [...{
							// key is the label key that the selector applies to.
							"key"!: string

							// operator represents a key's relationship to a set of
							// values. Valid operators are In, NotIn, Exists and
							// DoesNotExist.
							// NOTE(review): typed as a free string, so a misspelled
							// operator is not rejected by this schema.
							"operator"!: string

							// values is an array of string values. If the operator is
							// In or NotIn, the values array must be non-empty. If the
							// operator is Exists or DoesNotExist, the values array
							// must be empty. This array is replaced during a
							// strategic merge patch.
							"values"?: [...string]
						}]

						// matchLabels is a map of {key,value} pairs. A single
						// {key,value} in the matchLabels map is equivalent to an
						// element of matchExpressions whose key field is "key",
						// operator is "In", and values array contains only
						// "value". The requirements are ANDed.
						"matchLabels"?: {
							[string]: string
						}
					}
				}

				// Data provides the resource declaration used to populate each
				// generated resource. At most one of Data or Clone must be
				// specified; if neither is provided, the generated resource
				// is created with default data only.
				// NOTE(review): this is an unconstrained value (any JSON), so
				// the schema cannot validate the generated object's contents.
				"data"?: null | bool | number | string | [...] | {
					...
				}

				// ForEach applies generate rules to a list of sub-elements by
				// creating a context for each entry in the list and looping
				// over it to apply the specified logic. Each entry carries the
				// same clone/cloneList/data settings as the enclosing rule,
				// plus its own context, preconditions and target identity.
				"foreach"?: [...{
					// APIVersion specifies resource apiVersion.
					"apiVersion"?: string

					// Clone specifies the source resource used to populate each
					// generated resource. At most one of Data or Clone can be
					// specified; if neither is provided, the generated resource
					// is created with default data only.
					"clone"?: {
						// Name specifies the name of the source resource.
						"name"?: string

						// Namespace specifies the source resource namespace.
						"namespace"?: string
					}

					// CloneList specifies the list of source resources used to
					// populate each generated resource.
					"cloneList"?: {
						// Kinds is a list of resource kinds.
						"kinds"?: [...string]

						// Namespace specifies the source resource namespace.
						"namespace"?: string

						// Selector is a label selector over the source resources.
						// Wildcard characters are not supported in `matchLabels`.
						"selector"?: {
							// matchExpressions is a list of label selector
							// requirements. The requirements are ANDed.
							"matchExpressions"?: [...{
								// key is the label key that the selector applies to.
								"key"!: string

								// operator represents a key's relationship to a set of
								// values. Valid operators are In, NotIn, Exists and
								// DoesNotExist (not enforced by this schema).
								"operator"!: string

								// values is an array of string values. If the operator
								// is In or NotIn, the values array must be non-empty.
								// If the operator is Exists or DoesNotExist, the
								// values array must be empty. This array is replaced
								// during a strategic merge patch.
								"values"?: [...string]
							}]

							// matchLabels is a map of {key,value} pairs. A single
							// {key,value} in the matchLabels map is equivalent to an
							// element of matchExpressions whose key field is "key",
							// operator is "In", and values array contains only
							// "value". The requirements are ANDed.
							"matchLabels"?: {
								[string]: string
							}
						}
					}

					// Context defines variables and data sources that can be used
					// during rule execution. Exactly one of configMap, apiCall,
					// imageRegistry, variable or globalReference must be set on
					// each entry; matchN(1, ...) rejects entries with none or
					// more than one.
					"context"?: [...matchN(1, [{
						"configMap"!: _
					}, {
						"apiCall"!: _
					}, {
						"imageRegistry"!: _
					}, {
						"variable"!: _
					}, {
						"globalReference"!: _
					}]) & {
						// APICall is an HTTP request to the Kubernetes API server,
						// or other JSON web service. The data returned is stored
						// in the context under the entry's name.
						// NOTE(review): the schema does not say which credentials
						// the request carries; for `urlPath` this is presumably
						// the controller's own API-server identity — confirm
						// before letting policy authors read API-server data
						// through it.
						"apiCall"?: {
							// Data specifies the POST body sent to the server. Only
							// applicable when the method field is set to POST.
							"data"?: [...{
								// Key is a unique identifier for the data value.
								"key"!: string

								// Value is the data value (any JSON).
								"value"!: null | bool | number | string | [...] | {
									...
								}
							}]

							// Default is an optional arbitrary JSON value that the
							// context entry is set to if the apiCall returns an
							// error.
							// NOTE(review): a default turns a failed call into a
							// successful evaluation — make sure the fallback value
							// is the fail-closed one for the rule that reads it.
							"default"?: null | bool | number | string | [...] | {
								...
							}

							// JMESPath is an optional JSON Match Expression used to
							// transform the JSON response returned from the server.
							// For example "items | length(@)" applied to the API
							// server response for URLPath "/apis/apps/v1/deployments"
							// returns the total count of deployments across all
							// namespaces.
							"jmesPath"?: string

							// Method is the HTTP request type (GET or POST). Defaults
							// to GET.
							"method"?: "GET" | "POST"

							// Service is an API call to a JSON web service. This is
							// used for non-Kubernetes API server calls. It is
							// mutually exclusive with the URLPath field (documented
							// only; the schema does not enforce it).
							"service"?: {
								// CABundle is a PEM encoded CA bundle used to validate
								// the server certificate.
								// NOTE(review): optional — when omitted the schema does
								// not say what the server certificate is validated
								// against; confirm the controller's default before
								// pointing `url` at an external service.
								"caBundle"?: string

								// Headers is a list of optional HTTP headers included
								// in the request.
								// NOTE(review): values are stored in clear text in the
								// policy object; avoid embedding bearer tokens or API
								// keys here.
								"headers"?: [...{
									// Key is the header key.
									"key"!: string

									// Value is the header value.
									"value"!: string
								}]

								// URL is the JSON web service URL. A typical form is
								// `https://{service}.{namespace}:{port}/{path}`.
								// NOTE(review): typed as a plain string; the schema
								// does not restrict the scheme or the host.
								"url"!: string
							}

							// URLPath is the URL path used in the HTTP GET or POST
							// request to the Kubernetes API server (e.g.
							// "/api/v1/namespaces" or "/apis/apps/v1/deployments").
							// The format required is the same one used by
							// `kubectl get --raw`. See
							// https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
							// for details. It is mutually exclusive with the Service
							// field.
							"urlPath"?: string
						}

						// ConfigMap is the ConfigMap reference.
						"configMap"?: {
							// Name is the ConfigMap name.
							"name"!: string

							// Namespace is the ConfigMap namespace.
							"namespace"?: string
						}

						// GlobalContextEntryReference is a reference to a cached
						// global context entry.
						"globalReference"?: {
							// JMESPath is an optional JSON Match Expression used to
							// transform the referenced value.
							// NOTE(review): the upstream doc text for this field is
							// copied from apiCall (it talks about URLPath); the
							// expression is presumably applied to the cached global
							// context value — confirm.
							"jmesPath"?: string

							// Name of the global context entry.
							"name"!: string
						}

						// ImageRegistry defines requests to an OCI/Docker V2
						// registry to fetch image details.
						"imageRegistry"?: {
							// ImageRegistryCredentials provides credentials that will
							// be used for authentication with the registry.
							"imageRegistryCredentials"?: {
								// AllowInsecureRegistry allows insecure access to a
								// registry.
								// NOTE(review): leave unset/false outside test
								// clusters. The schema does not define "insecure"
								// further; confirm in the Kyverno docs whether this
								// disables TLS or TLS verification for the registry
								// connection.
								"allowInsecureRegistry"?: bool

								// Providers specifies a list of OCI Registry names
								// whose authentication providers are provided. It can
								// be one of: default, google, azure, amazon, github.
								"providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]

								// Secrets specifies a list of secrets that are
								// provided for credentials. Secrets must live in the
								// Kyverno namespace.
								// NOTE(review): any Secret in that namespace can be
								// named here by whoever may author policies; keep
								// registry credentials in dedicated Secrets.
								"secrets"?: [...string]
							}

							// JMESPath is an optional JSON Match Expression used to
							// transform the ImageData struct returned as a result of
							// processing the image reference.
							"jmesPath"?: string

							// Reference is the image reference to a container image
							// in the registry. Example: ghcr.io/kyverno/kyverno:latest
							"reference"!: string
						}

						// Name is the variable name.
						"name"!: string

						// Variable defines an arbitrary JMESPath context variable
						// that can be defined inline.
						"variable"?: {
							// Default is an optional arbitrary JSON value that the
							// variable takes if the JMESPath expression evaluates
							// to nil.
							"default"?: null | bool | number | string | [...] | {
								...
							}

							// JMESPath is an optional JMESPath expression used to
							// transform the variable.
							"jmesPath"?: string

							// Value is any arbitrary JSON value representable in
							// YAML or JSON form.
							"value"?: null | bool | number | string | [...] | {
								...
							}
						}
					}]

					// Data provides the resource declaration used to populate each
					// generated resource. At most one of Data or Clone must be
					// specified; if neither is provided, the generated resource
					// is created with default data only.
					"data"?: null | bool | number | string | [...] | {
						...
					}

					// Kind specifies resource kind.
					"kind"?: string

					// List specifies a JMESPath expression that results in one or
					// more elements to which this foreach entry is applied.
					"list"?: string

					// Name specifies the resource name.
					"name"?: string

					// Namespace specifies resource namespace.
					"namespace"?: string

					// AnyAllConditions are used to determine if a policy rule
					// should be applied by evaluating a set of conditions. The
					// declaration can contain nested `any` or `all` statements.
					// See: https://kyverno.io/docs/writing-policies/preconditions/
					// NOTE(review): the trailing `...` keeps this struct open, so
					// a misspelled key (e.g. "anny") is accepted silently rather
					// than rejected.
					"preconditions"?: {
						// AllConditions enable variable-based conditional rule
						// execution. This is useful for finer control of when a
						// rule is applied. A condition can reference object data
						// using JMESPath notation. Here, all of the conditions
						// need to pass.
						"all"?: [...{
							// Key is the context entry (using JMESPath) for
							// conditional rule evaluation.
							"key"?: null | bool | number | string | [...] | {
								...
							}

							// Message is an optional display message.
							"message"?: string

							// Operator is the conditional operation to perform.
							// Valid operators are: Equals, NotEquals, In, AnyIn,
							// AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
							// GreaterThan, LessThanOrEquals, LessThan,
							// DurationGreaterThanOrEquals, DurationGreaterThan,
							// DurationLessThanOrEquals, DurationLessThan.
							"operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"

							// Value is the conditional value, or set of values. The
							// values can be a fixed set or variables declared using
							// JMESPath.
							"value"?: null | bool | number | string | [...] | {
								...
							}
						}]

						// AnyConditions enable variable-based conditional rule
						// execution. This is useful for finer control of when a
						// rule is applied. A condition can reference object data
						// using JMESPath notation. Here, at least one of the
						// conditions needs to pass.
						"any"?: [...{
							// Key is the context entry (using JMESPath) for
							// conditional rule evaluation.
							"key"?: null | bool | number | string | [...] | {
								...
							}

							// Message is an optional display message.
							"message"?: string

							// Operator is the conditional operation to perform.
							// Valid operators are: Equals, NotEquals, In, AnyIn,
							// AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
							// GreaterThan, LessThanOrEquals, LessThan,
							// DurationGreaterThanOrEquals, DurationGreaterThan,
							// DurationLessThanOrEquals, DurationLessThan.
							"operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"

							// Value is the conditional value, or set of values. The
							// values can be a fixed set or variables declared using
							// JMESPath.
							"value"?: null | bool | number | string | [...] | {
								...
							}
						}]
						...
					}

					// UID specifies the resource uid.
					"uid"?: string
				}]

				// GenerateExisting controls whether to trigger the rule on
				// existing resources. If set to "true" the rule will be
				// triggered and applied to existing matched resources.
				"generateExisting"?: bool

				// Kind specifies resource kind.
				"kind"?: string

				// Name specifies the resource name.
				"name"?: string

				// Namespace specifies resource namespace.
				"namespace"?: string

				// OrphanDownstreamOnPolicyDelete controls whether generated
				// resources should be deleted when the rule that generated
				// them is deleted with synchronization enabled. This option is
				// only applicable to generate rules of the data type.
				// See
				// https://kyverno.io/docs/writing-policies/generate/#data-examples.
				// Defaults to "false" if not specified.
				"orphanDownstreamOnPolicyDelete"?: bool

				// Synchronize controls if generated resources should be kept
				// in-sync with their source resource. If Synchronize is set to
				// "true", changes to generated resources will be overwritten
				// with resource data from Data or the resource specified in
				// the Clone declaration.
				// Optional. Defaults to "false" if not specified.
				"synchronize"?: bool

				// UID specifies the resource uid.
				"uid"?: string
			}
1234
			// ImageExtractors defines a mapping from kinds to
			// ImageExtractorConfigs. This config is only valid for
			// verifyImages rules.
			// NOTE(review): the extractor paths decide which image references
			// a verifyImages rule sees; an image field not covered by a path
			// is presumably left unverified, so keep the mapping complete for
			// every custom kind the policy matches.
			"imageExtractors"?: {
				[string]: [...{
					// JMESPath is an optional JMESPath expression to apply to the
					// image value. This is useful when the extracted image begins
					// with a prefix like 'docker://'; the 'trim_prefix' function
					// may be used to trim it: trim_prefix(@, 'docker://').
					// Note - image digest mutation may not be used when applying
					// a JMESPath to an image.
					"jmesPath"?: string

					// Key is an optional name of the field within 'path' that will
					// be used to uniquely identify an image.
					// Note - this field MUST be unique. The schema does not enforce
					// uniqueness; it is a documented requirement only.
					"key"?: string

					// Name is the entry the image will be available under
					// 'images.<name>' in the context. If this field is not
					// defined, image entries appear under 'images.custom'.
					"name"?: string

					// Path is the path to the object containing the image field in
					// a custom resource. It should be slash-separated. Each
					// slash-separated key must be a valid YAML key or a wildcard
					// '*'. Wildcard keys are expanded in case of arrays or objects.
					"path"!: string

					// Value is an optional name of the field within 'path' that
					// points to the image URI. This is useful when a custom 'key'
					// is also defined.
					"value"?: string
				}]
			}
1274
			// MatchResources defines when this policy rule should be applied.
			// The match criteria can include resource information (e.g. kind,
			// name, namespace, labels) and admission review request
			// information like the user name or role.
			// At least one kind is required. `any` and `all` are mutually
			// exclusive: the matchN(0, ...) constraint below rejects a match
			// block that sets both.
1282			"match"!: matchN(0, [null | bool | number | string | [...] | {
1283				"any"!: _
1284				"all"!: _
1285			}]) & {
1286				// All allows specifying resources which will be ANDed
1287				"all"?: [...{
1288					// ClusterRoles is the list of cluster-wide role names for the
1289					// user.
1290					"clusterRoles"?: [...string]
1291
					// ResourceDescription contains information about the resource
					// being created or modified. `name` and `names` cannot both be
					// set (enforced by the matchN(0, ...) constraint).
1294					"resources"?: matchN(0, [null | bool | number | string | [...] | {
1295						"name"!:  _
1296						"names"!: _
1297					}]) & {
1298						// Annotations is a map of annotations (key-value pairs of type
1299						// string). Annotation keys
1300						// and values support the wildcard characters "*" (matches zero or
1301						// many characters) and
1302						// "?" (matches at least one character).
1303						"annotations"?: [string]: string
1304
1305						// Kinds is a list of resource kinds.
1306						"kinds"?: [...string]
1307
1308						// Name is the name of the resource. The name supports wildcard
1309						// characters
1310						// "*" (matches zero or many characters) and "?" (at least one
1311						// character).
1312						// NOTE: "Name" is being deprecated in favor of "Names".
1313						"name"?: string
1314
1315						// Names are the names of the resources. Each name supports
1316						// wildcard characters
1317						// "*" (matches zero or many characters) and "?" (at least one
1318						// character).
1319						"names"?: [...string]
1320
1321						// NamespaceSelector is a label selector for the resource
1322						// namespace. Label keys and values
1323						// in `matchLabels` support the wildcard characters `*` (matches
1324						// zero or many characters)
1325						// and `?` (matches one character).Wildcards allows writing label
1326						// selectors like
1327						// ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
1328						// any key and value but
1329						// does not match an empty label set.
1330						"namespaceSelector"?: {
1331							// matchExpressions is a list of label selector requirements. The
1332							// requirements are ANDed.
1333							"matchExpressions"?: [...{
1334								// key is the label key that the selector applies to.
1335								"key"!: string
1336
1337								// operator represents a key's relationship to a set of values.
1338								// Valid operators are In, NotIn, Exists and DoesNotExist.
1339								"operator"!: string
1340
1341								// values is an array of string values. If the operator is In or
1342								// NotIn,
1343								// the values array must be non-empty. If the operator is Exists
1344								// or DoesNotExist,
1345								// the values array must be empty. This array is replaced during a
1346								// strategic
1347								// merge patch.
1348								"values"?: [...string]
1349							}]
1350
1351							// matchLabels is a map of {key,value} pairs. A single {key,value}
1352							// in the matchLabels
1353							// map is equivalent to an element of matchExpressions, whose key
1354							// field is "key", the
1355							// operator is "In", and the values array contains only "value".
1356							// The requirements are ANDed.
1357							"matchLabels"?: {
1358								[string]: string
1359							}
1360						}
1361
1362						// Namespaces is a list of namespaces names. Each name supports
1363						// wildcard characters
1364						// "*" (matches zero or many characters) and "?" (at least one
1365						// character).
1366						"namespaces"?: [...string]
1367
						// Operations can contain values ["CREATE", "UPDATE", "CONNECT",
						// "DELETE"], which are used to match a specific action.
1370						"operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
1371
1372						// Selector is a label selector. Label keys and values in
1373						// `matchLabels` support the wildcard
1374						// characters `*` (matches zero or many characters) and `?`
1375						// (matches one character).
1376						// Wildcards allows writing label selectors like
1377						// ["storage.k8s.io/*": "*"]. Note that
1378						// using ["*" : "*"] matches any key and value but does not match
1379						// an empty label set.
1380						"selector"?: {
1381							// matchExpressions is a list of label selector requirements. The
1382							// requirements are ANDed.
1383							"matchExpressions"?: [...{
1384								// key is the label key that the selector applies to.
1385								"key"!: string
1386
1387								// operator represents a key's relationship to a set of values.
1388								// Valid operators are In, NotIn, Exists and DoesNotExist.
1389								"operator"!: string
1390
1391								// values is an array of string values. If the operator is In or
1392								// NotIn,
1393								// the values array must be non-empty. If the operator is Exists
1394								// or DoesNotExist,
1395								// the values array must be empty. This array is replaced during a
1396								// strategic
1397								// merge patch.
1398								"values"?: [...string]
1399							}]
1400
1401							// matchLabels is a map of {key,value} pairs. A single {key,value}
1402							// in the matchLabels
1403							// map is equivalent to an element of matchExpressions, whose key
1404							// field is "key", the
1405							// operator is "In", and the values array contains only "value".
1406							// The requirements are ANDed.
1407							"matchLabels"?: {
1408								[string]: string
1409							}
1410						}
1411					}
1412
1413					// Roles is the list of namespaced role names for the user.
1414					"roles"?: [...string]
1415
1416					// Subjects is the list of subject names like users, user groups,
1417					// and service accounts.
1418					"subjects"?: [...{
1419						// APIGroup holds the API group of the referenced subject.
1420						// Defaults to "" for ServiceAccount subjects.
1421						// Defaults to "rbac.authorization.k8s.io" for User and Group
1422						// subjects.
1423						"apiGroup"?: string
1424
1425						// Kind of object being referenced. Values defined by this API
1426						// group are "User", "Group", and "ServiceAccount".
1427						// If the Authorizer does not recognized the kind value, the
1428						// Authorizer should report an error.
1429						"kind"!: string
1430
1431						// Name of the object being referenced.
1432						"name"!: string
1433
1434						// Namespace of the referenced object. If the object kind is
1435						// non-namespace, such as "User" or "Group", and this value is
1436						// not empty
1437						// the Authorizer should report an error.
1438						"namespace"?: string
1439					}]
1440				}]
1441
1442				// Any allows specifying resources which will be ORed
1443				"any"?: [...{
1444					// ClusterRoles is the list of cluster-wide role names for the
1445					// user.
1446					"clusterRoles"?: [...string]
1447
					// ResourceDescription contains information about the resource
					// being created or modified. `name` and `names` cannot both be
					// set (enforced by the matchN(0, ...) constraint).
1450					"resources"?: matchN(0, [null | bool | number | string | [...] | {
1451						"name"!:  _
1452						"names"!: _
1453					}]) & {
1454						// Annotations is a map of annotations (key-value pairs of type
1455						// string). Annotation keys
1456						// and values support the wildcard characters "*" (matches zero or
1457						// many characters) and
1458						// "?" (matches at least one character).
1459						"annotations"?: [string]: string
1460
1461						// Kinds is a list of resource kinds.
1462						"kinds"?: [...string]
1463
1464						// Name is the name of the resource. The name supports wildcard
1465						// characters
1466						// "*" (matches zero or many characters) and "?" (at least one
1467						// character).
1468						// NOTE: "Name" is being deprecated in favor of "Names".
1469						"name"?: string
1470
1471						// Names are the names of the resources. Each name supports
1472						// wildcard characters
1473						// "*" (matches zero or many characters) and "?" (at least one
1474						// character).
1475						"names"?: [...string]
1476
1477						// NamespaceSelector is a label selector for the resource
1478						// namespace. Label keys and values
1479						// in `matchLabels` support the wildcard characters `*` (matches
1480						// zero or many characters)
1481						// and `?` (matches one character).Wildcards allows writing label
1482						// selectors like
1483						// ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
1484						// any key and value but
1485						// does not match an empty label set.
1486						"namespaceSelector"?: {
1487							// matchExpressions is a list of label selector requirements. The
1488							// requirements are ANDed.
1489							"matchExpressions"?: [...{
1490								// key is the label key that the selector applies to.
1491								"key"!: string
1492
1493								// operator represents a key's relationship to a set of values.
1494								// Valid operators are In, NotIn, Exists and DoesNotExist.
1495								"operator"!: string
1496
1497								// values is an array of string values. If the operator is In or
1498								// NotIn,
1499								// the values array must be non-empty. If the operator is Exists
1500								// or DoesNotExist,
1501								// the values array must be empty. This array is replaced during a
1502								// strategic
1503								// merge patch.
1504								"values"?: [...string]
1505							}]
1506
1507							// matchLabels is a map of {key,value} pairs. A single {key,value}
1508							// in the matchLabels
1509							// map is equivalent to an element of matchExpressions, whose key
1510							// field is "key", the
1511							// operator is "In", and the values array contains only "value".
1512							// The requirements are ANDed.
1513							"matchLabels"?: {
1514								[string]: string
1515							}
1516						}
1517
1518						// Namespaces is a list of namespaces names. Each name supports
1519						// wildcard characters
1520						// "*" (matches zero or many characters) and "?" (at least one
1521						// character).
1522						"namespaces"?: [...string]
1523
						// Operations can contain values ["CREATE", "UPDATE", "CONNECT",
						// "DELETE"], which are used to match a specific action.
1526						"operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
1527
1528						// Selector is a label selector. Label keys and values in
1529						// `matchLabels` support the wildcard
1530						// characters `*` (matches zero or many characters) and `?`
1531						// (matches one character).
1532						// Wildcards allows writing label selectors like
1533						// ["storage.k8s.io/*": "*"]. Note that
1534						// using ["*" : "*"] matches any key and value but does not match
1535						// an empty label set.
1536						"selector"?: {
1537							// matchExpressions is a list of label selector requirements. The
1538							// requirements are ANDed.
1539							"matchExpressions"?: [...{
1540								// key is the label key that the selector applies to.
1541								"key"!: string
1542
1543								// operator represents a key's relationship to a set of values.
1544								// Valid operators are In, NotIn, Exists and DoesNotExist.
1545								"operator"!: string
1546
1547								// values is an array of string values. If the operator is In or
1548								// NotIn,
1549								// the values array must be non-empty. If the operator is Exists
1550								// or DoesNotExist,
1551								// the values array must be empty. This array is replaced during a
1552								// strategic
1553								// merge patch.
1554								"values"?: [...string]
1555							}]
1556
1557							// matchLabels is a map of {key,value} pairs. A single {key,value}
1558							// in the matchLabels
1559							// map is equivalent to an element of matchExpressions, whose key
1560							// field is "key", the
1561							// operator is "In", and the values array contains only "value".
1562							// The requirements are ANDed.
1563							"matchLabels"?: {
1564								[string]: string
1565							}
1566						}
1567					}
1568
1569					// Roles is the list of namespaced role names for the user.
1570					"roles"?: [...string]
1571
1572					// Subjects is the list of subject names like users, user groups,
1573					// and service accounts.
1574					"subjects"?: [...{
1575						// APIGroup holds the API group of the referenced subject.
1576						// Defaults to "" for ServiceAccount subjects.
1577						// Defaults to "rbac.authorization.k8s.io" for User and Group
1578						// subjects.
1579						"apiGroup"?: string
1580
1581						// Kind of object being referenced. Values defined by this API
1582						// group are "User", "Group", and "ServiceAccount".
1583						// If the Authorizer does not recognized the kind value, the
1584						// Authorizer should report an error.
1585						"kind"!: string
1586
1587						// Name of the object being referenced.
1588						"name"!: string
1589
1590						// Namespace of the referenced object. If the object kind is
1591						// non-namespaced, such as "User" or "Group", and this value is
1592						// not empty,
1593						// the Authorizer should report an error.
1594						"namespace"?: string
1595					}]
1596				}]
1597
1598				// ClusterRoles is the list of cluster-wide role names for the
1599				// user.
1600				"clusterRoles"?: [...string]
1601
1602				// ResourceDescription contains information about the resource
1603				// being created or modified.
1604				// Requires at least one tag to be specified when under
1605				// MatchResources.
1606				// Specifying ResourceDescription directly under match is being
1607				// deprecated.
1608				// Please specify under "any" or "all" instead.
1609				"resources"?: matchN(0, [null | bool | number | string | [...] | {
1610					"name"!:  _
1611					"names"!: _
1612				}]) & {
1613					// Annotations is a map of annotations (key-value pairs of type
1614					// string). Annotation keys
1615					// and values support the wildcard characters "*" (matches zero or
1616					// many characters) and
1617					// "?" (matches at least one character).
1618					"annotations"?: [string]: string
1619
1620					// Kinds is a list of resource kinds.
1621					"kinds"?: [...string]
1622
1623					// Name is the name of the resource. The name supports wildcard
1624					// characters
1625					// "*" (matches zero or many characters) and "?" (at least one
1626					// character).
1627					// NOTE: "Name" is being deprecated in favor of "Names".
1628					"name"?: string
1629
1630					// Names are the names of the resources. Each name supports
1631					// wildcard characters
1632					// "*" (matches zero or many characters) and "?" (at least one
1633					// character).
1634					"names"?: [...string]
1635
1636					// NamespaceSelector is a label selector for the resource
1637					// namespace. Label keys and values
1638					// in `matchLabels` support the wildcard characters `*` (matches
1639					// zero or many characters)
1640					// and `?` (matches one character). Wildcards allow writing label
1641					// selectors like
1642					// ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
1643					// any key and value but
1644					// does not match an empty label set.
1645					"namespaceSelector"?: {
1646						// matchExpressions is a list of label selector requirements. The
1647						// requirements are ANDed.
1648						"matchExpressions"?: [...{
1649							// key is the label key that the selector applies to.
1650							"key"!: string
1651
1652							// operator represents a key's relationship to a set of values.
1653							// Valid operators are In, NotIn, Exists and DoesNotExist.
1654							"operator"!: string
1655
1656							// values is an array of string values. If the operator is In or
1657							// NotIn,
1658							// the values array must be non-empty. If the operator is Exists
1659							// or DoesNotExist,
1660							// the values array must be empty. This array is replaced during a
1661							// strategic
1662							// merge patch.
1663							"values"?: [...string]
1664						}]
1665
1666						// matchLabels is a map of {key,value} pairs. A single {key,value}
1667						// in the matchLabels
1668						// map is equivalent to an element of matchExpressions, whose key
1669						// field is "key", the
1670						// operator is "In", and the values array contains only "value".
1671						// The requirements are ANDed.
1672						"matchLabels"?: {
1673							[string]: string
1674						}
1675					}
1676
1677					// Namespaces is a list of namespaces names. Each name supports
1678					// wildcard characters
1679					// "*" (matches zero or many characters) and "?" (at least one
1680					// character).
1681					"namespaces"?: [...string]
1682
1683					// Operations can contain values ["CREATE", "UPDATE", "CONNECT",
1684					// "DELETE"], which are used to match a specific action.
1685					"operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
1686
1687					// Selector is a label selector. Label keys and values in
1688					// `matchLabels` support the wildcard
1689					// characters `*` (matches zero or many characters) and `?`
1690					// (matches one character).
1691					// Wildcards allows writing label selectors like
1692					// ["storage.k8s.io/*": "*"]. Note that
1693					// using ["*" : "*"] matches any key and value but does not match
1694					// an empty label set.
1695					"selector"?: {
1696						// matchExpressions is a list of label selector requirements. The
1697						// requirements are ANDed.
1698						"matchExpressions"?: [...{
1699							// key is the label key that the selector applies to.
1700							"key"!: string
1701
1702							// operator represents a key's relationship to a set of values.
1703							// Valid operators are In, NotIn, Exists and DoesNotExist.
1704							"operator"!: string
1705
1706							// values is an array of string values. If the operator is In or
1707							// NotIn,
1708							// the values array must be non-empty. If the operator is Exists
1709							// or DoesNotExist,
1710							// the values array must be empty. This array is replaced during a
1711							// strategic
1712							// merge patch.
1713							"values"?: [...string]
1714						}]
1715
1716						// matchLabels is a map of {key,value} pairs. A single {key,value}
1717						// in the matchLabels
1718						// map is equivalent to an element of matchExpressions, whose key
1719						// field is "key", the
1720						// operator is "In", and the values array contains only "value".
1721						// The requirements are ANDed.
1722						"matchLabels"?: {
1723							[string]: string
1724						}
1725					}
1726				}
1727
1728				// Roles is the list of namespaced role names for the user.
1729				"roles"?: [...string]
1730
1731				// Subjects is the list of subject names like users, user groups,
1732				// and service accounts.
1733				"subjects"?: [...{
1734					// APIGroup holds the API group of the referenced subject.
1735					// Defaults to "" for ServiceAccount subjects.
1736					// Defaults to "rbac.authorization.k8s.io" for User and Group
1737					// subjects.
1738					"apiGroup"?: string
1739
1740					// Kind of object being referenced. Values defined by this API
1741					// group are "User", "Group", and "ServiceAccount".
1742					// If the Authorizer does not recognize the kind value, the
1743					// Authorizer should report an error.
1744					"kind"!: string
1745
1746					// Name of the object being referenced.
1747					"name"!: string
1748
1749					// Namespace of the referenced object. If the object kind is
1750					// non-namespaced, such as "User" or "Group", and this value is
1751					// not empty,
1752					// the Authorizer should report an error.
1753					"namespace"?: string
1754				}]
1755			}
1756
1757			// Mutation is used to modify matching resources.
1758			"mutate"?: {
1759				// ForEach applies mutation rules to a list of sub-elements by
1760				// creating a context for each entry in the list and looping over
1761				// it to apply the specified logic.
1762				"foreach"?: [...{
1763					// Context defines variables and data sources that can be used
1764					// during rule execution.
1765					"context"?: [...matchN(1, [{
1766						"configMap"!: _
1767					}, {
1768						"apiCall"!: _
1769					}, {
1770						"imageRegistry"!: _
1771					}, {
1772						"variable"!: _
1773					}, {
1774						"globalReference"!: _
1775					}]) & {
1776						// APICall is an HTTP request to the Kubernetes API server, or
1777						// other JSON web service.
1778						// The data returned is stored in the context with the name for
1779						// the context entry.
1780						"apiCall"?: {
1781							// The data object specifies the POST data sent to the server.
1782							// Only applicable when the method field is set to POST.
1783							"data"?: [...{
1784								// Key is a unique identifier for the data value
1785								"key"!: string
1786
1787								// Value is the data value
1788								"value"!: null | bool | number | string | [...] | {
1789									...
1790								}
1791							}]
1792
1793							// Default is an optional arbitrary JSON object that the context
1794							// value is set to if the apiCall returns an error.
1795							"default"?: null | bool | number | string | [...] | {
1796								...
1797							}
1798
1799							// JMESPath is an optional JSON Match Expression that can be used
1800							// to
1801							// transform the JSON response returned from the server. For
1802							// example
1803							// a JMESPath of "items | length(@)" applied to the API server
1804							// response
1805							// for the URLPath "/apis/apps/v1/deployments" will return the
1806							// total count
1807							// of deployments across all namespaces.
1808							"jmesPath"?: string
1809
1810							// Method is the HTTP request type (GET or POST). Defaults to GET.
1811							"method"?: "GET" | "POST"
1812
1813							// Service is an API call to a JSON web service.
1814							// This is used for non-Kubernetes API server calls.
1815							// It's mutually exclusive with the URLPath field.
1816							"service"?: {
1817								// CABundle is a PEM encoded CA bundle which will be used to
1818								// validate
1819								// the server certificate.
1820								"caBundle"?: string
1821
1822								// Headers is a list of optional HTTP headers to be included in
1823								// the request.
1824								"headers"?: [...{
1825									// Key is the header key
1826									"key"!: string
1827
1828									// Value is the header value
1829									"value"!: string
1830								}]
1831
1832								// URL is the JSON web service URL. A typical form is
1833								// `https://{service}.{namespace}:{port}/{path}`.
1834								"url"!: string
1835							}
1836
1837							// URLPath is the URL path to be used in the HTTP GET or POST
1838							// request to the
1839							// Kubernetes API server (e.g. "/api/v1/namespaces" or
1840							// "/apis/apps/v1/deployments").
1841							// The format required is the same format used by the `kubectl get
1842							// --raw` command.
1843							// See
1844							// https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
1845							// for details.
1846							// It's mutually exclusive with the Service field.
1847							"urlPath"?: string
1848						}
1849
1850						// ConfigMap is the ConfigMap reference.
1851						"configMap"?: {
1852							// Name is the ConfigMap name.
1853							"name"!: string
1854
1855							// Namespace is the ConfigMap namespace.
1856							"namespace"?: string
1857						}
1858
1859						// GlobalContextEntryReference is a reference to a cached global
1860						// context entry.
1861						"globalReference"?: {
1862							// JMESPath is an optional JSON Match Expression that can be used
1863							// to
1864							// transform the JSON response returned from the server. For
1865							// example
1866							// a JMESPath of "items | length(@)" applied to the API server
1867							// response
1868							// for the URLPath "/apis/apps/v1/deployments" will return the
1869							// total count
1870							// of deployments across all namespaces.
1871							"jmesPath"?: string
1872
1873							// Name of the global context entry
1874							"name"!: string
1875						}
1876
1877						// ImageRegistry defines requests to an OCI/Docker V2 registry to
1878						// fetch image
1879						// details.
1880						"imageRegistry"?: {
1881							// ImageRegistryCredentials provides credentials that will be used
1882								// for authentication with the registry.
1883							"imageRegistryCredentials"?: {
1884								// AllowInsecureRegistry allows insecure access to a registry.
1885								"allowInsecureRegistry"?: bool
1886
1887								// Providers specifies a list of OCI Registry names, whose
1888								// authentication providers are provided.
1889								// It can be one of these values:
1890								// default, google, azure, amazon, github.
1891								"providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
1892
1893								// Secrets specifies a list of secrets that are provided for
1894								// credentials.
1895								// Secrets must live in the Kyverno namespace.
1896								"secrets"?: [...string]
1897							}
1898
1899							// JMESPath is an optional JSON Match Expression that can be used
1900							// to
1901							// transform the ImageData struct returned as a result of
1902							// processing
1903							// the image reference.
1904							"jmesPath"?: string
1905
1906							// Reference is an image reference to a container image in the
1907							// registry.
1908							// Example: ghcr.io/kyverno/kyverno:latest
1909							"reference"!: string
1910						}
1911
1912						// Name is the variable name.
1913						"name"!: string
1914
1915						// Variable defines an arbitrary JMESPath context variable that
1916						// can be defined inline.
1917						"variable"?: {
1918							// Default is an optional arbitrary JSON object that the variable
1919							// may take if the JMESPath
1920							// expression evaluates to nil
1921							"default"?: null | bool | number | string | [...] | {
1922								...
1923							}
1924
1925							// JMESPath is an optional JMESPath Expression that can be used to
1926							// transform the variable.
1927							"jmesPath"?: string
1928
1929							// Value is any arbitrary JSON object representable in YAML or
1930							// JSON form.
1931							"value"?: null | bool | number | string | [...] | {
1932								...
1933							}
1934						}
1935					}]
1936
1937					// Foreach declares a nested foreach iterator
1938					"foreach"?: null | bool | number | string | [...] | {
1939						...
1940					}
1941
1942					// List specifies a JMESPath expression that results in one or
1943					// more elements
1944					// to which the validation logic is applied.
1945					"list"?: string
1946
1947					// Order defines the iteration order on the list.
1948					// Can be Ascending to iterate from the first to the last element, or
1949					// Descending to iterate from the last to the first element.
1950					"order"?: "Ascending" | "Descending"
1951
1952					// PatchStrategicMerge is a strategic merge patch used to modify
1953					// resources.
1954					// See
1955					// https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
1956					// and
1957					// https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
1958					"patchStrategicMerge"?: null | bool | number | string | [...] | {
1959						...
1960					}
1961
1962					// PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations
1963					// used to modify resources.
1964					// See https://tools.ietf.org/html/rfc6902 and
1965					// https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
1966					"patchesJson6902"?: string
1967
1968					// AnyAllConditions are used to determine if a policy rule should
1969					// be applied by evaluating a
1970					// set of conditions. The declaration can contain nested `any` or
1971					// `all` statements.
1972					// See: https://kyverno.io/docs/writing-policies/preconditions/
1973					"preconditions"?: {
1974						// AllConditions enable variable-based conditional rule execution.
1975						// This is useful for
1976						// finer control of when a rule is applied. A condition can
1977						// reference object data
1978						// using JMESPath notation.
1979						// Here, all of the conditions need to pass
1980						"all"?: [...{
1981							// Key is the context entry (using JMESPath) for conditional rule
1982							// evaluation.
1983							"key"?: null | bool | number | string | [...] | {
1984								...
1985							}
1986
1987							// Message is an optional display message
1988							"message"?: string
1989
1990							// Operator is the conditional operation to perform. Valid
1991							// operators are:
1992							// Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
1993							// GreaterThanOrEquals,
1994							// GreaterThan, LessThanOrEquals, LessThan,
1995							// DurationGreaterThanOrEquals, DurationGreaterThan,
1996							// DurationLessThanOrEquals, DurationLessThan
1997							"operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
1998
1999							// Value is the conditional value, or set of values. The values
2000							// can be fixed set
2001							// or can be variables declared using JMESPath.
2002							"value"?: null | bool | number | string | [...] | {
2003								...
2004							}
2005						}]
2006
2007						// AnyConditions enable variable-based conditional rule execution.
2008						// This is useful for
2009						// finer control of when a rule is applied. A condition can
2010						// reference object data
2011						// using JMESPath notation.
2012						// Here, at least one of the conditions needs to pass
2013						"any"?: [...{
2014							// Key is the context entry (using JMESPath) for conditional rule
2015							// evaluation.
2016							"key"?: null | bool | number | string | [...] | {
2017								...
2018							}
2019
2020							// Message is an optional display message
2021							"message"?: string
2022
2023							// Operator is the conditional operation to perform. Valid
2024							// operators are:
2025							// Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
2026							// GreaterThanOrEquals,
2027							// GreaterThan, LessThanOrEquals, LessThan,
2028							// DurationGreaterThanOrEquals, DurationGreaterThan,
2029							// DurationLessThanOrEquals, DurationLessThan
2030							"operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
2031
2032							// Value is the conditional value, or set of values. The values
2033							// can be fixed set
2034							// or can be variables declared using JMESPath.
2035							"value"?: null | bool | number | string | [...] | {
2036								...
2037							}
2038						}]
2039						...
2040					}
2041				}]
2042
2043				// MutateExistingOnPolicyUpdate controls if the mutateExisting
2044				// rule will be applied on policy events.
2045				"mutateExistingOnPolicyUpdate"?: bool
2046
2047				// PatchStrategicMerge is a strategic merge patch used to modify
2048				// resources.
2049				// See
2050				// https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
2051				// and
2052				// https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
2053				"patchStrategicMerge"?: null | bool | number | string | [...] | {
2054					...
2055				}
2056
2057				// PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations
2058				// used to modify resources.
2059				// See https://tools.ietf.org/html/rfc6902 and
2060				// https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
2061				"patchesJson6902"?: string
2062
2063				// Targets defines the target resources to be mutated.
2064				"targets"?: [...{
2065					// APIVersion specifies resource apiVersion.
2066					"apiVersion"?: string
2067
2068					// Context defines variables and data sources that can be used
2069					// during rule execution.
2070					"context"?: [...matchN(1, [{
2071						"configMap"!: _
2072					}, {
2073						"apiCall"!: _
2074					}, {
2075						"imageRegistry"!: _
2076					}, {
2077						"variable"!: _
2078					}, {
2079						"globalReference"!: _
2080					}]) & {
2081						// APICall is an HTTP request to the Kubernetes API server, or
2082						// other JSON web service.
2083						// The data returned is stored in the context with the name for
2084						// the context entry.
2085						"apiCall"?: {
2086							// The data object specifies the POST data sent to the server.
2087							// Only applicable when the method field is set to POST.
2088							"data"?: [...{
2089								// Key is a unique identifier for the data value
2090								"key"!: string
2091
2092								// Value is the data value
2093								"value"!: null | bool | number | string | [...] | {
2094									...
2095								}
2096							}]
2097
2098							// Default is an optional arbitrary JSON object that the context
2099							// value is set to if the apiCall returns an error.
2100							"default"?: null | bool | number | string | [...] | {
2101								...
2102							}
2103
2104							// JMESPath is an optional JSON Match Expression that can be used
2105							// to
2106							// transform the JSON response returned from the server. For
2107							// example
2108							// a JMESPath of "items | length(@)" applied to the API server
2109							// response
2110							// for the URLPath "/apis/apps/v1/deployments" will return the
2111							// total count
2112							// of deployments across all namespaces.
2113							"jmesPath"?: string
2114
2115							// Method is the HTTP request type (GET or POST). Defaults to GET.
2116							"method"?: "GET" | "POST"
2117
2118							// Service is an API call to a JSON web service.
2119							// This is used for non-Kubernetes API server calls.
2120							// It's mutually exclusive with the URLPath field.
2121							"service"?: {
2122								// CABundle is a PEM encoded CA bundle which will be used to
2123								// validate
2124								// the server certificate.
2125								"caBundle"?: string
2126
2127								// Headers is a list of optional HTTP headers to be included in
2128								// the request.
2129								"headers"?: [...{
2130									// Key is the header key
2131									"key"!: string
2132
2133									// Value is the header value
2134									"value"!: string
2135								}]
2136
2137								// URL is the JSON web service URL. A typical form is
2138								// `https://{service}.{namespace}:{port}/{path}`.
2139								"url"!: string
2140							}
2141
2142							// URLPath is the URL path to be used in the HTTP GET or POST
2143							// request to the
2144							// Kubernetes API server (e.g. "/api/v1/namespaces" or
2145							// "/apis/apps/v1/deployments").
2146							// The format required is the same format used by the `kubectl get
2147							// --raw` command.
2148							// See
2149							// https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
2150							// for details.
2151							// It's mutually exclusive with the Service field.
2152							"urlPath"?: string
2153						}
2154
2155						// ConfigMap is the ConfigMap reference.
2156						"configMap"?: {
2157							// Name is the ConfigMap name.
2158							"name"!: string
2159
2160							// Namespace is the ConfigMap namespace.
2161							"namespace"?: string
2162						}
2163
2164						// GlobalContextEntryReference is a reference to a cached global
2165						// context entry.
2166						"globalReference"?: {
2167							// JMESPath is an optional JSON Match Expression that can be used
2168							// to
2169							// transform the JSON response returned from the server. For
2170							// example
2171							// a JMESPath of "items | length(@)" applied to the API server
2172							// response
2173							// for the URLPath "/apis/apps/v1/deployments" will return the
2174							// total count
2175							// of deployments across all namespaces.
2176							"jmesPath"?: string
2177
2178							// Name of the global context entry
2179							"name"!: string
2180						}
2181
2182						// ImageRegistry defines requests to an OCI/Docker V2 registry to
2183						// fetch image
2184						// details.
2185						"imageRegistry"?: {
2186							// ImageRegistryCredentials provides credentials that will be used
2187								// for authentication with the registry.
2188							"imageRegistryCredentials"?: {
2189								// AllowInsecureRegistry allows insecure access to a registry.
2190								"allowInsecureRegistry"?: bool
2191
2192								// Providers specifies a list of OCI Registry names, whose
2193								// authentication providers are provided.
2194								// It can be one of these values:
2195								// default, google, azure, amazon, github.
2196								"providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
2197
2198								// Secrets specifies a list of secrets that are provided for
2199								// credentials.
2200								// Secrets must live in the Kyverno namespace.
2201								"secrets"?: [...string]
2202							}
2203
2204							// JMESPath is an optional JSON Match Expression that can be used
2205							// to
2206							// transform the ImageData struct returned as a result of
2207							// processing
2208							// the image reference.
2209							"jmesPath"?: string
2210
2211							// Reference is an image reference to a container image in the
2212							// registry.
2213							// Example: ghcr.io/kyverno/kyverno:latest
2214							"reference"!: string
2215						}
2216
2217						// Name is the variable name.
2218						"name"!: string
2219
2220						// Variable defines an arbitrary JMESPath context variable that
2221						// can be defined inline.
2222						"variable"?: {
2223							// Default is an optional arbitrary JSON object that the variable
2224							// may take if the JMESPath
2225							// expression evaluates to nil
2226							"default"?: null | bool | number | string | [...] | {
2227								...
2228							}
2229
2230							// JMESPath is an optional JMESPath Expression that can be used to
2231							// transform the variable.
2232							"jmesPath"?: string
2233
2234							// Value is any arbitrary JSON object representable in YAML or
2235							// JSON form.
2236							"value"?: null | bool | number | string | [...] | {
2237								...
2238							}
2239						}
2240					}]
2241
2242					// Kind specifies resource kind.
2243					"kind"?: string
2244
2245					// Name specifies the resource name.
2246					"name"?: string
2247
2248					// Namespace specifies resource namespace.
2249					"namespace"?: string
2250
2251					// Preconditions are used to determine if a policy rule should be
2252					// applied by evaluating a
2253					// set of conditions. The declaration can contain nested `any` or
2254					// `all` statements. A direct list
2255					// of conditions (without `any` or `all` statements) is supported
2256					// for backwards compatibility but
2257					// will be deprecated in the next major release.
2258					// See: https://kyverno.io/docs/writing-policies/preconditions/
2259					"preconditions"?: null | bool | number | string | [...] | {
2260						...
2261					}
2262
2263					// Selector allows you to select target resources with their
2264					// labels.
2265					"selector"?: {
2266						// matchExpressions is a list of label selector requirements. The
2267						// requirements are ANDed.
2268						"matchExpressions"?: [...{
2269							// key is the label key that the selector applies to.
2270							"key"!: string
2271
2272							// operator represents a key's relationship to a set of values.
2273							// Valid operators are In, NotIn, Exists and DoesNotExist.
2274							"operator"!: string
2275
2276							// values is an array of string values. If the operator is In or
2277							// NotIn,
2278							// the values array must be non-empty. If the operator is Exists
2279							// or DoesNotExist,
2280							// the values array must be empty. This array is replaced during a
2281							// strategic
2282							// merge patch.
2283							"values"?: [...string]
2284						}]
2285
2286						// matchLabels is a map of {key,value} pairs. A single {key,value}
2287						// in the matchLabels
2288						// map is equivalent to an element of matchExpressions, whose key
2289						// field is "key", the
2290						// operator is "In", and the values array contains only "value".
2291						// The requirements are ANDed.
2292						"matchLabels"?: {
2293							[string]: string
2294						}
2295					}
2296
2297					// UID specifies the resource uid.
2298					"uid"?: string
2299				}]
2300			}
2301
2302			// Name is a label to identify the rule. It must be unique within
2303			// the policy.
2304			"name"!: strings.MaxRunes(
2305					63)
2306
2307			// Preconditions are used to determine if a policy rule should be
2308			// applied by evaluating a
2309			// set of conditions. The declaration can contain nested `any` or
2310			// `all` statements. A direct list
2311			// of conditions (without `any` or `all` statements) is supported
2312			// for backwards compatibility but
2313			// will be deprecated in the next major release.
2314			// See: https://kyverno.io/docs/writing-policies/preconditions/
2315			"preconditions"?: null | bool | number | string | [...] | {
2316				...
2317			}
2318
2319			// ReportProperties are the additional properties from the rule
2320			// that will be added to the policy report result
2321			"reportProperties"?: {
2322				[string]: string
2323			}
2324
2325			// SkipBackgroundRequests bypasses admission requests that are
2326			// sent by the background controller.
2327			// The default value is "true"; it must be set to "false"
2328			// to apply
2329			// generate and mutateExisting rules to those requests.
2330			"skipBackgroundRequests"?: bool
2331
2332			// Validation is used to validate matching resources.
2333			"validate"?: {
2334				// AllowExistingViolations allows preexisting violating resources
2335				// to continue violating a policy.
2336				"allowExistingViolations"?: bool
2337
2338				// AnyPattern specifies list of validation patterns. At least one
2339				// of the patterns
2340				// must be satisfied for the validation rule to succeed.
2341				"anyPattern"?: null | bool | number | string | [...] | {
2342					...
2343				}
2344
2345				// Assert defines a kyverno-json assertion tree.
2346				"assert"?: {
2347					...
2348				}
2349
2350				// CEL allows validation checks using the Common Expression
2351				// Language
2352				// (https://kubernetes.io/docs/reference/using-api/cel/).
2353				"cel"?: {
2354					// AuditAnnotations contains CEL expressions which are used to
2355					// produce audit annotations for the audit event of the API
2356					// request.
2357					"auditAnnotations"?: [...{
2358						// key specifies the audit annotation key. The audit annotation
2359						// keys of
2360						// a ValidatingAdmissionPolicy must be unique. The key must be a
2361						// qualified
2362						// name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in
2363						// length.
2364						//
2365						// The key is combined with the resource name of the
2366						// ValidatingAdmissionPolicy to construct an audit annotation key:
2367						// "{ValidatingAdmissionPolicy name}/{key}".
2368						//
2369						// If an admission webhook uses the same resource name as this
2370						// ValidatingAdmissionPolicy
2371						// and the same audit annotation key, the annotation key will be
2372						// identical.
2373						// In this case, the first annotation written with the key will be
2374						// included
2375						// in the audit event and all subsequent annotations with the same
2376						// key
2377						// will be discarded.
2378						//
2379						// Required.
2380						"key"!: string
2381
2382						// valueExpression represents the expression which is evaluated by
2383						// CEL to
2384						// produce an audit annotation value. The expression must evaluate
2385						// to either
2386						// a string or null value. If the expression evaluates to a
2387						// string, the
2388						// audit annotation is included with the string value. If the
2389						// expression
2390						// evaluates to null or empty string the audit annotation will be
2391						// omitted.
2392						// The valueExpression may be no longer than 5kb in length.
2393						// If the result of the valueExpression is more than 10kb in
2394						// length, it
2395						// will be truncated to 10kb.
2396						//
2397						// If multiple ValidatingAdmissionPolicyBinding resources match an
2398						// API request, then the valueExpression will be evaluated for
2399						// each binding. All unique values produced by the
2400						// valueExpressions
2401						// will be joined together in a comma-separated list.
2402						//
2403						// Required.
2404						"valueExpression"!: string
2405					}]
2406
2407					// Expressions is a list of CELExpression types.
2408					"expressions"?: [...{
2409						// Expression represents the expression which will be evaluated by
2410						// CEL.
2411						// ref: https://github.com/google/cel-spec
2412						// CEL expressions have access to the contents of the API
2413						// request/response, organized into CEL variables as well as some
2414						// other useful variables:
2415						//
2416						// - 'object' - The object from the incoming request. The value is
2417						// null for DELETE requests.
2418						// - 'oldObject' - The existing object. The value is null for
2419						// CREATE requests.
2420						// - 'request' - Attributes of the API
2421						// request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
2422						// - 'params' - Parameter resource referred to by the policy
2423						// binding being evaluated. Only populated if the policy has a
2424						// ParamKind.
2425						// - 'namespaceObject' - The namespace object that the incoming
2426						// object belongs to. The value is null for cluster-scoped
2427						// resources.
2428						// - 'variables' - Map of composited variables, from its name to
2429						// its lazily evaluated value.
2430						// For example, a variable named 'foo' can be accessed as
2431						// 'variables.foo'.
2432						// - 'authorizer' - A CEL Authorizer. May be used to perform
2433						// authorization checks for the principal (user or service
2434						// account) of the request.
2435						// See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
2436						// - 'authorizer.requestResource' - A CEL ResourceCheck
2437						// constructed from the 'authorizer' and configured with the
2438						// request resource.
2439						//
2440						// The `apiVersion`, `kind`, `metadata.name` and
2441						// `metadata.generateName` are always accessible from the root of
2442						// the
2443						// object. No other metadata properties are accessible.
2444						//
2445						// Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
2446						// are accessible.
2447						// Accessible property names are escaped according to the
2448						// following rules when accessed in the expression:
2449						// - '__' escapes to '__underscores__'
2450						// - '.' escapes to '__dot__'
2451						// - '-' escapes to '__dash__'
2452						// - '/' escapes to '__slash__'
2453						// - Property names that exactly match a CEL RESERVED keyword
2454						// escape to '__{keyword}__'. The keywords are:
2455						// "true", "false", "null", "in", "as", "break", "const",
2456						// "continue", "else", "for", "function", "if",
2457						// "import", "let", "loop", "package", "namespace", "return".
2458						// Examples:
2459						// - Expression accessing a property named "namespace":
2460						// {"Expression": "object.__namespace__ > 0"}
2461						// - Expression accessing a property named "x-prop":
2462						// {"Expression": "object.x__dash__prop > 0"}
2463						// - Expression accessing a property named "redact__d":
2464						// {"Expression": "object.redact__underscores__d > 0"}
2465						//
2466						// Equality on arrays with list type of 'set' or 'map' ignores
2467						// element order, i.e. [1, 2] == [2, 1].
2468						// Concatenation on arrays with x-kubernetes-list-type use the
2469						// semantics of the list type:
2470						// - 'set': `X + Y` performs a union where the array positions of
2471						// all elements in `X` are preserved and
2472						// non-intersecting elements in `Y` are appended, retaining their
2473						// partial order.
2474						// - 'map': `X + Y` performs a merge where the array positions of
2475						// all keys in `X` are preserved but the values
2476						// are overwritten by values in `Y` when the key sets of `X` and
2477						// `Y` intersect. Elements in `Y` with
2478						// non-intersecting keys are appended, retaining their partial
2479						// order.
2480						// Required.
2481						"expression"!: string
2482
2483						// Message represents the message displayed when validation fails.
2484						// The message is required if the Expression contains
2485						// line breaks. The message must not contain line breaks.
2486						// If unset, the message is "failed rule: {Rule}".
2487						// e.g. "must be a URL with the host matching spec.host"
2488						// If the Expression contains line breaks. Message is required.
2489						// The message must not contain line breaks.
2490						// If unset, the message is "failed Expression: {Expression}".
2491						"message"?: string
2492
2493						// messageExpression declares a CEL expression that evaluates to
2494						// the validation failure message that is returned when this rule
2495						// fails.
2496						// Since messageExpression is used as a failure message, it must
2497						// evaluate to a string.
2498						// If both message and messageExpression are present on a
2499						// validation, then messageExpression will be used if validation
2500						// fails.
2501						// If messageExpression results in a runtime error, the runtime
2502						// error is logged, and the validation failure message is
2503						// produced
2504						// as if the messageExpression field were unset. If
2505						// messageExpression evaluates to an empty string, a string with
2506						// only spaces, or a string
2507						// that contains line breaks, then the validation failure message
2508						// will also be produced as if the messageExpression field were
2509						// unset, and
2510						// the fact that messageExpression produced an empty string/string
2511						// with only spaces/string with line breaks will be logged.
2512						// messageExpression has access to all the same variables as the
2513						// `expression` except for 'authorizer' and
2514						// 'authorizer.requestResource'.
2515						// Example:
2516						// "object.x must be less than max ("+string(params.max)+")"
2517						"messageExpression"?: string
2518
2519						// Reason represents a machine-readable description of why this
2520						// validation failed.
2521						// If this is the first validation in the list to fail, this
2522						// reason, as well as the
2523						// corresponding HTTP response code, are used in the
2524						// HTTP response to the client.
2525						// The currently supported reasons are: "Unauthorized",
2526						// "Forbidden", "Invalid", "RequestEntityTooLarge".
2527						// If not set, StatusReasonInvalid is used in the response to the
2528						// client. NOTE(review): typed as plain string here, so this schema does not reject unsupported reasons.
2529						"reason"?: string
2530					}]
2531
2532					// ParamKind is a tuple of Group Kind and Version.
2533					"paramKind"?: {
2534						// APIVersion is the API group version the resources belong to.
2535						// In format of "group/version".
2536						// Required by the API server. NOTE(review): this schema marks the field optional ("?"), so a missing value passes here.
2537						"apiVersion"?: string
2538
2539						// Kind is the API kind the resources belong to.
2540						// Required by the API server. NOTE(review): this schema marks the field optional ("?"), so a missing value passes here.
2541						"kind"?: string
2542					}
2543
2544					// ParamRef references a parameter resource.
2545					"paramRef"?: {
2546						// name is the name of the resource being referenced.
2547						//
2548						// One of `name` or `selector` must be set, but `name` and
2549						// `selector` are
2550						// mutually exclusive properties. If one is set, the other must be
2551						// unset.
2552						//
2553						// A single parameter used for all admission requests can be
2554						// configured
2555						// by setting the `name` field, leaving `selector` blank, and
2556						// setting namespace
2557						// if `paramKind` is namespace-scoped.
2558						"name"?: string
2559
2560						// namespace is the namespace of the referenced resource. Allows
2561						// limiting
2562						// the search for params to a specific namespace. Applies to both
2563						// `name` and
2564						// `selector` fields.
2565						//
2566						// A per-namespace parameter may be used by specifying a
2567						// namespace-scoped
2568						// `paramKind` in the policy and leaving this field empty.
2569						//
2570						// - If `paramKind` is cluster-scoped, this field MUST be unset.
2571						// Setting this
2572						// field results in a configuration error.
2573						//
2574						// - If `paramKind` is namespace-scoped, the namespace of the
2575						// object being
2576						// evaluated for admission will be used when this field is left
2577						// unset. Take
2578						// care that if this is left empty the binding must not match any
2579						// cluster-scoped
2580						// resources, which will result in an error.
2581						"namespace"?: string
2582
2583						// `parameterNotFoundAction` controls the behavior of the binding
2584						// when the resource
2585						// exists, and name or selector is valid, but there are no
2586						// parameters
2587						// matched by the binding. If the value is set to `Allow`, then no
2588						// matched parameters will be treated as successful validation by
2589						// the binding (the binding fails open for that request).
2590						// If set to `Deny`, then no matched parameters will be subject to
2591						// the
2592						// `failurePolicy` of the policy.
2593						//
2594						// Allowed values are `Allow` or `Deny`. NOTE(review): typed as plain string here, so this schema does not enforce that set.
2595						//
2596						// Required by the API server. NOTE(review): this schema marks the field optional ("?").
2597						"parameterNotFoundAction"?: string
2598
2599						// selector can be used to match multiple param objects based on
2600						// their labels.
2601						// Supply selector: {} to match all resources of the ParamKind.
2602						//
2603						// If multiple params are found, they are all evaluated with the
2604						// policy expressions
2605						// and the results are ANDed together.
2606						//
2607						// One of `name` or `selector` must be set, but `name` and
2608						// `selector` are
2609						// mutually exclusive properties. If one is set, the other must be
2610						// unset.
2611						"selector"?: {
2612							// matchExpressions is a list of label selector requirements. The
2613							// requirements are ANDed.
2614							"matchExpressions"?: [...{
2615								// key is the label key that the selector applies to.
2616								"key"!: string
2617
2618								// operator represents a key's relationship to a set of values.
2619								// Valid operators are In, NotIn, Exists and DoesNotExist.
2620								"operator"!: string
2621
2622								// values is an array of string values. If the operator is In or
2623								// NotIn,
2624								// the values array must be non-empty. If the operator is Exists
2625								// or DoesNotExist,
2626								// the values array must be empty. This array is replaced during a
2627								// strategic
2628								// merge patch.
2629								"values"?: [...string]
2630							}]
2631
2632							// matchLabels is a map of {key,value} pairs. A single {key,value}
2633							// in the matchLabels
2634							// map is equivalent to an element of matchExpressions, whose key
2635							// field is "key", the
2636							// operator is "In", and the values array contains only "value".
2637							// The requirements are ANDed.
2638							"matchLabels"?: {
2639								[string]: string
2640							}
2641						}
2642					}
2643
2644					// Variables contain definitions of variables that can be used in
2645					// composition of other expressions.
2646					// Each variable is defined as a named CEL expression.
2647					// The variables defined here will be available under `variables`
2648					// in other expressions of the policy.
2649					"variables"?: [...{
2650						// Expression is the expression that will be evaluated as the
2651						// value of the variable.
2652						// The CEL expression has access to the same identifiers as the
2653						// CEL expressions in Validation.
2654						"expression"!: string
2655
2656						// Name is the name of the variable. The name must be a valid CEL
2657						// identifier and unique among all variables.
2658						// The variable can be accessed in other expressions through
2659						// `variables`.
2660						// For example, if name is "foo", the variable will be available
2661						// as `variables.foo`.
2662						"name"!: string
2663					}]
2664				}
2665
2666				// Deny defines conditions used to pass or fail a validation rule.
2667				"deny"?: {
2668					// Multiple conditions can be declared under an `any` or `all`
2669					// statement. A direct list
2670					// of conditions (without `any` or `all` statements) is also
2671					// supported for backwards compatibility
2672					// but will be deprecated in the next major release.
2673					// This schema accepts any JSON value here; the condition structure is checked by Kyverno, not by this schema. See:
2674					// https://kyverno.io/docs/writing-policies/validate/#deny-rules
2675					"conditions"?: null | bool | number | string | [...] | {
2676						...
2677					}
2678				}
2679
2680				// FailureAction defines whether a validation policy rule violation
2681				// should block
2682				// the admission review request (Enforce), or allow (Audit) the
2683				// admission review request
2684				// and report an error in a policy report. Optional.
2685				// Allowed values are Audit or Enforce (capitalized; lowercase forms are not accepted here).
2686				"failureAction"?: "Audit" | "Enforce"
2687
2688				// FailureActionOverrides is a Cluster Policy attribute that
2689				// specifies FailureAction
2690				// namespace-wise. It overrides FailureAction for the specified
2691				// namespaces.
2692				"failureActionOverrides"?: [...{
2693					// ValidationFailureAction defines the policy validation failure
2694					// action. Lowercase spellings are accepted here, unlike `failureAction`, which accepts only "Audit" and "Enforce".
2695					"action"?: "audit" | "enforce" | "Audit" | "Enforce"
2696
2697					// A label selector is a label query over a set of resources. The
2698					// result of matchLabels and
2699					// matchExpressions are ANDed. An empty label selector matches all
2700					// objects. A null
2701					// label selector matches no objects.
2702					"namespaceSelector"?: {
2703						// matchExpressions is a list of label selector requirements. The
2704						// requirements are ANDed.
2705						"matchExpressions"?: [...{
2706							// key is the label key that the selector applies to.
2707							"key"!: string
2708
2709							// operator represents a key's relationship to a set of values.
2710							// Valid operators are In, NotIn, Exists and DoesNotExist.
2711							"operator"!: string
2712
2713							// values is an array of string values. If the operator is In or
2714							// NotIn,
2715							// the values array must be non-empty. If the operator is Exists
2716							// or DoesNotExist,
2717							// the values array must be empty. This array is replaced during a
2718							// strategic
2719							// merge patch.
2720							"values"?: [...string]
2721						}]
2722
2723						// matchLabels is a map of {key,value} pairs. A single {key,value}
2724						// in the matchLabels
2725						// map is equivalent to an element of matchExpressions, whose key
2726						// field is "key", the
2727						// operator is "In", and the values array contains only "value".
2728						// The requirements are ANDed.
2729						"matchLabels"?: {
2730							[string]: string
2731						}
2732					}
2733					"namespaces"?: [...string] // Namespace names this override applies to (alongside namespaceSelector).
2734				}]
2735
2736				// ForEach applies validate rules to a list of sub-elements by
2737				// creating a context for each entry in the list and looping over
2738				// it to apply the specified logic.
2739				"foreach"?: [...{
2740					// AnyPattern specifies list of validation patterns. At least one
2741					// of the patterns
2742					// must be satisfied for the validation rule to succeed.
2743					"anyPattern"?: null | bool | number | string | [...] | {
2744						...
2745					}
2746
2747					// Context defines variables and data sources that can be used
2748					// during rule execution. Each entry must set exactly one of configMap, apiCall, imageRegistry, variable or globalReference (enforced by the matchN(1, ...) constraint below).
2749					"context"?: [...matchN(1, [{
2750						"configMap"!: _
2751					}, {
2752						"apiCall"!: _
2753					}, {
2754						"imageRegistry"!: _
2755					}, {
2756						"variable"!: _
2757					}, {
2758						"globalReference"!: _
2759					}]) & {
2760						// APICall is an HTTP request to the Kubernetes API server, or
2761						// other JSON web service.
2762						// The data returned is stored in the context with the name for
2763						// the context entry.
2764						"apiCall"?: {
2765							// The data object specifies the POST data sent to the server.
2766							// Only applicable when the method field is set to POST.
2767							"data"?: [...{
2768								// Key is a unique identifier for the data value
2769								"key"!: string
2770
2771								// Value is the data value
2772								"value"!: null | bool | number | string | [...] | {
2773									...
2774								}
2775							}]
2776
2777							// Default is an optional arbitrary JSON object that the context
2778							// value is set to, if the apiCall returns error.
2779							"default"?: null | bool | number | string | [...] | {
2780								...
2781							}
2782
2783							// JMESPath is an optional JSON Match Expression that can be used
2784							// to
2785							// transform the JSON response returned from the server. For
2786							// example
2787							// a JMESPath of "items | length(@)" applied to the API server
2788							// response
2789							// for the URLPath "/apis/apps/v1/deployments" will return the
2790							// total count
2791							// of deployments across all namespaces.
2792							"jmesPath"?: string
2793
2794							// Method is the HTTP request type (GET or POST). Defaults to GET.
2795							"method"?: "GET" | "POST"
2796
2797							// Service is an API call to a JSON web service.
2798							// This is used for non-Kubernetes API server calls.
2799							// It's mutually exclusive with the URLPath field. NOTE(review): the exclusivity with urlPath is stated here but not enforced by this schema.
2800							"service"?: {
2801								// CABundle is a PEM encoded CA bundle which will be used to
2802								// validate
2803								// the server certificate.
2804								"caBundle"?: string
2805
2806								// Headers is a list of optional HTTP headers to be included in
2807								// the request.
2808								"headers"?: [...{
2809									// Key is the header key
2810									"key"!: string
2811
2812									// Value is the header value
2813									"value"!: string
2814								}]
2815
2816								// URL is the JSON web service URL. A typical form is
2817								// `https://{service}.{namespace}:{port}/{path}`.
2818								"url"!: string
2819							}
2820
2821							// URLPath is the URL path to be used in the HTTP GET or POST
2822							// request to the
2823							// Kubernetes API server (e.g. "/api/v1/namespaces" or
2824							// "/apis/apps/v1/deployments").
2825							// The format required is the same format used by the `kubectl get
2826							// --raw` command.
2827							// See
2828							// https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
2829							// for details.
2830							// It's mutually exclusive with the Service field.
2831							"urlPath"?: string
2832						}
2833
2834						// ConfigMap is the ConfigMap reference.
2835						"configMap"?: {
2836							// Name is the ConfigMap name.
2837							"name"!: string
2838
2839							// Namespace is the ConfigMap namespace.
2840							"namespace"?: string
2841						}
2842
2843						// GlobalContextEntryReference is a reference to a cached global
2844						// context entry.
2845						"globalReference"?: {
2846							// JMESPath is an optional JSON Match Expression that can be used
2847							// to
2848							// transform the JSON response returned from the server. For
2849							// example
2850							// a JMESPath of "items | length(@)" applied to the API server
2851							// response
2852							// for the URLPath "/apis/apps/v1/deployments" will return the
2853							// total count
2854							// of deployments across all namespaces.
2855							"jmesPath"?: string
2856
2857							// Name of the global context entry
2858							"name"!: string
2859						}
2860
2861						// ImageRegistry defines requests to an OCI/Docker V2 registry to
2862						// fetch image
2863						// details.
2864						"imageRegistry"?: {
2865							// ImageRegistryCredentials provides credentials that will be used
2866							// for authentication with registry
2867							"imageRegistryCredentials"?: {
2868								// AllowInsecureRegistry allows insecure access to a registry. NOTE(review): what "insecure" covers (plain HTTP vs. unverified TLS) is not stated here; confirm against the Kyverno docs before relying on it.
2869								"allowInsecureRegistry"?: bool
2870
2871								// Providers specifies a list of OCI Registry names, whose
2872								// authentication providers are provided.
2873								// It can be of one of these values:
2874								// default,google,azure,amazon,github.
2875								"providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
2876
2877								// Secrets specifies a list of secrets that are provided for
2878								// credentials.
2879								// Secrets must live in the Kyverno namespace.
2880								"secrets"?: [...string]
2881							}
2882
2883							// JMESPath is an optional JSON Match Expression that can be used
2884							// to
2885							// transform the ImageData struct returned as a result of
2886							// processing
2887							// the image reference.
2888							"jmesPath"?: string
2889
2890							// Reference is image reference to a container image in the
2891							// registry.
2892							// Example: ghcr.io/kyverno/kyverno:latest
2893							"reference"!: string
2894						}
2895
2896						// Name is the variable name.
2897						"name"!: string
2898
2899						// Variable defines an arbitrary JMESPath context variable that
2900						// can be defined inline.
2901						"variable"?: {
2902							// Default is an optional arbitrary JSON object that the variable
2903							// may take if the JMESPath
2904							// expression evaluates to nil
2905							"default"?: null | bool | number | string | [...] | {
2906								...
2907							}
2908
2909							// JMESPath is an optional JMESPath Expression that can be used to
2910							// transform the variable.
2911							"jmesPath"?: string
2912
2913							// Value is any arbitrary JSON object representable in YAML or
2914							// JSON form.
2915							"value"?: null | bool | number | string | [...] | {
2916								...
2917							}
2918						}
2919					}]
2920
2921					// Deny defines conditions used to pass or fail a validation rule.
2922					"deny"?: {
2923						// Multiple conditions can be declared under an `any` or `all`
2924						// statement. A direct list
2925						// of conditions (without `any` or `all` statements) is also
2926						// supported for backwards compatibility
2927						// but will be deprecated in the next major release.
2928						// This schema accepts any JSON value here; the condition structure is checked by Kyverno, not by this schema. See:
2929						// https://kyverno.io/docs/writing-policies/validate/#deny-rules
2930						"conditions"?: null | bool | number | string | [...] | {
2931							...
2932						}
2933					}
2934
2935					// ElementScope specifies whether to use the current list element
2936					// as the scope for validation. Defaults to "true" if not
2937					// specified.
2938					// When set to "false", "request.object" is used as the validation
2939					// scope within the foreach
2940					// block to allow referencing other elements in the subtree.
2941					"elementScope"?: bool
2942
2943					// Foreach declares a nested foreach iterator. Any JSON value is accepted here; nesting is not validated by this schema.
2944					"foreach"?: null | bool | number | string | [...] | {
2945						...
2946					}
2947
2948					// List specifies a JMESPath expression that results in one or
2949					// more elements
2950					// to which the validation logic is applied.
2951					"list"?: string
2952
2953					// Pattern specifies an overlay-style pattern used to check
2954					// resources.
2955					"pattern"?: null | bool | number | string | [...] | {
2956						...
2957					}
2958
2959					// AnyAllConditions are used to determine if a policy rule should
2960					// be applied by evaluating a
2961					// set of conditions. The declaration can contain nested `any` or
2962					// `all` statements.
2963					// See: https://kyverno.io/docs/writing-policies/preconditions/
2964					"preconditions"?: {
2965						// AllConditions enable variable-based conditional rule execution.
2966						// This is useful for
2967						// finer control of when a rule is applied. A condition can
2968						// reference object data
2969						// using JMESPath notation.
2970						// Here, all of the conditions need to pass.
2971						"all"?: [...{
2972							// Key is the context entry (using JMESPath) for conditional rule
2973							// evaluation.
2974							"key"?: null | bool | number | string | [...] | {
2975								...
2976							}
2977
2978							// Message is an optional display message
2979							"message"?: string
2980
2981							// Operator is the conditional operation to perform. Valid
2982							// operators are:
2983							// Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
2984							// GreaterThanOrEquals,
2985							// GreaterThan, LessThanOrEquals, LessThan,
2986							// DurationGreaterThanOrEquals, DurationGreaterThan,
2987							// DurationLessThanOrEquals, DurationLessThan
2988							"operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
2989
2990							// Value is the conditional value, or set of values. The values
2991							// can be fixed set
2992							// or can be variables declared using JMESPath.
2993							"value"?: null | bool | number | string | [...] | {
2994								...
2995							}
2996						}]
2997
2998						// AnyConditions enable variable-based conditional rule execution.
2999						// This is useful for
3000						// finer control of when a rule is applied. A condition can
3001						// reference object data
3002						// using JMESPath notation.
3003						// Here, at least one of the conditions needs to pass.
3004						"any"?: [...{
3005							// Key is the context entry (using JMESPath) for conditional rule
3006							// evaluation.
3007							"key"?: null | bool | number | string | [...] | {
3008								...
3009							}
3010
3011							// Message is an optional display message
3012							"message"?: string
3013
3014							// Operator is the conditional operation to perform. Valid
3015							// operators are:
3016							// Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
3017							// GreaterThanOrEquals,
3018							// GreaterThan, LessThanOrEquals, LessThan,
3019							// DurationGreaterThanOrEquals, DurationGreaterThan,
3020							// DurationLessThanOrEquals, DurationLessThan
3021							"operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
3022
3023							// Value is the conditional value, or set of values. The values
3024							// can be fixed set
3025							// or can be variables declared using JMESPath.
3026							"value"?: null | bool | number | string | [...] | {
3027								...
3028							}
3029						}]
3030						...
3031					}
3032				}]
3033
3034				// Manifest specifies conditions for manifest verification
3035				"manifests"?: {
3036					// AnnotationDomain is custom domain of annotation for message and
3037					// signature. Default is "cosign.sigstore.dev".
3038					"annotationDomain"?: string
3039
3040					// Attestors specified the required attestors (i.e. authorities)
3041					"attestors"?: [...{
3042						// Count specifies the required number of entries that must match.
3043						// If the count is null, all entries must match
3044						// (a logical AND). If the count is 1, at least one entry must
3045						// match (a logical OR). If the count contains a
3046						// value N, then N must be less than or equal to the size of
3047						// entries, and at least N entries must match.
3048						"count"?: int & >=1
3049
3050						// Entries contains the available attestors. An attestor can be a
3051						// static key,
3052						// attributes for keyless verification, or a nested attestor
3053						// declaration.
3054						"entries"?: [...{
3055							// Annotations are used for image verification.
3056							// Every specified key-value pair must exist and match in the
3057							// verified payload.
3058							// The payload may contain other key-value pairs.
3059							"annotations"?: [string]: string
3060
3061							// Attestor is a nested set of Attestor used to specify a more
3062							// complex set of match authorities.
3063							"attestor"?: null | bool | number | string | [...] | {
3064								...
3065							}
3066
3067							// Certificates specifies one or more certificates.
3068							"certificates"?: {
3069								// Cert is an optional PEM-encoded public certificate.
3070								"cert"?: string
3071
3072								// CertChain is an optional PEM encoded set of certificates used
3073								// to verify.
3074								"certChain"?: string
3075
3076								// CTLog (certificate timestamp log) provides a configuration for
3077								// validation of Signed Certificate
3078								// Timestamps (SCTs). If the value is unset, the default behavior
3079								// by Cosign is used.
3080								"ctlog"?: {
3081									// IgnoreSCT defines whether to use the Signed Certificate
3082									// Timestamp (SCT) log to check for a certificate
3083									// timestamp. Default is false. Set to true if this was opted out
3084									// during signing.
3085									"ignoreSCT"?: bool
3086
3087									// PubKey, if set, is used to validate SCTs against a custom
3088									// source.
3089									"pubkey"?: string
3090
3091									// TSACertChain, if set, is the PEM-encoded certificate chain file
3092									// for the RFC3161 timestamp authority. Must
3093									// contain the root CA certificate. Optionally may contain
3094									// intermediate CA certificates, and
3095									// may contain the leaf TSA certificate if not present in the
3096									// timestamurce.
3097									"tsaCertChain"?: string
3098								}
3099
3100								// Rekor provides configuration for the Rekor transparency log
3101								// service. If an empty object
3102								// is provided the public instance of Rekor
3103								// (https://rekor.sigstore.dev) is used.
3104								"rekor"?: {
3105									// IgnoreTlog skips transparency log verification.
3106									"ignoreTlog"?: bool
3107
3108									// RekorPubKey is an optional PEM-encoded public key to use for a
3109									// custom Rekor.
3110									// If set, this will be used to validate transparency log
3111									// signatures from a custom Rekor.
3112									"pubkey"?: string
3113
3114									// URL is the address of the transparency log. Defaults to the
3115									// public Rekor log instance https://rekor.sigstore.dev.
3116									"url"?: string
3117								}
3118							}
3119
3120							// Keyless is a set of attribute used to verify a Sigstore keyless
3121							// attestor.
3122							// See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
3123							"keyless"?: {
3124								// AdditionalExtensions are certificate-extensions used for
3125								// keyless signing.
3126								"additionalExtensions"?: [string]: string
3127
3128								// CTLog (certificate timestamp log) provides a configuration for
3129								// validation of Signed Certificate
3130								// Timestamps (SCTs). If the value is unset, the default behavior
3131								// by Cosign is used.
3132								"ctlog"?: {
3133									// IgnoreSCT defines whether to use the Signed Certificate
3134									// Timestamp (SCT) log to check for a certificate
3135									// timestamp. Default is false. Set to true if this was opted out
3136									// during signing.
3137									"ignoreSCT"?: bool
3138
3139									// PubKey, if set, is used to validate SCTs against a custom
3140									// source.
3141									"pubkey"?: string
3142
3143									// TSACertChain, if set, is the PEM-encoded certificate chain file
3144									// for the RFC3161 timestamp authority. Must
3145									// contain the root CA certificate. Optionally may contain
3146									// intermediate CA certificates, and
3147									// may contain the leaf TSA certificate if not present in the
3148									// timestamp source.
3149									"tsaCertChain"?: string
3150								}
3151
3152								// Issuer is the certificate issuer used for keyless signing.
3153								"issuer"?: string
3154
3155								// IssuerRegExp is the regular expression to match certificate
3156								// issuer used for keyless signing.
3157								"issuerRegExp"?: string
3158
3159								// Rekor provides configuration for the Rekor transparency log
3160								// service. If an empty object
3161								// is provided the public instance of Rekor
3162								// (https://rekor.sigstore.dev) is used.
3163								"rekor"?: {
3164									// IgnoreTlog skips transparency log verification.
3165									"ignoreTlog"?: bool
3166
3167									// RekorPubKey is an optional PEM-encoded public key to use for a
3168									// custom Rekor.
3169									// If set, this will be used to validate transparency log
3170									// signatures from a custom Rekor.
3171									"pubkey"?: string
3172
3173									// URL is the address of the transparency log. Defaults to the
3174									// public Rekor log instance https://rekor.sigstore.dev.
3175									"url"?: string
3176								}
3177
3178								// Roots is an optional set of PEM encoded trusted root
3179								// certificates.
3180								// If not provided, the system roots are used.
3181								"roots"?: string
3182
3183								// Subject is the verified identity used for keyless signing, for
3184								// example the email address.
3185								"subject"?: string
3186
3187								// SubjectRegExp is the regular expression to match identity used
3188								// for keyless signing, for example the email address.
3189								"subjectRegExp"?: string
3190							}
3191
3192							// Keys specifies one or more public keys.
3193							"keys"?: {
3194								// CTLog (certificate timestamp log) provides a configuration for
3195								// validation of Signed Certificate
3196								// Timestamps (SCTs). If the value is unset, the default behavior
3197								// by Cosign is used.
3198								"ctlog"?: {
3199									// IgnoreSCT defines whether to use the Signed Certificate
3200									// Timestamp (SCT) log to check for a certificate
3201									// timestamp. Default is false. Set to true if this was opted out
3202									// during signing.
3203									"ignoreSCT"?: bool
3204
3205									// PubKey, if set, is used to validate SCTs against a custom
3206									// source.
3207									"pubkey"?: string
3208
3209									// TSACertChain, if set, is the PEM-encoded certificate chain file
3210									// for the RFC3161 timestamp authority. Must
3211									// contain the root CA certificate. Optionally may contain
3212									// intermediate CA certificates, and
3213									// may contain the leaf TSA certificate if not present in the
3214									// timestamp source.
3215									"tsaCertChain"?: string
3216								}
3217
3218								// KMS provides the URI to the public key stored in a Key
3219								// Management System. See:
3220								// https://github.com/sigstore/cosign/blob/main/KMS.md
3221								"kms"?: string
3222
3223								// Keys is a set of X.509 public keys used to verify image
3224								// signatures. The keys can be directly
3225								// specified or can be a variable reference to a key specified in
3226								// a ConfigMap (see
3227								// https://kyverno.io/docs/writing-policies/variables/), or
3228								// reference a standard Kubernetes Secret
3229								// elsewhere in the cluster by specifying it in the format
3230								// "k8s://<namespace>/<secret_name>".
3231								// The named Secret must specify a key `cosign.pub` containing the
3232								// public key used for
3233								// verification, (see
3234								// https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
3235								// When multiple keys are specified each key is processed as a
3236								// separate staticKey entry
3237								// (.attestors[*].entries.keys) within the set of attestors and
3238								// the count is applied across the keys.
3239								"publicKeys"?: string
3240
3241								// Rekor provides configuration for the Rekor transparency log
3242								// service. If an empty object
3243								// is provided the public instance of Rekor
3244								// (https://rekor.sigstore.dev) is used.
3245								"rekor"?: {
3246									// IgnoreTlog skips transparency log verification.
3247									"ignoreTlog"?: bool
3248
3249									// RekorPubKey is an optional PEM-encoded public key to use for a
3250									// custom Rekor.
3251									// If set, this will be used to validate transparency log
3252									// signatures from a custom Rekor.
3253									"pubkey"?: string
3254
3255									// URL is the address of the transparency log. Defaults to the
3256									// public Rekor log instance https://rekor.sigstore.dev.
3257									"url"?: string
3258								}
3259
3260								// Reference to a Secret resource that contains a public key
3261								"secret"?: {
3262									// Name of the secret. The provided secret must contain a key
3263									// named cosign.pub.
3264									"name"!: string
3265
3266									// Namespace name where the Secret exists.
3267									"namespace"!: string
3268								}
3269
3270								// Deprecated. Use attestor.signatureAlgorithm instead.
3271								"signatureAlgorithm"?: string
3272							}
3273
3274							// Repository is an optional alternate OCI repository to use for
3275							// signatures and attestations that match this rule.
3276							// If specified Repository will override other OCI image
3277							// repository locations for this Attestor.
3278							"repository"?: string
3279
3280							// Specify signature algorithm for public keys. Supported values
3281							// are sha224, sha256, sha384 and sha512.
3282							"signatureAlgorithm"?: string
3283						}]
3284					}]
3285
3286					// DryRun configuration
3287					"dryRun"?: {
3288						"enable"?:    bool
3289						"namespace"?: string
3290					}
3291
3292					// Fields which will be ignored while comparing manifests.
3293					"ignoreFields"?: [...{
3294						"fields"?: [...string]
3295						"objects"?: [...{
3296							"group"?:     string
3297							"kind"?:      string
3298							"name"?:      string
3299							"namespace"?: string
3300							"version"?:   string
3301						}]
3302					}]
3303
3304					// Repository is an optional alternate OCI repository to use for
3305					// resource bundle reference.
3306					// The repository can be overridden per Attestor or Attestation.
3307					"repository"?: string
3308				}
3309
3310				// Message specifies a custom message to be displayed on failure.
3311				"message"?: string
3312
3313				// Pattern specifies an overlay-style pattern used to check
3314				// resources.
3315				"pattern"?: null | bool | number | string | [...] | {
3316					...
3317				}
3318
3319				// PodSecurity applies exemptions for Kubernetes Pod Security
3320				// admission
3321				// by specifying exclusions for Pod Security Standards controls.
3322				"podSecurity"?: {
3323					// Exclude specifies the Pod Security Standard controls to be
3324					// excluded.
3325					"exclude"?: [...{
3326						// ControlName specifies the name of the Pod Security Standard
3327						// control.
3328						// See:
3329						// https://kubernetes.io/docs/concepts/security/pod-security-standards/
3330						"controlName"!: "HostProcess" | "Host Namespaces" | "Privileged Containers" | "Capabilities" | "HostPath Volumes" | "Host Ports" | "AppArmor" | "SELinux" | "/proc Mount Type" | "Seccomp" | "Sysctls" | "Volume Types" | "Privilege Escalation" | "Running as Non-root" | "Running as Non-root user"
3331
3332						// Images selects matching containers and applies the container
3333						// level PSS.
3334						// Each image is the image name consisting of the registry
3335						// address, repository, image, and tag.
3336						// Empty list matches no containers, PSS checks are applied at the
3337						// pod level only.
3338						// Wildcards ('*' and '?') are allowed. See:
3339						// https://kubernetes.io/docs/concepts/containers/images.
3340						"images"?: [...string]
3341
3342						// RestrictedField selects the field for the given Pod Security
3343						// Standard control.
3344						// When not set, all restricted fields for the control are
3345						// selected.
3346						"restrictedField"?: string
3347
3348						// Values defines the allowed values that can be excluded.
3349						"values"?: [...string]
3350					}]
3351
3352					// Level defines the Pod Security Standard level to be applied to
3353					// workloads.
3354					// Allowed values are privileged, baseline, and restricted.
3355					"level"?: "privileged" | "baseline" | "restricted"
3356
3357					// Version defines the Pod Security Standard versions that
3358					// Kubernetes supports.
3359					// Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24,
3360					// v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest.
3361					"version"?: "v1.19" | "v1.20" | "v1.21" | "v1.22" | "v1.23" | "v1.24" | "v1.25" | "v1.26" | "v1.27" | "v1.28" | "v1.29" | "latest"
3362				}
3363			}
3364
3365			// VerifyImages is used to verify image signatures and mutate them
3366			// to add a digest
3367			"verifyImages"?: [...{
3368				// Deprecated.
3369				"additionalExtensions"?: [string]: string
3370
3371				// Deprecated. Use annotations per Attestor instead.
3372				"annotations"?: {
3373					[string]: string
3374				}
3375
3376				// Attestations are optional checks for signed in-toto Statements
3377				// used to verify the image.
3378				// See https://github.com/in-toto/attestation. Kyverno fetches
3379				// signed attestations from the
3380				// OCI registry and decodes them into a list of Statement
3381				// declarations.
3382				"attestations"?: [...{
3383					// Attestors specify the required attestors (i.e. authorities).
3384					"attestors"?: [...{
3385						// Count specifies the required number of entries that must match.
3386						// If the count is null, all entries must match
3387						// (a logical AND). If the count is 1, at least one entry must
3388						// match (a logical OR). If the count contains a
3389						// value N, then N must be less than or equal to the size of
3390						// entries, and at least N entries must match.
3391						"count"?: int & >=1
3392
3393						// Entries contains the available attestors. An attestor can be a
3394						// static key,
3395						// attributes for keyless verification, or a nested attestor
3396						// declaration.
3397						"entries"?: [...{
3398							// Annotations are used for image verification.
3399							// Every specified key-value pair must exist and match in the
3400							// verified payload.
3401							// The payload may contain other key-value pairs.
3402							"annotations"?: [string]: string
3403
3404							// Attestor is a nested set of Attestor used to specify a more
3405							// complex set of match authorities.
3406							"attestor"?: null | bool | number | string | [...] | {
3407								...
3408							}
3409
3410							// Certificates specifies one or more certificates.
3411							"certificates"?: {
3412								// Cert is an optional PEM-encoded public certificate.
3413								"cert"?: string
3414
3415								// CertChain is an optional PEM encoded set of certificates used
3416								// to verify.
3417								"certChain"?: string
3418
3419								// CTLog (certificate timestamp log) provides a configuration for
3420								// validation of Signed Certificate
3421								// Timestamps (SCTs). If the value is unset, the default behavior
3422								// by Cosign is used.
3423								"ctlog"?: {
3424									// IgnoreSCT defines whether to use the Signed Certificate
3425									// Timestamp (SCT) log to check for a certificate
3426									// timestamp. Default is false. Set to true if this was opted out
3427									// during signing.
3428									"ignoreSCT"?: bool
3429
3430									// PubKey, if set, is used to validate SCTs against a custom
3431									// source.
3432									"pubkey"?: string
3433
3434									// TSACertChain, if set, is the PEM-encoded certificate chain file
3435									// for the RFC3161 timestamp authority. Must
3436									// contain the root CA certificate. Optionally may contain
3437									// intermediate CA certificates, and
3438									// may contain the leaf TSA certificate if not present in the
3439									// timestamp source.
3440									"tsaCertChain"?: string
3441								}
3442
3443								// Rekor provides configuration for the Rekor transparency log
3444								// service. If an empty object
3445								// is provided the public instance of Rekor
3446								// (https://rekor.sigstore.dev) is used.
3447								"rekor"?: {
3448									// IgnoreTlog skips transparency log verification.
3449									"ignoreTlog"?: bool
3450
3451									// RekorPubKey is an optional PEM-encoded public key to use for a
3452									// custom Rekor.
3453									// If set, this will be used to validate transparency log
3454									// signatures from a custom Rekor.
3455									"pubkey"?: string
3456
3457									// URL is the address of the transparency log. Defaults to the
3458									// public Rekor log instance https://rekor.sigstore.dev.
3459									"url"?: string
3460								}
3461							}
3462
3463							// Keyless is a set of attributes used to verify a Sigstore keyless
3464							// attestor.
3465							// See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
3466							"keyless"?: {
3467								// AdditionalExtensions are certificate-extensions used for
3468								// keyless signing.
3469								"additionalExtensions"?: [string]: string
3470
3471								// CTLog (certificate timestamp log) provides a configuration for
3472								// validation of Signed Certificate
3473								// Timestamps (SCTs). If the value is unset, the default behavior
3474								// by Cosign is used.
3475								"ctlog"?: {
3476									// IgnoreSCT defines whether to use the Signed Certificate
3477									// Timestamp (SCT) log to check for a certificate
3478									// timestamp. Default is false. Set to true if this was opted out
3479									// during signing.
3480									"ignoreSCT"?: bool
3481
3482									// PubKey, if set, is used to validate SCTs against a custom
3483									// source.
3484									"pubkey"?: string
3485
3486									// TSACertChain, if set, is the PEM-encoded certificate chain file
3487									// for the RFC3161 timestamp authority. Must
3488									// contain the root CA certificate. Optionally may contain
3489									// intermediate CA certificates, and
3490									// may contain the leaf TSA certificate if not present in the
3491									// timestamp source.
3492									"tsaCertChain"?: string
3493								}
3494
3495								// Issuer is the certificate issuer used for keyless signing.
3496								"issuer"?: string
3497
3498								// IssuerRegExp is the regular expression to match certificate
3499								// issuer used for keyless signing.
3500								"issuerRegExp"?: string
3501
3502								// Rekor provides configuration for the Rekor transparency log
3503								// service. If an empty object
3504								// is provided the public instance of Rekor
3505								// (https://rekor.sigstore.dev) is used.
3506								"rekor"?: {
3507									// IgnoreTlog skips transparency log verification.
3508									"ignoreTlog"?: bool
3509
3510									// RekorPubKey is an optional PEM-encoded public key to use for a
3511									// custom Rekor.
3512									// If set, this will be used to validate transparency log
3513									// signatures from a custom Rekor.
3514									"pubkey"?: string
3515
3516									// URL is the address of the transparency log. Defaults to the
3517									// public Rekor log instance https://rekor.sigstore.dev.
3518									"url"?: string
3519								}
3520
3521								// Roots is an optional set of PEM encoded trusted root
3522								// certificates.
3523								// If not provided, the system roots are used.
3524								"roots"?: string
3525
3526								// Subject is the verified identity used for keyless signing, for
3527								// example the email address.
3528								"subject"?: string
3529
3530								// SubjectRegExp is the regular expression to match identity used
3531								// for keyless signing, for example the email address.
3532								"subjectRegExp"?: string
3533							}
3534
3535							// Keys specifies one or more public keys.
3536							"keys"?: {
3537								// CTLog (certificate timestamp log) provides a configuration for
3538								// validation of Signed Certificate
3539								// Timestamps (SCTs). If the value is unset, the default behavior
3540								// by Cosign is used.
3541								"ctlog"?: {
3542									// IgnoreSCT defines whether to use the Signed Certificate
3543									// Timestamp (SCT) log to check for a certificate
3544									// timestamp. Default is false. Set to true if this was opted out
3545									// during signing.
3546									"ignoreSCT"?: bool
3547
3548									// PubKey, if set, is used to validate SCTs against a custom
3549									// source.
3550									"pubkey"?: string
3551
3552									// TSACertChain, if set, is the PEM-encoded certificate chain file
3553									// for the RFC3161 timestamp authority. Must
3554									// contain the root CA certificate. Optionally may contain
3555									// intermediate CA certificates, and
3556									// may contain the leaf TSA certificate if not present in the
3557									// timestamp source.
3558									"tsaCertChain"?: string
3559								}
3560
3561								// KMS provides the URI to the public key stored in a Key
3562								// Management System. See:
3563								// https://github.com/sigstore/cosign/blob/main/KMS.md
3564								"kms"?: string
3565
3566								// Keys is a set of X.509 public keys used to verify image
3567								// signatures. The keys can be directly
3568								// specified or can be a variable reference to a key specified in
3569								// a ConfigMap (see
3570								// https://kyverno.io/docs/writing-policies/variables/), or
3571								// reference a standard Kubernetes Secret
3572								// elsewhere in the cluster by specifying it in the format
3573								// "k8s://<namespace>/<secret_name>".
3574								// The named Secret must specify a key `cosign.pub` containing the
3575								// public key used for
3576								// verification, (see
3577								// https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
3578								// When multiple keys are specified each key is processed as a
3579								// separate staticKey entry
3580								// (.attestors[*].entries.keys) within the set of attestors and
3581								// the count is applied across the keys.
3582								"publicKeys"?: string
3583
3584								// Rekor provides configuration for the Rekor transparency log
3585								// service. If an empty object
3586								// is provided the public instance of Rekor
3587								// (https://rekor.sigstore.dev) is used.
3588								"rekor"?: {
3589									// IgnoreTlog skips transparency log verification.
3590									"ignoreTlog"?: bool
3591
3592									// RekorPubKey is an optional PEM-encoded public key to use for a
3593									// custom Rekor.
3594									// If set, this will be used to validate transparency log
3595									// signatures from a custom Rekor.
3596									"pubkey"?: string
3597
3598									// URL is the address of the transparency log. Defaults to the
3599									// public Rekor log instance https://rekor.sigstore.dev.
3600									"url"?: string
3601								}
3602
3603								// Reference to a Secret resource that contains a public key
3604								"secret"?: {
3605									// Name of the secret. The provided secret must contain a key
3606									// named cosign.pub.
3607									"name"!: string
3608
3609									// Namespace name where the Secret exists.
3610									"namespace"!: string
3611								}
3612
3613								// Deprecated. Use attestor.signatureAlgorithm instead.
3614								"signatureAlgorithm"?: string
3615							}
3616
3617							// Repository is an optional alternate OCI repository to use for
3618							// signatures and attestations that match this rule.
3619							// If specified Repository will override other OCI image
3620							// repository locations for this Attestor.
3621							"repository"?: string
3622
3623							// Specify signature algorithm for public keys. Supported values
3624							// are sha224, sha256, sha384 and sha512.
3625							"signatureAlgorithm"?: string
3626						}]
3627					}]
3628
3629					// Conditions are used to verify attributes within a Predicate. If
3630					// no Conditions are specified
3631					// the attestation check is satisfied as long as there are predicates
3632					// that match the predicate type.
3633					"conditions"?: [...{
3634						// AllConditions enable variable-based conditional rule execution.
3635						// This is useful for
3636						// finer control of when a rule is applied. A condition can
3637						// reference object data
3638						// using JMESPath notation.
3639						// Here, all of the conditions need to pass
3640						"all"?: [...{
3641							// Key is the context entry (using JMESPath) for conditional rule
3642							// evaluation.
3643							"key"?: null | bool | number | string | [...] | {
3644								...
3645							}
3646
3647							// Message is an optional display message
3648							"message"?: string
3649
3650							// Operator is the conditional operation to perform. Valid
3651							// operators are:
3652							// Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
3653							// GreaterThanOrEquals,
3654							// GreaterThan, LessThanOrEquals, LessThan,
3655							// DurationGreaterThanOrEquals, DurationGreaterThan,
3656							// DurationLessThanOrEquals, DurationLessThan
3657							"operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
3658
3659							// Value is the conditional value, or set of values. The values
3660							// can be fixed set
3661							// or can be variables declared using JMESPath.
3662							"value"?: null | bool | number | string | [...] | {
3663								...
3664							}
3665						}]
3666
3667						// AnyConditions enable variable-based conditional rule execution.
3668						// This is useful for
3669						// finer control of when a rule is applied. A condition can
3670						// reference object data
3671						// using JMESPath notation.
3672						// Here, at least one of the conditions need to pass
3673						"any"?: [...{
3674							// Key is the context entry (using JMESPath) for conditional rule
3675							// evaluation.
3676							"key"?: null | bool | number | string | [...] | {
3677								...
3678							}
3679
3680							// Message is an optional display message
3681							"message"?: string
3682
3683							// Operator is the conditional operation to perform. Valid
3684							// operators are:
3685							// Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
3686							// GreaterThanOrEquals,
3687							// GreaterThan, LessThanOrEquals, LessThan,
3688							// DurationGreaterThanOrEquals, DurationGreaterThan,
3689							// DurationLessThanOrEquals, DurationLessThan
3690							"operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
3691
3692							// Value is the conditional value, or set of values. The values
3693							// can be fixed set
3694							// or can be variables declared using JMESPath.
3695							"value"?: null | bool | number | string | [...] | {
3696								...
3697							}
3698						}]
3699					}]
3700
3701					// Name is the variable name.
3702					"name"?: string
3703
3704					// Deprecated in favour of 'Type', to be removed soon
3705					"predicateType"?: string
3706
3707					// Type defines the type of attestation contained within the
3708					// Statement.
3709					"type"?: string
3710				}]
3711
3712				// Attestors specify the required attestors (i.e. authorities)
3713				"attestors"?: [...{
3714					// Count specifies the required number of entries that must match.
3715					// If the count is null, all entries must match
3716					// (a logical AND). If the count is 1, at least one entry must
3717					// match (a logical OR). If the count contains a
3718					// value N, then N must be less than or equal to the size of
3719					// entries, and at least N entries must match.
3720					"count"?: int & >=1
3721
3722					// Entries contains the available attestors. An attestor can be a
3723					// static key,
3724					// attributes for keyless verification, or a nested attestor
3725					// declaration.
3726					"entries"?: [...{
3727						// Annotations are used for image verification.
3728						// Every specified key-value pair must exist and match in the
3729						// verified payload.
3730						// The payload may contain other key-value pairs.
3731						"annotations"?: [string]: string
3732
3733						// Attestor is a nested set of Attestor used to specify a more
3734						// complex set of match authorities.
3735						"attestor"?: null | bool | number | string | [...] | {
3736							...
3737						}
3738
3739						// Certificates specifies one or more certificates.
3740						"certificates"?: {
3741							// Cert is an optional PEM-encoded public certificate.
3742							"cert"?: string
3743
3744							// CertChain is an optional PEM encoded set of certificates used
3745							// to verify.
3746							"certChain"?: string
3747
3748							// CTLog (certificate timestamp log) provides a configuration for
3749							// validation of Signed Certificate
3750							// Timestamps (SCTs). If the value is unset, the default behavior
3751							// by Cosign is used.
3752							"ctlog"?: {
3753								// IgnoreSCT defines whether to use the Signed Certificate
3754								// Timestamp (SCT) log to check for a certificate
3755								// timestamp. Default is false. Set to true if this was opted out
3756								// during signing.
3757								"ignoreSCT"?: bool
3758
3759								// PubKey, if set, is used to validate SCTs against a custom
3760								// source.
3761								"pubkey"?: string
3762
3763								// TSACertChain, if set, is the PEM-encoded certificate chain file
3764								// for the RFC3161 timestamp authority. Must
3765								// contain the root CA certificate. Optionally may contain
3766								// intermediate CA certificates, and
3767								// may contain the leaf TSA certificate if not present in the
3768								// timestamp source.
3769								"tsaCertChain"?: string
3770							}
3771
3772							// Rekor provides configuration for the Rekor transparency log
3773							// service. If an empty object
3774							// is provided the public instance of Rekor
3775							// (https://rekor.sigstore.dev) is used.
3776							"rekor"?: {
3777								// IgnoreTlog skips transparency log verification.
3778								"ignoreTlog"?: bool
3779
3780								// RekorPubKey is an optional PEM-encoded public key to use for a
3781								// custom Rekor.
3782								// If set, this will be used to validate transparency log
3783								// signatures from a custom Rekor.
3784								"pubkey"?: string
3785
3786								// URL is the address of the transparency log. Defaults to the
3787								// public Rekor log instance https://rekor.sigstore.dev.
3788								"url"?: string
3789							}
3790						}
3791
3792						// Keyless is a set of attributes used to verify a Sigstore keyless
3793						// attestor.
3794						// See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
3795						"keyless"?: {
3796							// AdditionalExtensions are certificate-extensions used for
3797							// keyless signing.
3798							"additionalExtensions"?: [string]: string
3799
3800							// CTLog (certificate timestamp log) provides a configuration for
3801							// validation of Signed Certificate
3802							// Timestamps (SCTs). If the value is unset, the default behavior
3803							// by Cosign is used.
3804							"ctlog"?: {
3805								// IgnoreSCT defines whether to use the Signed Certificate
3806								// Timestamp (SCT) log to check for a certificate
3807								// timestamp. Default is false. Set to true if this was opted out
3808								// during signing.
3809								"ignoreSCT"?: bool
3810
3811								// PubKey, if set, is used to validate SCTs against a custom
3812								// source.
3813								"pubkey"?: string
3814
3815								// TSACertChain, if set, is the PEM-encoded certificate chain file
3816								// for the RFC3161 timestamp authority. Must
3817								// contain the root CA certificate. Optionally may contain
3818								// intermediate CA certificates, and
3819								// may contain the leaf TSA certificate if not present in the
3820								// timestamp source.
3821								"tsaCertChain"?: string
3822							}
3823
3824							// Issuer is the certificate issuer used for keyless signing.
3825							"issuer"?: string
3826
3827							// IssuerRegExp is the regular expression to match certificate
3828							// issuer used for keyless signing.
3829							"issuerRegExp"?: string
3830
3831							// Rekor provides configuration for the Rekor transparency log
3832							// service. If an empty object
3833							// is provided the public instance of Rekor
3834							// (https://rekor.sigstore.dev) is used.
3835							"rekor"?: {
3836								// IgnoreTlog skips transparency log verification.
3837								"ignoreTlog"?: bool
3838
3839								// RekorPubKey is an optional PEM-encoded public key to use for a
3840								// custom Rekor.
3841								// If set, this will be used to validate transparency log
3842								// signatures from a custom Rekor.
3843								"pubkey"?: string
3844
3845								// URL is the address of the transparency log. Defaults to the
3846								// public Rekor log instance https://rekor.sigstore.dev.
3847								"url"?: string
3848							}
3849
3850							// Roots is an optional set of PEM encoded trusted root
3851							// certificates.
3852							// If not provided, the system roots are used.
3853							"roots"?: string
3854
3855							// Subject is the verified identity used for keyless signing, for
3856							// example the email address.
3857							"subject"?: string
3858
3859							// SubjectRegExp is the regular expression to match identity used
3860							// for keyless signing, for example the email address.
3861							"subjectRegExp"?: string
3862						}
3863
3864						// Keys specifies one or more public keys.
3865						"keys"?: {
3866							// CTLog (certificate timestamp log) provides a configuration for
3867							// validation of Signed Certificate
3868							// Timestamps (SCTs). If the value is unset, the default behavior
3869							// by Cosign is used.
3870							"ctlog"?: {
3871								// IgnoreSCT defines whether to use the Signed Certificate
3872								// Timestamp (SCT) log to check for a certificate
3873								// timestamp. Default is false. Set to true if this was opted out
3874								// during signing.
								// When true the certificate is accepted without proof that it
								// was logged; treat a non-default value as a policy decision
								// that needs review, not as a convenience toggle.
3875								"ignoreSCT"?: bool
3876
3877								// PubKey, if set, is used to validate SCTs against a custom
3878								// source.
3879								"pubkey"?: string
3880
3881								// TSACertChain, if set, is the PEM-encoded certificate chain file
3882								// for the RFC3161 timestamp authority. Must
3883								// contain the root CA certificate. Optionally may contain
3884								// intermediate CA certificates, and
3885								// may contain the leaf TSA certificate if not present in the
3886								// timestamp itself (the upstream text reads "timestamurce";
								// confirm the intended wording against the cosign docs).
3887								"tsaCertChain"?: string
3888							}
3889
3890							// KMS provides the URI to the public key stored in a Key
3891							// Management System. See:
3892							// https://github.com/sigstore/cosign/blob/main/KMS.md
3893							"kms"?: string
3894
3895							// Keys is a set of X.509 public keys used to verify image
3896							// signatures. The keys can be directly
3897							// specified or can be a variable reference to a key specified in
3898							// a ConfigMap (see
3899							// https://kyverno.io/docs/writing-policies/variables/), or
3900							// reference a standard Kubernetes Secret
3901							// elsewhere in the cluster by specifying it in the format
3902							// "k8s://<namespace>/<secret_name>".
3903							// The named Secret must specify a key `cosign.pub` containing the
3904							// public key used for
3905							// verification, (see
3906							// https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
3907							// When multiple keys are specified each key is processed as a
3908							// separate staticKey entry
3909							// (.attestors[*].entries.keys) within the set of attestors and
3910							// the count is applied across the keys.
3911							"publicKeys"?: string
3912
3913							// Rekor provides configuration for the Rekor transparency log
3914							// service. If an empty object
3915							// is provided the public instance of Rekor
3916							// (https://rekor.sigstore.dev) is used.
3917							"rekor"?: {
3918								// IgnoreTlog skips transparency log verification.
								// When true a signature is accepted without any entry in the
								// transparency log being required, so that corroborating
								// evidence is lost; keep it false unless the policy author
								// has deliberately decided it is not needed for this image.
3919								"ignoreTlog"?: bool
3920
3921								// RekorPubKey is an optional PEM-encoded public key to use for a
3922								// custom Rekor.
3923								// If set, this will be used to validate transparency log
3924								// signatures from a custom Rekor.
								// NOTE(review): the schema does not tie pubkey to url; when url
								// names a private Rekor instance, confirm which key is used to
								// check its entries if pubkey is left unset.
3925								"pubkey"?: string
3926
3927								// URL is the address of the transparency log. Defaults to the
3928								// public Rekor log instance https://rekor.sigstore.dev.
								// The schema accepts any string here; it does not require an
								// https URL, so review non-default values in policy audits.
3929								"url"?: string
3930							}
3931
3932							// Reference to a Secret resource that contains a public key
3933							"secret"?: {
3934								// Name of the secret. The provided secret must contain a key
3935								// named cosign.pub.
3936								"name"!: string
3937
3938								// Namespace name where the Secret exists.
3939								"namespace"!: string
3940							}
3941
3942							// Deprecated. Use attestor.signatureAlgorithm instead.
3943							"signatureAlgorithm"?: string
3944						}
3945
3946						// Repository is an optional alternate OCI repository to use for
3947						// signatures and attestations that match this rule.
3948						// If specified Repository will override other OCI image
3949						// repository locations for this Attestor.
3950						"repository"?: string
3951
3952						// Specify signature algorithm for public keys. Supported values
3953						// are sha224, sha256, sha384 and sha512.
3954						"signatureAlgorithm"?: string
3955					}]
3956				}]
3957
3958				// CosignOCI11 enables the experimental OCI 1.1 behaviour in
3959				// cosign image verification.
3960				// Defaults to false.
3961				"cosignOCI11"?: bool
3962
3963				// Allowed values are Audit or Enforce.
3964				"failureAction"?: "Audit" | "Enforce"
3965
3966				// Deprecated. Use ImageReferences instead.
3967				"image"?: string
3968
3969				// ImageReferences is a list of matching image reference patterns.
3970				// At least one pattern in the
3971				// list must match the image for the rule to apply. Each image
3972				// reference consists of a registry
3973				// address (defaults to docker.io), repository, image, and tag
3974				// (defaults to latest).
3975				// Wildcards ('*' and '?') are allowed. See:
3976				// https://kubernetes.io/docs/concepts/containers/images.
3977				"imageReferences"?: [...string]
3978
3979				// ImageRegistryCredentials provides credentials that will be used
3980				// for authentication with registry.
3981				"imageRegistryCredentials"?: {
3982					// AllowInsecureRegistry allows insecure access to a registry.
					// The schema does not say which checks this relaxes; presumably
					// transport security toward the registry — confirm in the Kyverno
					// docs, and expect a reviewer to ask why it is enabled.
3983					"allowInsecureRegistry"?: bool
3984
3985					// Providers specifies a list of OCI Registry names, whose
3986					// authentication providers are provided.
3987					// It can be of one of these values:
3988					// default,google,azure,amazon,github.
3989					"providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
3990
3991					// Secrets specifies a list of secrets that are provided for
3992					// credentials.
3993					// Secrets must live in the Kyverno namespace.
					// Only Secret names are listed here, so the policy object itself
					// carries no registry credentials.
3994					"secrets"?: [...string]
3995				}
3996
3997				// Deprecated. Use KeylessAttestor instead.
3998				"issuer"?: string
3999
4000				// Deprecated. Use StaticKeyAttestor instead.
4001				"key"?: string
4002
4003				// MutateDigest enables replacement of image tags with digests.
4004				// Defaults to true.
4005				"mutateDigest"?: bool
4006
4007				// Repository is an optional alternate OCI repository to use for
4008				// image signatures and attestations that match this rule.
4009				// If specified Repository will override the default OCI image
4010				// repository configured for the installation.
4011				// The repository can also be overridden per Attestor or
4012				// Attestation.
4013				"repository"?: string
4014
4015				// Required validates that images are verified i.e. have matched
4016				// passed a signature or attestation check.
4017				"required"?: bool
4018
4019				// Deprecated. Use KeylessAttestor instead.
4020				"roots"?: string
4021
4022				// SkipImageReferences is a list of matching image reference
4023				// patterns that should be skipped.
4024				// At least one pattern in the list must match the image for the
4025				// rule to be skipped. Each image reference
4026				// consists of a registry address (defaults to docker.io),
4027				// repository, image, and tag (defaults to latest).
4028				// Wildcards ('*' and '?') are allowed. See:
4029				// https://kubernetes.io/docs/concepts/containers/images.
4030				"skipImageReferences"?: [...string]
4031
4032				// Deprecated. Use KeylessAttestor instead.
4033				"subject"?: string
4034
4035				// Type specifies the method of signature validation. The allowed
4036				// options
4037				// are Cosign, Sigstore Bundle and Notary. By default Cosign is
4038				// used if a type is not specified.
4039				"type"?: "Cosign" | "SigstoreBundle" | "Notary"
4040
4041				// UseCache enables caching of image verify responses for this
4042				// rule.
4043				"useCache"?: bool
4044
4045				// Validation checks conditions across multiple image
4046				// verification attestations or context entries
4047				"validate"?: {
4048					// Deny defines conditions used to pass or fail a validation rule.
4049					"deny"?: {
4050						// Multiple conditions can be declared under an `any` or `all`
4051						// statement. A direct list
4052						// of conditions (without `any` or `all` statements) is also
4053						// supported for backwards compatibility
4054						// but will be deprecated in the next major release.
4055						// See:
4056						// https://kyverno.io/docs/writing-policies/validate/#deny-rules
4057						"conditions"?: null | bool | number | string | [...] | {
4058							...
4059						}
4060					}
4061
4062					// Message specifies a custom message to be displayed on failure.
4063					"message"?: string
4064				}
4065
4066				// VerifyDigest validates that images have a digest.
4067				"verifyDigest"?: bool
4068			}]
4069		}]
4070
4071		// Deprecated.
4072		"schemaValidation"?: bool
4073
4074		// UseServerSideApply controls whether to use server-side apply
4075		// for generate rules
4076		// If is set to "true" create & update for generate rules will use
4077		// apply instead of create/update.
4078		// Defaults to "false" if not specified.
4079		"useServerSideApply"?: bool
4080
4081		// Deprecated, use validationFailureAction under the validate rule
4082		// instead.
4083		"validationFailureAction"?: "audit" | "enforce" | "Audit" | "Enforce"
4084
4085		// Deprecated, use validationFailureActionOverrides under the
4086		// validate rule instead.
4087		"validationFailureActionOverrides"?: [...{
4088			// ValidationFailureAction defines the policy validation failure
4089			// action
4090			"action"?: "audit" | "enforce" | "Audit" | "Enforce"
4091
4092			// A label selector is a label query over a set of resources. The
4093			// result of matchLabels and
4094			// matchExpressions are ANDed. An empty label selector matches all
4095			// objects. A null
4096			// label selector matches no objects.
4097			"namespaceSelector"?: {
4098				// matchExpressions is a list of label selector requirements. The
4099				// requirements are ANDed.
4100				"matchExpressions"?: [...{
4101					// key is the label key that the selector applies to.
4102					"key"!: string
4103
4104					// operator represents a key's relationship to a set of values.
4105					// Valid operators are In, NotIn, Exists and DoesNotExist.
4106					"operator"!: string
4107
4108					// values is an array of string values. If the operator is In or
4109					// NotIn,
4110					// the values array must be non-empty. If the operator is Exists
4111					// or DoesNotExist,
4112					// the values array must be empty. This array is replaced during a
4113					// strategic
4114					// merge patch.
4115					"values"?: [...string]
4116				}]
4117
4118				// matchLabels is a map of {key,value} pairs. A single {key,value}
4119				// in the matchLabels
4120				// map is equivalent to an element of matchExpressions, whose key
4121				// field is "key", the
4122				// operator is "In", and the values array contains only "value".
4123				// The requirements are ANDed.
4124				"matchLabels"?: {
4125					[string]: string
4126				}
4127			}
4128			"namespaces"?: [...string]
4129		}]
4130
4131		// WebhookConfiguration specifies the custom configuration for
4132		// Kubernetes admission webhookconfiguration.
4133		"webhookConfiguration"?: {
4134			// FailurePolicy defines how unexpected policy errors and webhook
4135			// response timeout errors are handled.
4136			// Rules within the same policy share the same failure behavior.
4137			// This field should not be accessed directly, instead
4138			// `GetFailurePolicy()` should be used.
4139			// Allowed values are Ignore or Fail. Defaults to Fail.
			// Ignore is the fail-open setting: on a webhook error or timeout the
			// API server admits the request without this policy's verdict. Fail
			// (the default) rejects the request instead.
4140			"failurePolicy"?: "Ignore" | "Fail"
4141
4142			// MatchCondition configures admission webhook matchConditions.
4143			// Requires Kubernetes 1.27 or later.
4144			"matchConditions"?: [...{
4145				// Expression represents the expression which will be evaluated by
4146				// CEL. Must evaluate to bool.
4147				// CEL expressions have access to the contents of the
4148				// AdmissionRequest and Authorizer, organized into CEL variables:
4149				//
4150				// 'object' - The object from the incoming request. The value is
4151				// null for DELETE requests.
4152				// 'oldObject' - The existing object. The value is null for CREATE
4153				// requests.
4154				// 'request' - Attributes of the admission
4155				// request(/pkg/apis/admission/types.go#AdmissionRequest).
4156				// 'authorizer' - A CEL Authorizer. May be used to perform
4157				// authorization checks for the principal (user or service
4158				// account) of the request.
4159				// See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
4160				// 'authorizer.requestResource' - A CEL ResourceCheck constructed
4161				// from the 'authorizer' and configured with the
4162				// request resource.
4163				// Documentation on CEL:
4164				// https://kubernetes.io/docs/reference/using-api/cel/
4165				//
4166				// Required.
4167				"expression"!: string
4168
4169				// Name is an identifier for this match condition, used for
4170				// strategic merging of MatchConditions,
4171				// as well as providing an identifier for logging purposes. A good
4172				// name should be descriptive of
4173				// the associated expression.
4174				// Name must be a qualified name consisting of alphanumeric
4175				// characters, '-', '_' or '.', and
4176				// must start and end with an alphanumeric character (e.g.
4177				// 'MyName', or 'my.name', or
4178				// '123-abc', regex used for validation is
4179				// '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
4180				// optional DNS subdomain prefix and '/' (e.g.
4181				// 'example.com/MyName')
4182				//
4183				// Required.
4184				"name"!: string
4185			}]
4186
4187			// TimeoutSeconds specifies the maximum time in seconds allowed to
4188			// apply this policy.
4189			// After the configured time expires, the admission request may
4190			// fail, or may simply ignore the policy results,
4191			// based on the failure policy. The default timeout is 10s, the
4192			// value must be between 1 and 30 seconds.
			// NOTE(review): the 1..30 range is documented only; the constraint
			// below is just int32, so an out-of-range value passes this schema
			// and is rejected (if at all) only by the API server.
4193			"timeoutSeconds"?: int32 & int
4194		}
4195
4196		// Deprecated, use webhookTimeoutSeconds under
4197		// webhookConfiguration instead.
4198		"webhookTimeoutSeconds"?: int32 & int
4199	}
4200
4201	// Deprecated. Policy metrics are available via the metrics
4202	// endpoint
4203	"status"?: {
4204		// AutogenStatus contains autogen status information.
4205		"autogen"?: {
4206			// Rules is a list of Rule instances. It contains auto generated
4207			// rules added for pod controllers
4208			"rules"?: [...{
4209				// CELPreconditions are used to determine if a policy rule should
4210				// be applied by evaluating a
4211				// set of CEL conditions. It can only be used with the
4212				// validate.cel subrule
4213				"celPreconditions"?: [...{
4214					// Expression represents the expression which will be evaluated by
4215					// CEL. Must evaluate to bool.
4216					// CEL expressions have access to the contents of the
4217					// AdmissionRequest and Authorizer, organized into CEL variables:
4218					//
4219					// 'object' - The object from the incoming request. The value is
4220					// null for DELETE requests.
4221					// 'oldObject' - The existing object. The value is null for CREATE
4222					// requests.
4223					// 'request' - Attributes of the admission
4224					// request(/pkg/apis/admission/types.go#AdmissionRequest).
4225					// 'authorizer' - A CEL Authorizer. May be used to perform
4226					// authorization checks for the principal (user or service
4227					// account) of the request.
4228					// See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
4229					// 'authorizer.requestResource' - A CEL ResourceCheck constructed
4230					// from the 'authorizer' and configured with the
4231					// request resource.
4232					// Documentation on CEL:
4233					// https://kubernetes.io/docs/reference/using-api/cel/
4234					//
4235					// Required.
4236					"expression"!: string
4237
4238					// Name is an identifier for this match condition, used for
4239					// strategic merging of MatchConditions,
4240					// as well as providing an identifier for logging purposes. A good
4241					// name should be descriptive of
4242					// the associated expression.
4243					// Name must be a qualified name consisting of alphanumeric
4244					// characters, '-', '_' or '.', and
4245					// must start and end with an alphanumeric character (e.g.
4246					// 'MyName', or 'my.name', or
4247					// '123-abc', regex used for validation is
4248					// '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
4249					// optional DNS subdomain prefix and '/' (e.g.
4250					// 'example.com/MyName')
4251					//
4252					// Required.
4253					"name"!: string
4254				}]
4255
4256				// Context defines variables and data sources that can be used
4257				// during rule execution.
4258				"context"?: [...matchN(1, [{
4259					"configMap"!: _
4260				}, {
4261					"apiCall"!: _
4262				}, {
4263					"imageRegistry"!: _
4264				}, {
4265					"variable"!: _
4266				}, {
4267					"globalReference"!: _
4268				}]) & {
4269					// APICall is an HTTP request to the Kubernetes API server, or
4270					// other JSON web service.
4271					// The data returned is stored in the context with the name for
4272					// the context entry.
4273					"apiCall"?: {
4274						// The data object specifies the POST data sent to the server.
4275						// Only applicable when the method field is set to POST.
4276						"data"?: [...{
4277							// Key is a unique identifier for the data value
4278							"key"!: string
4279
4280							// Value is the data value
4281							"value"!: null | bool | number | string | [...] | {
4282								...
4283							}
4284						}]
4285
4286						// Default is an optional arbitrary JSON object that the context
4287						// value is set to, if the apiCall returns error.
4288						"default"?: null | bool | number | string | [...] | {
4289							...
4290						}
4291
4292						// JMESPath is an optional JSON Match Expression that can be used
4293						// to
4294						// transform the JSON response returned from the server. For
4295						// example
4296						// a JMESPath of "items | length(@)" applied to the API server
4297						// response
4298						// for the URLPath "/apis/apps/v1/deployments" will return the
4299						// total count
4300						// of deployments across all namespaces.
4301						"jmesPath"?: string
4302
4303						// Method is the HTTP request type (GET or POST). Defaults to GET.
4304						"method"?: "GET" | "POST"
4305
4306						// Service is an API call to a JSON web service.
4307						// This is used for non-Kubernetes API server calls.
4308						// It's mutually exclusive with the URLPath field.
4309						"service"?: {
4310							// CABundle is a PEM encoded CA bundle which will be used to
4311							// validate
4312							// the server certificate.
							// NOTE(review): the schema does not say what is trusted when
							// this is omitted; confirm before relying on the default.
4313							"caBundle"?: string
4314
4315							// Headers is a list of optional HTTP headers to be included in
4316							// the request.
							// Values are literal strings stored in the policy object, so
							// anything placed here is visible to everyone who can read
							// the policy; avoid putting credentials in a header value.
4317							"headers"?: [...{
4318								// Key is the header key
4319								"key"!: string
4320
4321								// Value is the header value
4322								"value"!: string
4323							}]
4324
4325							// URL is the JSON web service URL. A typical form is
4326							// `https://{service}.{namespace}:{port}/{path}`.
							// Any string is accepted; the schema restricts neither scheme
							// nor host, so policy authorship should be treated as privileged.
4327							"url"!: string
4328						}
4329
4330						// URLPath is the URL path to be used in the HTTP GET or POST
4331						// request to the
4332						// Kubernetes API server (e.g. "/api/v1/namespaces" or
4333						// "/apis/apps/v1/deployments").
4334						// The format required is the same format used by the `kubectl get
4335						// --raw` command.
4336						// See
4337						// https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
4338						// for details.
4339						// It's mutually exclusive with the Service field.
4340						"urlPath"?: string
4341					}
4342
4343					// ConfigMap is the ConfigMap reference.
4344					"configMap"?: {
4345						// Name is the ConfigMap name.
4346						"name"!: string
4347
4348						// Namespace is the ConfigMap namespace.
4349						"namespace"?: string
4350					}
4351
4352					// GlobalContextEntryReference is a reference to a cached global
4353					// context entry.
4354					"globalReference"?: {
4355						// JMESPath is an optional JSON Match Expression that can be used
4356						// to
4357						// transform the JSON response returned from the server. For
4358						// example
4359						// a JMESPath of "items | length(@)" applied to the API server
4360						// response
4361						// for the URLPath "/apis/apps/v1/deployments" will return the
4362						// total count
4363						// of deployments across all namespaces.
4364						"jmesPath"?: string
4365
4366						// Name of the global context entry
4367						"name"!: string
4368					}
4369
4370					// ImageRegistry defines requests to an OCI/Docker V2 registry to
4371					// fetch image
4372					// details.
4373					"imageRegistry"?: {
4374						// ImageRegistryCredentials provides credentials that will be used
4375						// for authentication with registry
4376						"imageRegistryCredentials"?: {
4377							// AllowInsecureRegistry allows insecure access to a registry.
4378							"allowInsecureRegistry"?: bool
4379
4380							// Providers specifies a list of OCI Registry names, whose
4381							// authentication providers are provided.
4382							// It can be of one of these values:
4383							// default,google,azure,amazon,github.
4384							"providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
4385
4386							// Secrets specifies a list of secrets that are provided for
4387							// credentials.
4388							// Secrets must live in the Kyverno namespace.
4389							"secrets"?: [...string]
4390						}
4391
4392						// JMESPath is an optional JSON Match Expression that can be used
4393						// to
4394						// transform the ImageData struct returned as a result of
4395						// processing
4396						// the image reference.
4397						"jmesPath"?: string
4398
4399						// Reference is image reference to a container image in the
4400						// registry.
4401						// Example: ghcr.io/kyverno/kyverno:latest
4402						"reference"!: string
4403					}
4404
4405					// Name is the variable name.
4406					"name"!: string
4407
4408					// Variable defines an arbitrary JMESPath context variable that
4409					// can be defined inline.
4410					"variable"?: {
4411						// Default is an optional arbitrary JSON object that the variable
4412						// may take if the JMESPath
4413						// expression evaluates to nil
4414						"default"?: null | bool | number | string | [...] | {
4415							...
4416						}
4417
4418						// JMESPath is an optional JMESPath Expression that can be used to
4419						// transform the variable.
4420						"jmesPath"?: string
4421
4422						// Value is any arbitrary JSON object representable in YAML or
4423						// JSON form.
4424						"value"?: null | bool | number | string | [...] | {
4425							...
4426						}
4427					}
4428				}]
4429
4430				// ExcludeResources defines when this policy rule should not be
4431				// applied. The exclude
4432				// criteria can include resource information (e.g. kind, name,
4433				// namespace, labels)
4434				// and admission review request information like the name or role.
4435				"exclude"?: matchN(0, [null | bool | number | string | [...] | {
4436					"any"!: _
4437					"all"!: _
4438				}]) & {
4439					// All allows specifying resources which will be ANDed
4440					"all"?: [...{
4441						// ClusterRoles is the list of cluster-wide role names for the
4442						// user.
4443						"clusterRoles"?: [...string]
4444
4445						// ResourceDescription contains information about the resource
4446						// being created or modified.
4447						"resources"?: matchN(0, [null | bool | number | string | [...] | {
4448							"name"!:  _
4449							"names"!: _
4450						}]) & {
4451							// Annotations is a map of annotations (key-value pairs of type
4452							// string). Annotation keys
4453							// and values support the wildcard characters "*" (matches zero or
4454							// many characters) and
4455							// "?" (matches at least one character).
4456							"annotations"?: [string]: string
4457
4458							// Kinds is a list of resource kinds.
4459							"kinds"?: [...string]
4460
4461							// Name is the name of the resource. The name supports wildcard
4462							// characters
4463							// "*" (matches zero or many characters) and "?" (at least one
4464							// character).
4465							// NOTE: "Name" is being deprecated in favor of "Names".
4466							"name"?: string
4467
4468							// Names are the names of the resources. Each name supports
4469							// wildcard characters
4470							// "*" (matches zero or many characters) and "?" (at least one
4471							// character).
4472							"names"?: [...string]
4473
4474							// NamespaceSelector is a label selector for the resource
4475							// namespace. Label keys and values
4476							// in `matchLabels` support the wildcard characters `*` (matches
4477							// zero or many characters)
4478							// and `?` (matches one character).Wildcards allows writing label
4479							// selectors like
4480							// ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
4481							// any key and value but
4482							// does not match an empty label set.
4483							"namespaceSelector"?: {
4484								// matchExpressions is a list of label selector requirements. The
4485								// requirements are ANDed.
4486								"matchExpressions"?: [...{
4487									// key is the label key that the selector applies to.
4488									"key"!: string
4489
4490									// operator represents a key's relationship to a set of values.
4491									// Valid operators are In, NotIn, Exists and DoesNotExist.
4492									"operator"!: string
4493
4494									// values is an array of string values. If the operator is In or
4495									// NotIn,
4496									// the values array must be non-empty. If the operator is Exists
4497									// or DoesNotExist,
4498									// the values array must be empty. This array is replaced during a
4499									// strategic
4500									// merge patch.
4501									"values"?: [...string]
4502								}]
4503
4504								// matchLabels is a map of {key,value} pairs. A single {key,value}
4505								// in the matchLabels
4506								// map is equivalent to an element of matchExpressions, whose key
4507								// field is "key", the
4508								// operator is "In", and the values array contains only "value".
4509								// The requirements are ANDed.
4510								"matchLabels"?: {
4511									[string]: string
4512								}
4513							}
4514
4515							// Namespaces is a list of namespaces names. Each name supports
4516							// wildcard characters
4517							// "*" (matches zero or many characters) and "?" (at least one
4518							// character).
4519							"namespaces"?: [...string]
4520
4521							// Operations can contain values ["CREATE", "UPDATE", "CONNECT",
4522							// "DELETE"], which are used to match a specific action.
4523							"operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
4524
4525							// Selector is a label selector. Label keys and values in
4526							// `matchLabels` support the wildcard
4527							// characters `*` (matches zero or many characters) and `?`
4528							// (matches one character).
4529							// Wildcards allows writing label selectors like
4530							// ["storage.k8s.io/*": "*"]. Note that
4531							// using ["*" : "*"] matches any key and value but does not match
4532							// an empty label set.
4533							"selector"?: {
4534								// matchExpressions is a list of label selector requirements. The
4535								// requirements are ANDed.
4536								"matchExpressions"?: [...{
4537									// key is the label key that the selector applies to.
4538									"key"!: string
4539
4540									// operator represents a key's relationship to a set of values.
4541									// Valid operators are In, NotIn, Exists and DoesNotExist.
4542									"operator"!: string
4543
4544									// values is an array of string values. If the operator is In or
4545									// NotIn,
4546									// the values array must be non-empty. If the operator is Exists
4547									// or DoesNotExist,
4548									// the values array must be empty. This array is replaced during a
4549									// strategic
4550									// merge patch.
4551									"values"?: [...string]
4552								}]
4553
4554								// matchLabels is a map of {key,value} pairs. A single {key,value}
4555								// in the matchLabels
4556								// map is equivalent to an element of matchExpressions, whose key
4557								// field is "key", the
4558								// operator is "In", and the values array contains only "value".
4559								// The requirements are ANDed.
4560								"matchLabels"?: {
4561									[string]: string
4562								}
4563							}
4564						}
4565
4566						// Roles is the list of namespaced role names for the user.
4567						"roles"?: [...string]
4568
4569						// Subjects is the list of subject names like users, user groups,
4570						// and service accounts.
4571						"subjects"?: [...{
4572							// APIGroup holds the API group of the referenced subject.
4573							// Defaults to "" for ServiceAccount subjects.
4574							// Defaults to "rbac.authorization.k8s.io" for User and Group
4575							// subjects.
4576							"apiGroup"?: string
4577
4578							// Kind of object being referenced. Values defined by this API
4579							// group are "User", "Group", and "ServiceAccount".
4580							// If the Authorizer does not recognized the kind value, the
4581							// Authorizer should report an error.
4582							"kind"!: string
4583
4584							// Name of the object being referenced.
4585							"name"!: string
4586
4587							// Namespace of the referenced object. If the object kind is
4588							// non-namespace, such as "User" or "Group", and this value is
4589							// not empty
4590							// the Authorizer should report an error.
4591							"namespace"?: string
4592						}]
4593					}]
4594
4595					// Any allows specifying resources which will be ORed
4596					"any"?: [...{
4597						// ClusterRoles is the list of cluster-wide role names for the
4598						// user.
4599						"clusterRoles"?: [...string]
4600
4601						// ResourceDescription contains information about the resource
4602						// being created or modified.
4603						"resources"?: matchN(0, [null | bool | number | string | [...] | {
4604							"name"!:  _
4605							"names"!: _
4606						}]) & {
4607							// Annotations is a map of annotations (key-value pairs of type
4608							// string). Annotation keys
4609							// and values support the wildcard characters "*" (matches zero or
4610							// many characters) and
4611							// "?" (matches at least one character).
4612							"annotations"?: [string]: string
4613
4614							// Kinds is a list of resource kinds.
4615							"kinds"?: [...string]
4616
4617							// Name is the name of the resource. The name supports wildcard
4618							// characters
4619							// "*" (matches zero or many characters) and "?" (at least one
4620							// character).
4621							// NOTE: "Name" is being deprecated in favor of "Names".
4622							"name"?: string
4623
4624							// Names are the names of the resources. Each name supports
4625							// wildcard characters
4626							// "*" (matches zero or many characters) and "?" (at least one
4627							// character).
4628							"names"?: [...string]
4629
4630							// NamespaceSelector is a label selector for the resource
4631							// namespace. Label keys and values
4632							// in `matchLabels` support the wildcard characters `*` (matches
4633							// zero or many characters)
4634							// and `?` (matches one character).Wildcards allows writing label
4635							// selectors like
4636							// ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
4637							// any key and value but
4638							// does not match an empty label set.
4639							"namespaceSelector"?: {
4640								// matchExpressions is a list of label selector requirements. The
4641								// requirements are ANDed.
4642								"matchExpressions"?: [...{
4643									// key is the label key that the selector applies to.
4644									"key"!: string
4645
4646									// operator represents a key's relationship to a set of values.
4647									// Valid operators are In, NotIn, Exists and DoesNotExist.
4648									"operator"!: string
4649
4650									// values is an array of string values. If the operator is In or
4651									// NotIn,
4652									// the values array must be non-empty. If the operator is Exists
4653									// or DoesNotExist,
4654									// the values array must be empty. This array is replaced during a
4655									// strategic
4656									// merge patch.
4657									"values"?: [...string]
4658								}]
4659
4660								// matchLabels is a map of {key,value} pairs. A single {key,value}
4661								// in the matchLabels
4662								// map is equivalent to an element of matchExpressions, whose key
4663								// field is "key", the
4664								// operator is "In", and the values array contains only "value".
4665								// The requirements are ANDed.
4666								"matchLabels"?: {
4667									[string]: string
4668								}
4669							}
4670
4671							// Namespaces is a list of namespace names. Each name supports
4672							// wildcard characters
4673							// "*" (matches zero or many characters) and "?" (at least one
4674							// character).
4675							"namespaces"?: [...string]
4676
4677							// Operations can contain values ["CREATE", "UPDATE", "CONNECT",
4678							// "DELETE"], which are used to match a specific action.
4679							"operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
4680
4681							// Selector is a label selector. Label keys and values in
4682							// `matchLabels` support the wildcard
4683							// characters `*` (matches zero or many characters) and `?`
4684							// (matches one character).
4685							// Wildcards allows writing label selectors like
4686							// ["storage.k8s.io/*": "*"]. Note that
4687							// using ["*" : "*"] matches any key and value but does not match
4688							// an empty label set.
4689							"selector"?: {
4690								// matchExpressions is a list of label selector requirements. The
4691								// requirements are ANDed.
4692								"matchExpressions"?: [...{
4693									// key is the label key that the selector applies to.
4694									"key"!: string
4695
4696									// operator represents a key's relationship to a set of values.
4697									// Valid operators are In, NotIn, Exists and DoesNotExist.
4698									"operator"!: string
4699
4700									// values is an array of string values. If the operator is In or
4701									// NotIn,
4702									// the values array must be non-empty. If the operator is Exists
4703									// or DoesNotExist,
4704									// the values array must be empty. This array is replaced during a
4705									// strategic
4706									// merge patch.
4707									"values"?: [...string]
4708								}]
4709
4710								// matchLabels is a map of {key,value} pairs. A single {key,value}
4711								// in the matchLabels
4712								// map is equivalent to an element of matchExpressions, whose key
4713								// field is "key", the
4714								// operator is "In", and the values array contains only "value".
4715								// The requirements are ANDed.
4716								"matchLabels"?: {
4717									[string]: string
4718								}
4719							}
4720						}
4721
4722						// Roles is the list of namespaced role names for the user.
4723						"roles"?: [...string]
4724
4725						// Subjects is the list of subject names like users, user groups,
4726						// and service accounts.
4727						"subjects"?: [...{
4728							// APIGroup holds the API group of the referenced subject.
4729							// Defaults to "" for ServiceAccount subjects.
4730							// Defaults to "rbac.authorization.k8s.io" for User and Group
4731							// subjects.
4732							"apiGroup"?: string
4733
4734							// Kind of object being referenced. Values defined by this API
4735							// group are "User", "Group", and "ServiceAccount".
4736							// If the Authorizer does not recognize the kind value, the
4737							// Authorizer should report an error.
4738							"kind"!: string
4739
4740							// Name of the object being referenced.
4741							"name"!: string
4742
4743							// Namespace of the referenced object. If the object kind is
4744							// non-namespaced, such as "User" or "Group", and this value is
4745							// not empty,
4746							// the Authorizer should report an error.
4747							"namespace"?: string
4748						}]
4749					}]
4750
4751					// ClusterRoles is the list of cluster-wide role names for the
4752					// user.
4753					"clusterRoles"?: [...string]
4754
4755					// ResourceDescription contains information about the resource
4756					// being created or modified.
4757					// Requires at least one tag to be specified when under
4758					// MatchResources.
4759					// Specifying ResourceDescription directly under match is being
4760					// deprecated.
4761					// Please specify under "any" or "all" instead.
4762					"resources"?: matchN(0, [null | bool | number | string | [...] | {
4763						"name"!:  _
4764						"names"!: _
4765					}]) & {
4766						// Annotations is a map of annotations (key-value pairs of type
4767						// string). Annotation keys
4768						// and values support the wildcard characters "*" (matches zero or
4769						// many characters) and
4770						// "?" (matches at least one character).
4771						"annotations"?: [string]: string
4772
4773						// Kinds is a list of resource kinds.
4774						"kinds"?: [...string]
4775
4776						// Name is the name of the resource. The name supports wildcard
4777						// characters
4778						// "*" (matches zero or many characters) and "?" (at least one
4779						// character).
4780						// NOTE: "Name" is being deprecated in favor of "Names".
4781						"name"?: string
4782
4783						// Names are the names of the resources. Each name supports
4784						// wildcard characters
4785						// "*" (matches zero or many characters) and "?" (at least one
4786						// character).
4787						"names"?: [...string]
4788
4789						// NamespaceSelector is a label selector for the resource
4790						// namespace. Label keys and values
4791						// in `matchLabels` support the wildcard characters `*` (matches
4792						// zero or many characters)
4793						// and `?` (matches one character). Wildcards allow writing label
4794						// selectors like
4795						// ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
4796						// any key and value but
4797						// does not match an empty label set.
4798						"namespaceSelector"?: {
4799							// matchExpressions is a list of label selector requirements. The
4800							// requirements are ANDed.
4801							"matchExpressions"?: [...{
4802								// key is the label key that the selector applies to.
4803								"key"!: string
4804
4805								// operator represents a key's relationship to a set of values.
4806								// Valid operators are In, NotIn, Exists and DoesNotExist.
4807								"operator"!: string
4808
4809								// values is an array of string values. If the operator is In or
4810								// NotIn,
4811								// the values array must be non-empty. If the operator is Exists
4812								// or DoesNotExist,
4813								// the values array must be empty. This array is replaced during a
4814								// strategic
4815								// merge patch.
4816								"values"?: [...string]
4817							}]
4818
4819							// matchLabels is a map of {key,value} pairs. A single {key,value}
4820							// in the matchLabels
4821							// map is equivalent to an element of matchExpressions, whose key
4822							// field is "key", the
4823							// operator is "In", and the values array contains only "value".
4824							// The requirements are ANDed.
4825							"matchLabels"?: {
4826								[string]: string
4827							}
4828						}
4829
4830						// Namespaces is a list of namespace names. Each name supports
4831						// wildcard characters
4832						// "*" (matches zero or many characters) and "?" (at least one
4833						// character).
4834						"namespaces"?: [...string]
4835
4836						// Operations can contain values ["CREATE", "UPDATE", "CONNECT",
4837						// "DELETE"], which are used to match a specific action.
4838						"operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
4839
4840						// Selector is a label selector. Label keys and values in
4841						// `matchLabels` support the wildcard
4842						// characters `*` (matches zero or many characters) and `?`
4843						// (matches one character).
4844						// Wildcards allows writing label selectors like
4845						// ["storage.k8s.io/*": "*"]. Note that
4846						// using ["*" : "*"] matches any key and value but does not match
4847						// an empty label set.
4848						"selector"?: {
4849							// matchExpressions is a list of label selector requirements. The
4850							// requirements are ANDed.
4851							"matchExpressions"?: [...{
4852								// key is the label key that the selector applies to.
4853								"key"!: string
4854
4855								// operator represents a key's relationship to a set of values.
4856								// Valid operators are In, NotIn, Exists and DoesNotExist.
4857								"operator"!: string
4858
4859								// values is an array of string values. If the operator is In or
4860								// NotIn,
4861								// the values array must be non-empty. If the operator is Exists
4862								// or DoesNotExist,
4863								// the values array must be empty. This array is replaced during a
4864								// strategic
4865								// merge patch.
4866								"values"?: [...string]
4867							}]
4868
4869							// matchLabels is a map of {key,value} pairs. A single {key,value}
4870							// in the matchLabels
4871							// map is equivalent to an element of matchExpressions, whose key
4872							// field is "key", the
4873							// operator is "In", and the values array contains only "value".
4874							// The requirements are ANDed.
4875							"matchLabels"?: {
4876								[string]: string
4877							}
4878						}
4879					}
4880
4881					// Roles is the list of namespaced role names for the user.
4882					"roles"?: [...string]
4883
4884					// Subjects is the list of subject names like users, user groups,
4885					// and service accounts.
4886					"subjects"?: [...{
4887						// APIGroup holds the API group of the referenced subject.
4888						// Defaults to "" for ServiceAccount subjects.
4889						// Defaults to "rbac.authorization.k8s.io" for User and Group
4890						// subjects.
4891						"apiGroup"?: string
4892
4893						// Kind of object being referenced. Values defined by this API
4894						// group are "User", "Group", and "ServiceAccount".
4895						// If the Authorizer does not recognize the kind value, the
4896						// Authorizer should report an error.
4897						"kind"!: string
4898
4899						// Name of the object being referenced.
4900						"name"!: string
4901
4902						// Namespace of the referenced object. If the object kind is
4903						// non-namespaced, such as "User" or "Group", and this value is
4904						// not empty,
4905						// the Authorizer should report an error.
4906						"namespace"?: string
4907					}]
4908				}
4909
4910				// Generation is used to create new resources.
4911				"generate"?: {
4912					// APIVersion specifies resource apiVersion.
4913					"apiVersion"?: string
4914
4915					// Clone specifies the source resource used to populate each
4916					// generated resource.
4917					// At most one of Data or Clone can be specified. If neither are
4918					// provided, the generated
4919					// resource will be created with default data only.
4920					"clone"?: {
4921						// Name specifies name of the resource.
4922						"name"?: string
4923
4924						// Namespace specifies source resource namespace.
4925						"namespace"?: string
4926					}
4927
4928					// CloneList specifies the list of source resource used to
4929					// populate each generated resource.
4930					"cloneList"?: {
4931						// Kinds is a list of resource kinds.
4932						"kinds"?: [...string]
4933
4934						// Namespace specifies source resource namespace.
4935						"namespace"?: string
4936
4937						// Selector is a label selector. Label keys and values in
4938						// `matchLabels`.
4939						// wildcard characters are not supported.
4940						"selector"?: {
4941							// matchExpressions is a list of label selector requirements. The
4942							// requirements are ANDed.
4943							"matchExpressions"?: [...{
4944								// key is the label key that the selector applies to.
4945								"key"!: string
4946
4947								// operator represents a key's relationship to a set of values.
4948								// Valid operators are In, NotIn, Exists and DoesNotExist.
4949								"operator"!: string
4950
4951								// values is an array of string values. If the operator is In or
4952								// NotIn,
4953								// the values array must be non-empty. If the operator is Exists
4954								// or DoesNotExist,
4955								// the values array must be empty. This array is replaced during a
4956								// strategic
4957								// merge patch.
4958								"values"?: [...string]
4959							}]
4960
4961							// matchLabels is a map of {key,value} pairs. A single {key,value}
4962							// in the matchLabels
4963							// map is equivalent to an element of matchExpressions, whose key
4964							// field is "key", the
4965							// operator is "In", and the values array contains only "value".
4966							// The requirements are ANDed.
4967							"matchLabels"?: {
4968								[string]: string
4969							}
4970						}
4971					}
4972
4973					// Data provides the resource declaration used to populate each
4974					// generated resource.
4975					// At most one of Data or Clone can be specified. If neither are
4976					// provided, the generated
4977					// resource will be created with default data only.
4978					"data"?: null | bool | number | string | [...] | {
4979						...
4980					}
4981
4982					// ForEach applies generate rules to a list of sub-elements by
4983					// creating a context for each entry in the list and looping over
4984					// it to apply the specified logic.
4985					"foreach"?: [...{
4986						// APIVersion specifies resource apiVersion.
4987						"apiVersion"?: string
4988
4989						// Clone specifies the source resource used to populate each
4990						// generated resource.
4991						// At most one of Data or Clone can be specified. If neither are
4992						// provided, the generated
4993						// resource will be created with default data only.
4994						"clone"?: {
4995							// Name specifies name of the resource.
4996							"name"?: string
4997
4998							// Namespace specifies source resource namespace.
4999							"namespace"?: string
5000						}
5001
5002						// CloneList specifies the list of source resource used to
5003						// populate each generated resource.
5004						"cloneList"?: {
5005							// Kinds is a list of resource kinds.
5006							"kinds"?: [...string]
5007
5008							// Namespace specifies source resource namespace.
5009							"namespace"?: string
5010
5011							// Selector is a label selector. Label keys and values in
5012							// `matchLabels`.
5013							// wildcard characters are not supported.
5014							"selector"?: {
5015								// matchExpressions is a list of label selector requirements. The
5016								// requirements are ANDed.
5017								"matchExpressions"?: [...{
5018									// key is the label key that the selector applies to.
5019									"key"!: string
5020
5021									// operator represents a key's relationship to a set of values.
5022									// Valid operators are In, NotIn, Exists and DoesNotExist.
5023									"operator"!: string
5024
5025									// values is an array of string values. If the operator is In or
5026									// NotIn,
5027									// the values array must be non-empty. If the operator is Exists
5028									// or DoesNotExist,
5029									// the values array must be empty. This array is replaced during a
5030									// strategic
5031									// merge patch.
5032									"values"?: [...string]
5033								}]
5034
5035								// matchLabels is a map of {key,value} pairs. A single {key,value}
5036								// in the matchLabels
5037								// map is equivalent to an element of matchExpressions, whose key
5038								// field is "key", the
5039								// operator is "In", and the values array contains only "value".
5040								// The requirements are ANDed.
5041								"matchLabels"?: {
5042									[string]: string
5043								}
5044							}
5045						}
5046
5047						// Context defines variables and data sources that can be used
5048						// during rule execution.
5049						"context"?: [...matchN(1, [{
5050							"configMap"!: _
5051						}, {
5052							"apiCall"!: _
5053						}, {
5054							"imageRegistry"!: _
5055						}, {
5056							"variable"!: _
5057						}, {
5058							"globalReference"!: _
5059						}]) & {
5060							// APICall is an HTTP request to the Kubernetes API server, or
5061							// other JSON web service.
5062							// The data returned is stored in the context with the name for
5063							// the context entry.
5064							"apiCall"?: {
5065								// The data object specifies the POST data sent to the server.
5066								// Only applicable when the method field is set to POST.
5067								"data"?: [...{
5068									// Key is a unique identifier for the data value
5069									"key"!: string
5070
5071									// Value is the data value
5072									"value"!: null | bool | number | string | [...] | {
5073										...
5074									}
5075								}]
5076
5077								// Default is an optional arbitrary JSON object that the context value is set to if the apiCall returns an error.
5078								// Note that a failed lookup then silently yields this value, so prefer a default under which the rule fails closed.
5079								"default"?: null | bool | number | string | [...] | {
5080									...
5081								}
5082
5083								// JMESPath is an optional JSON Match Expression that can be used
5084								// to
5085								// transform the JSON response returned from the server. For
5086								// example
5087								// a JMESPath of "items | length(@)" applied to the API server
5088								// response
5089								// for the URLPath "/apis/apps/v1/deployments" will return the
5090								// total count
5091								// of deployments across all namespaces.
5092								"jmesPath"?: string
5093
5094								// Method is the HTTP request type (GET or POST). Defaults to GET.
5095								"method"?: "GET" | "POST"
5096
5097								// Service is an API call to a JSON web service.
5098								// This is used for non-Kubernetes API server calls.
5099								// It's mutually exclusive with the URLPath field.
5100								"service"?: {
5101									// CABundle is a PEM encoded CA bundle which will be used to
5102									// validate
5103									// the server certificate.
5104									"caBundle"?: string
5105
5106									// Headers is a list of optional HTTP headers to be included in the request.
5107									// Values are plain strings in the policy spec (not Secret references), so avoid embedding long-lived credentials here.
5108									"headers"?: [...{
5109										// Key is the header key
5110										"key"!: string
5111
5112										// Value is the header value
5113										"value"!: string
5114									}]
5115
5116									// URL is the JSON web service URL. A typical form is
5117									// `https://{service}.{namespace}:{port}/{path}`.
5118									"url"!: string
5119								}
5120
5121								// URLPath is the URL path to be used in the HTTP GET or POST
5122								// request to the
5123								// Kubernetes API server (e.g. "/api/v1/namespaces" or
5124								// "/apis/apps/v1/deployments").
5125								// The format required is the same format used by the `kubectl get
5126								// --raw` command.
5127								// See
5128								// https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
5129								// for details.
5130								// It's mutually exclusive with the Service field.
5131								"urlPath"?: string
5132							}
5133
5134							// ConfigMap is the ConfigMap reference.
5135							"configMap"?: {
5136								// Name is the ConfigMap name.
5137								"name"!: string
5138
5139								// Namespace is the ConfigMap namespace.
5140								"namespace"?: string
5141							}
5142
5143							// GlobalContextEntryReference is a reference to a cached global
5144							// context entry.
5145							"globalReference"?: {
5146								// JMESPath is an optional JSON Match Expression that can be used
5147								// to
5148								// transform the JSON response returned from the server. For
5149								// example
5150								// a JMESPath of "items | length(@)" applied to the API server
5151								// response
5152								// for the URLPath "/apis/apps/v1/deployments" will return the
5153								// total count
5154								// of deployments across all namespaces.
5155								"jmesPath"?: string
5156
5157								// Name of the global context entry
5158								"name"!: string
5159							}
5160
5161							// ImageRegistry defines requests to an OCI/Docker V2 registry to
5162							// fetch image
5163							// details.
5164							"imageRegistry"?: {
5165								// ImageRegistryCredentials provides credentials that will be used
5166								// for authentication with registry
5167								"imageRegistryCredentials"?: {
5168									// AllowInsecureRegistry allows insecure access to a registry. This is an explicit opt-out of secure registry access; leave it unset unless the registry genuinely requires it.
5169									"allowInsecureRegistry"?: bool
5170
5171									// Providers specifies a list of OCI Registry names, whose
5172									// authentication providers are provided.
5173									// It can be of one of these values:
5174									// default,google,azure,amazon,github.
5175									"providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
5176
5177									// Secrets specifies a list of secrets that are provided for
5178									// credentials.
5179									// Secrets must live in the Kyverno namespace.
5180									"secrets"?: [...string]
5181								}
5182
5183								// JMESPath is an optional JSON Match Expression that can be used
5184								// to
5185								// transform the ImageData struct returned as a result of
5186								// processing
5187								// the image reference.
5188								"jmesPath"?: string
5189
5190								// Reference is image reference to a container image in the
5191								// registry.
5192								// Example: ghcr.io/kyverno/kyverno:latest
5193								"reference"!: string
5194							}
5195
5196							// Name is the variable name.
5197							"name"!: string
5198
5199							// Variable defines an arbitrary JMESPath context variable that
5200							// can be defined inline.
5201							"variable"?: {
5202								// Default is an optional arbitrary JSON object that the variable
5203								// may take if the JMESPath
5204								// expression evaluates to nil
5205								"default"?: null | bool | number | string | [...] | {
5206									...
5207								}
5208
5209								// JMESPath is an optional JMESPath Expression that can be used to
5210								// transform the variable.
5211								"jmesPath"?: string
5212
5213								// Value is any arbitrary JSON object representable in YAML or
5214								// JSON form.
5215								"value"?: null | bool | number | string | [...] | {
5216									...
5217								}
5218							}
5219						}]
5220
5221						// Data provides the resource declaration used to populate each
5222						// generated resource.
5223						// At most one of Data or Clone can be specified. If neither are
5224						// provided, the generated
5225						// resource will be created with default data only.
5226						"data"?: null | bool | number | string | [...] | {
5227							...
5228						}
5229
5230						// Kind specifies resource kind.
5231						"kind"?: string
5232
5233						// List specifies a JMESPath expression that results in one or
5234						// more elements
5235						// to which the generate logic is applied.
5236						"list"?: string
5237
5238						// Name specifies the resource name.
5239						"name"?: string
5240
5241						// Namespace specifies resource namespace.
5242						"namespace"?: string
5243
5244						// AnyAllConditions are used to determine if a policy rule should
5245						// be applied by evaluating a
5246						// set of conditions. The declaration can contain nested `any` or
5247						// `all` statements.
5248						// See: https://kyverno.io/docs/writing-policies/preconditions/
5249						"preconditions"?: {
5250							// AllConditions enable variable-based conditional rule execution.
5251							// This is useful for
5252							// finer control of when a rule is applied. A condition can
5253							// reference object data
5254							// using JMESPath notation.
5255							// Here, all of the conditions need to pass
5256							"all"?: [...{
5257								// Key is the context entry (using JMESPath) for conditional rule
5258								// evaluation.
5259								"key"?: null | bool | number | string | [...] | {
5260									...
5261								}
5262
5263								// Message is an optional display message
5264								"message"?: string
5265
5266								// Operator is the conditional operation to perform. Valid
5267								// operators are:
5268								// Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
5269								// GreaterThanOrEquals,
5270								// GreaterThan, LessThanOrEquals, LessThan,
5271								// DurationGreaterThanOrEquals, DurationGreaterThan,
5272								// DurationLessThanOrEquals, DurationLessThan
5273								"operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
5274
5275								// Value is the conditional value, or set of values. The values
5276								// can be fixed set
5277								// or can be variables declared using JMESPath.
5278								"value"?: null | bool | number | string | [...] | {
5279									...
5280								}
5281							}]
5282
5283							// AnyConditions enable variable-based conditional rule execution.
5284							// This is useful for
5285							// finer control of when a rule is applied. A condition can
5286							// reference object data
5287							// using JMESPath notation.
5288							// Here, at least one of the conditions need to pass
5289							"any"?: [...{
5290								// Key is the context entry (using JMESPath) for conditional rule
5291								// evaluation.
5292								"key"?: null | bool | number | string | [...] | {
5293									...
5294								}
5295
5296								// Message is an optional display message
5297								"message"?: string
5298
5299								// Operator is the conditional operation to perform. Valid
5300								// operators are:
5301								// Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
5302								// GreaterThanOrEquals,
5303								// GreaterThan, LessThanOrEquals, LessThan,
5304								// DurationGreaterThanOrEquals, DurationGreaterThan,
5305								// DurationLessThanOrEquals, DurationLessThan
5306								"operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
5307
5308								// Value is the conditional value, or set of values. The values
5309								// can be fixed set
5310								// or can be variables declared using JMESPath.
5311								"value"?: null | bool | number | string | [...] | {
5312									...
5313								}
5314							}]
5315							...
5316						}
5317
5318						// UID specifies the resource uid.
5319						"uid"?: string
5320					}]
5321
5322					// GenerateExisting controls whether to trigger the rule in
5323					// existing resources
5324					// If set to "true" the rule will be triggered and applied to
5325					// existing matched resources.
5326					"generateExisting"?: bool
5327
5328					// Kind specifies resource kind.
5329					"kind"?: string
5330
5331					// Name specifies the resource name.
5332					"name"?: string
5333
5334					// Namespace specifies resource namespace.
5335					"namespace"?: string
5336
5337					// OrphanDownstreamOnPolicyDelete controls whether generated
5338					// resources should be deleted when the rule that generated
5339					// them is deleted with synchronization enabled. This option is
5340					// only applicable to generate rules of the data type.
5341					// See
5342					// https://kyverno.io/docs/writing-policies/generate/#data-examples.
5343					// Defaults to "false" if not specified.
5344					"orphanDownstreamOnPolicyDelete"?: bool
5345
5346					// Synchronize controls if generated resources should be kept
5347					// in-sync with their source resource.
5348					// If Synchronize is set to "true" changes to generated resources
5349					// will be overwritten with resource
5350					// data from Data or the resource specified in the Clone
5351					// declaration.
5352					// Optional. Defaults to "false" if not specified.
5353					"synchronize"?: bool
5354
5355					// UID specifies the resource uid.
5356					"uid"?: string
5357				}
5358
5359				// ImageExtractors defines a mapping from kinds to
5360				// ImageExtractorConfigs.
5361				// This config is only valid for verifyImages rules.
5362				"imageExtractors"?: {
5363					[string]: [...{
5364						// JMESPath is an optional JMESPath expression to apply to the
5365						// image value.
5366						// This is useful when the extracted image begins with a prefix
5367						// like 'docker://'.
5368						// The 'trim_prefix' function may be used to trim the prefix:
5369						// trim_prefix(@, 'docker://').
5370						// Note - Image digest mutation may not be used when applying a
5371						// JMESPath to an image.
5372						"jmesPath"?: string
5373
5374						// Key is an optional name of the field within 'path' that will be
5375						// used to uniquely identify an image.
5376						// Note - this field MUST be unique.
5377						"key"?: string
5378
5379						// Name is the entry the image will be available under
5380						// 'images.<name>' in the context.
5381						// If this field is not defined, image entries will appear under
5382						// 'images.custom'.
5383						"name"?: string
5384
5385						// Path is the path to the object containing the image field in a
5386						// custom resource.
5387						// It should be slash-separated. Each slash-separated key must be
5388						// a valid YAML key or a wildcard '*'.
5389						// Wildcard keys are expanded in case of arrays or objects.
5390						"path"!: string
5391
5392						// Value is an optional name of the field within 'path' that
5393						// points to the image URI.
5394						// This is useful when a custom 'key' is also defined.
5395						"value"?: string
5396					}]
5397				}
5398
5399				// MatchResources defines when this policy rule should be applied.
5400				// The match
5401				// criteria can include resource information (e.g. kind, name,
5402				// namespace, labels)
5403				// and admission review request information like the user name or
5404				// role.
5405				// At least one kind is required.
5406				"match"!: matchN(0, [null | bool | number | string | [...] | {
5407					"any"!: _
5408					"all"!: _
5409				}]) & {
5410					// All allows specifying resources which will be ANDed
5411					"all"?: [...{
5412						// ClusterRoles is the list of cluster-wide role names for the
5413						// user.
5414						"clusterRoles"?: [...string]
5415
5416						// ResourceDescription contains information about the resource
5417						// being created or modified.
5418						"resources"?: matchN(0, [null | bool | number | string | [...] | {
5419							"name"!:  _
5420							"names"!: _
5421						}]) & {
5422							// Annotations is a map of annotations (key-value pairs of type
5423							// string). Annotation keys
5424							// and values support the wildcard characters "*" (matches zero or
5425							// many characters) and
5426							// "?" (matches at least one character).
5427							"annotations"?: [string]: string
5428
5429							// Kinds is a list of resource kinds.
5430							"kinds"?: [...string]
5431
5432							// Name is the name of the resource. The name supports wildcard
5433							// characters
5434							// "*" (matches zero or many characters) and "?" (at least one
5435							// character).
5436							// NOTE: "Name" is being deprecated in favor of "Names".
5437							"name"?: string
5438
5439							// Names are the names of the resources. Each name supports
5440							// wildcard characters
5441							// "*" (matches zero or many characters) and "?" (at least one
5442							// character).
5443							"names"?: [...string]
5444
5445							// NamespaceSelector is a label selector for the resource
5446							// namespace. Label keys and values
5447							// in `matchLabels` support the wildcard characters `*` (matches
5448							// zero or many characters)
5449							// and `?` (matches one character). Wildcards allow writing label
5450							// selectors like
5451							// ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
5452							// any key and value but
5453							// does not match an empty label set.
5454							"namespaceSelector"?: {
5455								// matchExpressions is a list of label selector requirements. The
5456								// requirements are ANDed.
5457								"matchExpressions"?: [...{
5458									// key is the label key that the selector applies to.
5459									"key"!: string
5460
5461									// operator represents a key's relationship to a set of values.
5462									// Valid operators are In, NotIn, Exists and DoesNotExist.
5463									"operator"!: string
5464
5465									// values is an array of string values. If the operator is In or
5466									// NotIn,
5467									// the values array must be non-empty. If the operator is Exists
5468									// or DoesNotExist,
5469									// the values array must be empty. This array is replaced during a
5470									// strategic
5471									// merge patch.
5472									"values"?: [...string]
5473								}]
5474
5475								// matchLabels is a map of {key,value} pairs. A single {key,value}
5476								// in the matchLabels
5477								// map is equivalent to an element of matchExpressions, whose key
5478								// field is "key", the
5479								// operator is "In", and the values array contains only "value".
5480								// The requirements are ANDed.
5481								"matchLabels"?: {
5482									[string]: string
5483								}
5484							}
5485
5486							// Namespaces is a list of namespaces names. Each name supports
5487							// wildcard characters
5488							// "*" (matches zero or many characters) and "?" (at least one
5489							// character).
5490							"namespaces"?: [...string]
5491
5492							// Operations can contain values ["CREATE", "UPDATE", "CONNECT",
5493							// "DELETE"], which are used to match a specific action.
5494							"operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
5495
5496							// Selector is a label selector. Label keys and values in
5497							// `matchLabels` support the wildcard
5498							// characters `*` (matches zero or many characters) and `?`
5499							// (matches one character).
5500							// Wildcards allows writing label selectors like
5501							// ["storage.k8s.io/*": "*"]. Note that
5502							// using ["*" : "*"] matches any key and value but does not match
5503							// an empty label set.
5504							"selector"?: {
5505								// matchExpressions is a list of label selector requirements. The
5506								// requirements are ANDed.
5507								"matchExpressions"?: [...{
5508									// key is the label key that the selector applies to.
5509									"key"!: string
5510
5511									// operator represents a key's relationship to a set of values.
5512									// Valid operators are In, NotIn, Exists and DoesNotExist.
5513									"operator"!: string
5514
5515									// values is an array of string values. If the operator is In or
5516									// NotIn,
5517									// the values array must be non-empty. If the operator is Exists
5518									// or DoesNotExist,
5519									// the values array must be empty. This array is replaced during a
5520									// strategic
5521									// merge patch.
5522									"values"?: [...string]
5523								}]
5524
5525								// matchLabels is a map of {key,value} pairs. A single {key,value}
5526								// in the matchLabels
5527								// map is equivalent to an element of matchExpressions, whose key
5528								// field is "key", the
5529								// operator is "In", and the values array contains only "value".
5530								// The requirements are ANDed.
5531								"matchLabels"?: {
5532									[string]: string
5533								}
5534							}
5535						}
5536
5537						// Roles is the list of namespaced role names for the user.
5538						"roles"?: [...string]
5539
5540						// Subjects is the list of subject names like users, user groups,
5541						// and service accounts.
5542						"subjects"?: [...{
5543							// APIGroup holds the API group of the referenced subject.
5544							// Defaults to "" for ServiceAccount subjects.
5545							// Defaults to "rbac.authorization.k8s.io" for User and Group
5546							// subjects.
5547							"apiGroup"?: string
5548
5549							// Kind of object being referenced. Values defined by this API
5550							// group are "User", "Group", and "ServiceAccount".
5551							// If the Authorizer does not recognize the kind value, the
5552							// Authorizer should report an error.
5553							"kind"!: string
5554
5555							// Name of the object being referenced.
5556							"name"!: string
5557
5558							// Namespace of the referenced object. If the object kind is
5559							// non-namespaced, such as "User" or "Group", and this value is
5560							// not empty,
5561							// the Authorizer should report an error.
5562							"namespace"?: string
5563						}]
5564					}]
5565
5566					// Any allows specifying resources which will be ORed
5567					"any"?: [...{
5568						// ClusterRoles is the list of cluster-wide role names for the
5569						// user.
5570						"clusterRoles"?: [...string]
5571
5572						// ResourceDescription contains information about the resource
5573						// being created or modified.
5574						"resources"?: matchN(0, [null | bool | number | string | [...] | {
5575							"name"!:  _
5576							"names"!: _
5577						}]) & {
5578							// Annotations is a map of annotations (key-value pairs of type
5579							// string). Annotation keys
5580							// and values support the wildcard characters "*" (matches zero or
5581							// many characters) and
5582							// "?" (matches at least one character).
5583							"annotations"?: [string]: string
5584
5585							// Kinds is a list of resource kinds.
5586							"kinds"?: [...string]
5587
5588							// Name is the name of the resource. The name supports wildcard
5589							// characters
5590							// "*" (matches zero or many characters) and "?" (at least one
5591							// character).
5592							// NOTE: "Name" is being deprecated in favor of "Names".
5593							"name"?: string
5594
5595							// Names are the names of the resources. Each name supports
5596							// wildcard characters
5597							// "*" (matches zero or many characters) and "?" (at least one
5598							// character).
5599							"names"?: [...string]
5600
5601							// NamespaceSelector is a label selector for the resource
5602							// namespace. Label keys and values
5603							// in `matchLabels` support the wildcard characters `*` (matches
5604							// zero or many characters)
5605							// and `?` (matches one character). Wildcards allow writing label
5606							// selectors like
5607							// ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
5608							// any key and value but
5609							// does not match an empty label set.
5610							"namespaceSelector"?: {
5611								// matchExpressions is a list of label selector requirements. The
5612								// requirements are ANDed.
5613								"matchExpressions"?: [...{
5614									// key is the label key that the selector applies to.
5615									"key"!: string
5616
5617									// operator represents a key's relationship to a set of values.
5618									// Valid operators are In, NotIn, Exists and DoesNotExist.
5619									"operator"!: string
5620
5621									// values is an array of string values. If the operator is In or
5622									// NotIn,
5623									// the values array must be non-empty. If the operator is Exists
5624									// or DoesNotExist,
5625									// the values array must be empty. This array is replaced during a
5626									// strategic
5627									// merge patch.
5628									"values"?: [...string]
5629								}]
5630
5631								// matchLabels is a map of {key,value} pairs. A single {key,value}
5632								// in the matchLabels
5633								// map is equivalent to an element of matchExpressions, whose key
5634								// field is "key", the
5635								// operator is "In", and the values array contains only "value".
5636								// The requirements are ANDed.
5637								"matchLabels"?: {
5638									[string]: string
5639								}
5640							}
5641
5642							// Namespaces is a list of namespaces names. Each name supports
5643							// wildcard characters
5644							// "*" (matches zero or many characters) and "?" (at least one
5645							// character).
5646							"namespaces"?: [...string]
5647
5648							// Operations can contain values ["CREATE", "UPDATE", "CONNECT",
5649							// "DELETE"], which are used to match a specific action.
5650							"operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
5651
5652							// Selector is a label selector. Label keys and values in
5653							// `matchLabels` support the wildcard
5654							// characters `*` (matches zero or many characters) and `?`
5655							// (matches one character).
5656							// Wildcards allows writing label selectors like
5657							// ["storage.k8s.io/*": "*"]. Note that
5658							// using ["*" : "*"] matches any key and value but does not match
5659							// an empty label set.
5660							"selector"?: {
5661								// matchExpressions is a list of label selector requirements. The
5662								// requirements are ANDed.
5663								"matchExpressions"?: [...{
5664									// key is the label key that the selector applies to.
5665									"key"!: string
5666
5667									// operator represents a key's relationship to a set of values.
5668									// Valid operators are In, NotIn, Exists and DoesNotExist.
5669									"operator"!: string
5670
5671									// values is an array of string values. If the operator is In or
5672									// NotIn,
5673									// the values array must be non-empty. If the operator is Exists
5674									// or DoesNotExist,
5675									// the values array must be empty. This array is replaced during a
5676									// strategic
5677									// merge patch.
5678									"values"?: [...string]
5679								}]
5680
5681								// matchLabels is a map of {key,value} pairs. A single {key,value}
5682								// in the matchLabels
5683								// map is equivalent to an element of matchExpressions, whose key
5684								// field is "key", the
5685								// operator is "In", and the values array contains only "value".
5686								// The requirements are ANDed.
5687								"matchLabels"?: {
5688									[string]: string
5689								}
5690							}
5691						}
5692
5693						// Roles is the list of namespaced role names for the user.
5694						"roles"?: [...string]
5695
5696						// Subjects is the list of subject names like users, user groups,
5697						// and service accounts.
5698						"subjects"?: [...{
5699							// APIGroup holds the API group of the referenced subject.
5700							// Defaults to "" for ServiceAccount subjects.
5701							// Defaults to "rbac.authorization.k8s.io" for User and Group
5702							// subjects.
5703							"apiGroup"?: string
5704
5705							// Kind of object being referenced. Values defined by this API
5706							// group are "User", "Group", and "ServiceAccount".
5707							// If the Authorizer does not recognize the kind value, the
5708							// Authorizer should report an error.
5709							"kind"!: string
5710
5711							// Name of the object being referenced.
5712							"name"!: string
5713
5714							// Namespace of the referenced object. If the object kind is
5715							// non-namespaced, such as "User" or "Group", and this value is
5716							// not empty,
5717							// the Authorizer should report an error.
5718							"namespace"?: string
5719						}]
5720					}]
5721
5722					// ClusterRoles is the list of cluster-wide role names for the
5723					// user.
5724					"clusterRoles"?: [...string]
5725
5726					// ResourceDescription contains information about the resource
5727					// being created or modified.
5728					// Requires at least one tag to be specified when under
5729					// MatchResources.
5730					// Specifying ResourceDescription directly under match is being
5731					// deprecated.
5732					// Please specify under "any" or "all" instead.
5733					"resources"?: matchN(0, [null | bool | number | string | [...] | {
5734						"name"!:  _
5735						"names"!: _
5736					}]) & {
5737						// Annotations is a map of annotations (key-value pairs of type
5738						// string). Annotation keys
5739						// and values support the wildcard characters "*" (matches zero or
5740						// many characters) and
5741						// "?" (matches at least one character).
5742						"annotations"?: [string]: string
5743
5744						// Kinds is a list of resource kinds.
5745						"kinds"?: [...string]
5746
5747						// Name is the name of the resource. The name supports wildcard
5748						// characters
5749						// "*" (matches zero or many characters) and "?" (at least one
5750						// character).
5751						// NOTE: "Name" is being deprecated in favor of "Names".
5752						"name"?: string
5753
5754						// Names are the names of the resources. Each name supports
5755						// wildcard characters
5756						// "*" (matches zero or many characters) and "?" (at least one
5757						// character).
5758						"names"?: [...string]
5759
5760						// NamespaceSelector is a label selector for the resource
5761						// namespace. Label keys and values
5762						// in `matchLabels` support the wildcard characters `*` (matches
5763						// zero or many characters)
5764						// and `?` (matches one character). Wildcards allow writing label
5765						// selectors like
5766						// ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
5767						// any key and value but
5768						// does not match an empty label set.
5769						"namespaceSelector"?: {
5770							// matchExpressions is a list of label selector requirements. The
5771							// requirements are ANDed.
5772							"matchExpressions"?: [...{
5773								// key is the label key that the selector applies to.
5774								"key"!: string
5775
5776								// operator represents a key's relationship to a set of values.
5777								// Valid operators are In, NotIn, Exists and DoesNotExist.
5778								"operator"!: string
5779
5780								// values is an array of string values. If the operator is In or
5781								// NotIn,
5782								// the values array must be non-empty. If the operator is Exists
5783								// or DoesNotExist,
5784								// the values array must be empty. This array is replaced during a
5785								// strategic
5786								// merge patch.
5787								"values"?: [...string]
5788							}]
5789
5790							// matchLabels is a map of {key,value} pairs. A single {key,value}
5791							// in the matchLabels
5792							// map is equivalent to an element of matchExpressions, whose key
5793							// field is "key", the
5794							// operator is "In", and the values array contains only "value".
5795							// The requirements are ANDed.
5796							"matchLabels"?: {
5797								[string]: string
5798							}
5799						}
5800
5801						// Namespaces is a list of namespaces names. Each name supports
5802						// wildcard characters
5803						// "*" (matches zero or many characters) and "?" (at least one
5804						// character).
5805						"namespaces"?: [...string]
5806
5807						// Operations can contain values ["CREATE", "UPDATE", "CONNECT",
5808						// "DELETE"], which are used to match a specific action.
5809						"operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
5810
5811						// Selector is a label selector. Label keys and values in
5812						// `matchLabels` support the wildcard
5813						// characters `*` (matches zero or many characters) and `?`
5814						// (matches one character).
5815						// Wildcards allows writing label selectors like
5816						// ["storage.k8s.io/*": "*"]. Note that
5817						// using ["*" : "*"] matches any key and value but does not match
5818						// an empty label set.
5819						"selector"?: {
5820							// matchExpressions is a list of label selector requirements. The
5821							// requirements are ANDed.
5822							"matchExpressions"?: [...{
5823								// key is the label key that the selector applies to.
5824								"key"!: string
5825
5826								// operator represents a key's relationship to a set of values.
5827								// Valid operators are In, NotIn, Exists and DoesNotExist.
5828								"operator"!: string
5829
5830								// values is an array of string values. If the operator is In or
5831								// NotIn,
5832								// the values array must be non-empty. If the operator is Exists
5833								// or DoesNotExist,
5834								// the values array must be empty. This array is replaced during a
5835								// strategic
5836								// merge patch.
5837								"values"?: [...string]
5838							}]
5839
5840							// matchLabels is a map of {key,value} pairs. A single {key,value}
5841							// in the matchLabels
5842							// map is equivalent to an element of matchExpressions, whose key
5843							// field is "key", the
5844							// operator is "In", and the values array contains only "value".
5845							// The requirements are ANDed.
5846							"matchLabels"?: {
5847								[string]: string
5848							}
5849						}
5850					}
5851
5852					// Roles is the list of namespaced role names for the user.
5853					"roles"?: [...string]
5854
5855					// Subjects is the list of subject names like users, user groups,
5856					// and service accounts.
5857					"subjects"?: [...{
5858						// APIGroup holds the API group of the referenced subject.
5859						// Defaults to "" for ServiceAccount subjects.
5860						// Defaults to "rbac.authorization.k8s.io" for User and Group
5861						// subjects.
5862						"apiGroup"?: string
5863
5864						// Kind of object being referenced. Values defined by this API
5865						// group are "User", "Group", and "ServiceAccount".
5866						// If the Authorizer does not recognize the kind value, the
5867						// Authorizer should report an error.
5868						"kind"!: string
5869
5870						// Name of the object being referenced.
5871						"name"!: string
5872
5873						// Namespace of the referenced object. If the object kind is
5874						// non-namespaced, such as "User" or "Group", and this value is
5875						// not empty,
5876						// the Authorizer should report an error.
5877						"namespace"?: string
5878					}]
5879				}
5880
5881				// Mutation is used to modify matching resources.
5882				"mutate"?: {
5883					// ForEach applies mutation rules to a list of sub-elements by
5884					// creating a context for each entry in the list and looping over
5885					// it to apply the specified logic.
5886					"foreach"?: [...{
5887						// Context defines variables and data sources that can be used
5888						// during rule execution.
5889						"context"?: [...matchN(1, [{
5890							"configMap"!: _
5891						}, {
5892							"apiCall"!: _
5893						}, {
5894							"imageRegistry"!: _
5895						}, {
5896							"variable"!: _
5897						}, {
5898							"globalReference"!: _
5899						}]) & {
5900							// APICall is an HTTP request to the Kubernetes API server, or
5901							// other JSON web service.
5902							// The data returned is stored in the context with the name for
5903							// the context entry.
5904							"apiCall"?: {
5905								// The data object specifies the POST data sent to the server.
5906								// Only applicable when the method field is set to POST.
5907								"data"?: [...{
5908									// Key is a unique identifier for the data value
5909									"key"!: string
5910
5911									// Value is the data value
5912									"value"!: null | bool | number | string | [...] | {
5913										...
5914									}
5915								}]
5916
5917								// Default is an optional arbitrary JSON object that the context value is set to if the apiCall returns an error. It silently masks a failed lookup,
5918								// so choose a value the rule treats as a denial (fail closed); a permissive default lets an unreachable API server or web service bypass the rule.
5919								"default"?: null | bool | number | string | [...] | {
5920									...
5921								}
5922
5923								// JMESPath is an optional JSON Match Expression that can be used
5924								// to
5925								// transform the JSON response returned from the server. For
5926								// example
5927								// a JMESPath of "items | length(@)" applied to the API server
5928								// response
5929								// for the URLPath "/apis/apps/v1/deployments" will return the
5930								// total count
5931								// of deployments across all namespaces.
5932								"jmesPath"?: string
5933
5934								// Method is the HTTP request type (GET or POST). Defaults to GET.
5935								"method"?: "GET" | "POST"
5936
5937								// Service is an API call to a JSON web service.
5938								// This is used for non-Kubernetes API server calls.
5939								// It's mutually exclusive with the URLPath field.
5940								"service"?: {
5941									// CABundle is a PEM encoded CA bundle which will be used to
5942									// validate the server certificate. Prefer the private CA that issued the service's certificate
5943									// over a broad public bundle, so that only that service can answer the call.
5944									"caBundle"?: string
5945
5946									// Headers is a list of optional HTTP headers to be included in the request. Values are stored in
5947									// clear text in the policy object, so avoid embedding long-lived credentials (e.g. bearer tokens) here.
5948									"headers"?: [...{
5949										// Key is the header key
5950										"key"!: string
5951
5952										// Value is the header value
5953										"value"!: string
5954									}]
5955
5956									// URL is the JSON web service URL. A typical form is
5957									// `https://{service}.{namespace}:{port}/{path}`. Use https: a plain-http response is neither authenticated nor confidential, so a rule that trusts it could be fed data injected on the network path.
5958									"url"!: string
5959								}
5960
5961								// URLPath is the URL path to be used in the HTTP GET or POST
5962								// request to the
5963								// Kubernetes API server (e.g. "/api/v1/namespaces" or
5964								// "/apis/apps/v1/deployments").
5965								// The format required is the same format used by the `kubectl get
5966								// --raw` command.
5967								// See
5968								// https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
5969								// for details.
5970								// It's mutually exclusive with the Service field.
5971								"urlPath"?: string
5972							}
5973
5974							// ConfigMap is the ConfigMap reference.
5975							"configMap"?: {
5976								// Name is the ConfigMap name.
5977								"name"!: string
5978
5979								// Namespace is the ConfigMap namespace.
5980								"namespace"?: string
5981							}
5982
5983							// GlobalContextEntryReference is a reference to a cached global
5984							// context entry.
5985							"globalReference"?: {
5986								// JMESPath is an optional JMESPath expression that can be used
5987								// to transform the value of the referenced global context
5988								// entry before it is exposed to the rule. Note the value is
5989								// the cached entry, not a fresh request to the server. For
5990								// example, if the entry holds the API server response for
5991								// "/apis/apps/v1/deployments", a JMESPath of
5992								// "items | length(@)" applied to it will return the total
5993								// count of deployments across all namespaces as of when the
5994								// entry was last refreshed.
5995								"jmesPath"?: string
5996
5997								// Name of the global context entry
5998								"name"!: string
5999							}
6000
6001							// ImageRegistry defines requests to an OCI/Docker V2 registry to
6002							// fetch image
6003							// details.
6004							"imageRegistry"?: {
6005								// ImageRegistryCredentials provides credentials that will be used
6006								// for authentication with registry
6007								"imageRegistryCredentials"?: {
6008									// AllowInsecureRegistry allows insecure access to a registry (relaxed TLS verification and/or plain HTTP — confirm against the registry client). Leave unset in production: image data fetched without transport authenticity can be altered in transit, defeating rules that depend on it.
6009									"allowInsecureRegistry"?: bool
6010
6011									// Providers specifies a list of OCI Registry names, whose
6012									// authentication providers are provided.
6013									// It can be of one of these values:
6014									// default,google,azure,amazon,github.
6015									"providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
6016
6017									// Secrets specifies a list of secrets that are provided for
6018									// credentials.
6019									// Secrets must live in the Kyverno namespace.
6020									"secrets"?: [...string]
6021								}
6022
6023								// JMESPath is an optional JSON Match Expression that can be used
6024								// to
6025								// transform the ImageData struct returned as a result of
6026								// processing
6027								// the image reference.
6028								"jmesPath"?: string
6029
6030								// Reference is image reference to a container image in the
6031								// registry.
6032								// Example: ghcr.io/kyverno/kyverno:latest
6033								"reference"!: string
6034							}
6035
6036							// Name is the variable name.
6037							"name"!: string
6038
6039							// Variable defines an arbitrary JMESPath context variable that
6040							// can be defined inline.
6041							"variable"?: {
6042								// Default is an optional arbitrary JSON object that the variable
6043								// may take if the JMESPath
6044								// expression evaluates to nil
6045								"default"?: null | bool | number | string | [...] | {
6046									...
6047								}
6048
6049								// JMESPath is an optional JMESPath Expression that can be used to
6050								// transform the variable.
6051								"jmesPath"?: string
6052
6053								// Value is any arbitrary JSON object representable in YAML or
6054								// JSON form.
6055								"value"?: null | bool | number | string | [...] | {
6056									...
6057								}
6058							}
6059						}]
6060
6061						// Foreach declares a nested foreach iterator
6062						"foreach"?: null | bool | number | string | [...] | {
6063							...
6064						}
6065
6066						// List specifies a JMESPath expression that results in one or
6067						// more elements
6068						// to which the mutation logic is applied.
6069						"list"?: string
6070
6071						// Order defines the iteration order on the list.
6072						// Can be Ascending to iterate from first to last element or
6073						// Descending to iterate in from last to first element.
6074						"order"?: "Ascending" | "Descending"
6075
6076						// PatchStrategicMerge is a strategic merge patch used to modify
6077						// resources.
6078						// See
6079						// https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
6080						// and
6081						// https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
6082						"patchStrategicMerge"?: null | bool | number | string | [...] | {
6083							...
6084						}
6085
6086						// PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations
6087						// used to modify resources.
6088						// See https://tools.ietf.org/html/rfc6902 and
6089						// https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
6090						"patchesJson6902"?: string
6091
6092						// AnyAllConditions are used to determine if a policy rule should
6093						// be applied by evaluating a
6094						// set of conditions. The declaration can contain nested `any` or
6095						// `all` statements.
6096						// See: https://kyverno.io/docs/writing-policies/preconditions/
6097						"preconditions"?: {
6098							// AllConditions enable variable-based conditional rule execution.
6099							// This is useful for
6100							// finer control of when a rule is applied. A condition can
6101							// reference object data
6102							// using JMESPath notation.
6103							// Here, all of the conditions need to pass
6104							"all"?: [...{
6105								// Key is the context entry (using JMESPath) for conditional rule
6106								// evaluation.
6107								"key"?: null | bool | number | string | [...] | {
6108									...
6109								}
6110
6111								// Message is an optional display message
6112								"message"?: string
6113
6114								// Operator is the conditional operation to perform. Valid
6115								// operators are:
6116								// Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
6117								// GreaterThanOrEquals,
6118								// GreaterThan, LessThanOrEquals, LessThan,
6119								// DurationGreaterThanOrEquals, DurationGreaterThan,
6120								// DurationLessThanOrEquals, DurationLessThan
6121								"operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
6122
6123								// Value is the conditional value, or set of values. The values
6124								// can be fixed set
6125								// or can be variables declared using JMESPath.
6126								"value"?: null | bool | number | string | [...] | {
6127									...
6128								}
6129							}]
6130
6131							// AnyConditions enable variable-based conditional rule execution.
6132							// This is useful for
6133							// finer control of when a rule is applied. A condition can
6134							// reference object data
6135							// using JMESPath notation.
6136							// Here, at least one of the conditions need to pass
6137							"any"?: [...{
6138								// Key is the context entry (using JMESPath) for conditional rule
6139								// evaluation.
6140								"key"?: null | bool | number | string | [...] | {
6141									...
6142								}
6143
6144								// Message is an optional display message
6145								"message"?: string
6146
6147								// Operator is the conditional operation to perform. Valid
6148								// operators are:
6149								// Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
6150								// GreaterThanOrEquals,
6151								// GreaterThan, LessThanOrEquals, LessThan,
6152								// DurationGreaterThanOrEquals, DurationGreaterThan,
6153								// DurationLessThanOrEquals, DurationLessThan
6154								"operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
6155
6156								// Value is the conditional value, or set of values. The values
6157								// can be fixed set
6158								// or can be variables declared using JMESPath.
6159								"value"?: null | bool | number | string | [...] | {
6160									...
6161								}
6162							}]
6163							...
6164						}
6165					}]
6166
6167					// MutateExistingOnPolicyUpdate controls if the mutateExisting
6168					// rule will be applied on policy events.
6169					"mutateExistingOnPolicyUpdate"?: bool
6170
6171					// PatchStrategicMerge is a strategic merge patch used to modify
6172					// resources.
6173					// See
6174					// https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
6175					// and
6176					// https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
6177					"patchStrategicMerge"?: null | bool | number | string | [...] | {
6178						...
6179					}
6180
6181					// PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations
6182					// used to modify resources.
6183					// See https://tools.ietf.org/html/rfc6902 and
6184					// https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
6185					"patchesJson6902"?: string
6186
6187					// Targets defines the target resources to be mutated.
6188					"targets"?: [...{
6189						// APIVersion specifies resource apiVersion.
6190						"apiVersion"?: string
6191
6192						// Context defines variables and data sources that can be used
6193						// during rule execution.
6194						"context"?: [...matchN(1, [{
6195							"configMap"!: _
6196						}, {
6197							"apiCall"!: _
6198						}, {
6199							"imageRegistry"!: _
6200						}, {
6201							"variable"!: _
6202						}, {
6203							"globalReference"!: _
6204						}]) & {
6205							// APICall is an HTTP request to the Kubernetes API server, or
6206							// other JSON web service.
6207							// The data returned is stored in the context with the name for
6208							// the context entry.
6209							"apiCall"?: {
6210								// The data object specifies the POST data sent to the server.
6211								// Only applicable when the method field is set to POST.
6212								"data"?: [...{
6213									// Key is a unique identifier for the data value
6214									"key"!: string
6215
6216									// Value is the data value
6217									"value"!: null | bool | number | string | [...] | {
6218										...
6219									}
6220								}]
6221
6222								// Default is an optional arbitrary JSON object that the context
6223								// value is set to, if the apiCall returns error.
6224								"default"?: null | bool | number | string | [...] | {
6225									...
6226								}
6227
6228								// JMESPath is an optional JSON Match Expression that can be used
6229								// to
6230								// transform the JSON response returned from the server. For
6231								// example
6232								// a JMESPath of "items | length(@)" applied to the API server
6233								// response
6234								// for the URLPath "/apis/apps/v1/deployments" will return the
6235								// total count
6236								// of deployments across all namespaces.
6237								"jmesPath"?: string
6238
6239								// Method is the HTTP request type (GET or POST). Defaults to GET.
6240								"method"?: "GET" | "POST"
6241
6242								// Service is an API call to a JSON web service.
6243								// This is used for non-Kubernetes API server calls.
6244								// It's mutually exclusive with the URLPath field.
6245								"service"?: {
6246									// CABundle is a PEM encoded CA bundle which will be used to
6247									// validate
6248									// the server certificate.
6249									"caBundle"?: string
6250
6251									// Headers is a list of optional HTTP headers to be included in
6252									// the request.
6253									"headers"?: [...{
6254										// Key is the header key
6255										"key"!: string
6256
6257										// Value is the header value
6258										"value"!: string
6259									}]
6260
6261									// URL is the JSON web service URL. A typical form is
6262									// `https://{service}.{namespace}:{port}/{path}`.
6263									"url"!: string
6264								}
6265
6266								// URLPath is the URL path to be used in the HTTP GET or POST
6267								// request to the
6268								// Kubernetes API server (e.g. "/api/v1/namespaces" or
6269								// "/apis/apps/v1/deployments").
6270								// The format required is the same format used by the `kubectl get
6271								// --raw` command.
6272								// See
6273								// https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
6274								// for details.
6275								// It's mutually exclusive with the Service field.
6276								"urlPath"?: string
6277							}
6278
6279							// ConfigMap is the ConfigMap reference.
6280							"configMap"?: {
6281								// Name is the ConfigMap name.
6282								"name"!: string
6283
6284								// Namespace is the ConfigMap namespace.
6285								"namespace"?: string
6286							}
6287
6288							// GlobalContextEntryReference is a reference to a cached global
6289							// context entry.
6290							"globalReference"?: {
6291								// JMESPath is an optional JSON Match Expression that can be used
6292								// to
6293								// transform the JSON response returned from the server. For
6294								// example
6295								// a JMESPath of "items | length(@)" applied to the API server
6296								// response
6297								// for the URLPath "/apis/apps/v1/deployments" will return the
6298								// total count
6299								// of deployments across all namespaces.
6300								"jmesPath"?: string
6301
6302								// Name of the global context entry
6303								"name"!: string
6304							}
6305
6306							// ImageRegistry defines requests to an OCI/Docker V2 registry to
6307							// fetch image
6308							// details.
6309							"imageRegistry"?: {
6310								// ImageRegistryCredentials provides credentials that will be used
6311								// for authentication with registry
6312								"imageRegistryCredentials"?: {
6313									// AllowInsecureRegistry allows insecure access to a registry.
6314									"allowInsecureRegistry"?: bool
6315
6316									// Providers specifies a list of OCI Registry names, whose
6317									// authentication providers are provided.
6318									// It can be one of these values:
6319									// default, google, azure, amazon, github.
6320									"providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
6321
6322									// Secrets specifies a list of secrets that are provided for
6323									// credentials.
6324									// Secrets must live in the Kyverno namespace.
6325									"secrets"?: [...string]
6326								}
6327
6328								// JMESPath is an optional JSON Match Expression that can be used
6329								// to
6330								// transform the ImageData struct returned as a result of
6331								// processing
6332								// the image reference.
6333								"jmesPath"?: string
6334
6335								// Reference is image reference to a container image in the
6336								// registry.
6337								// Example: ghcr.io/kyverno/kyverno:latest
6338								"reference"!: string
6339							}
6340
6341							// Name is the variable name.
6342							"name"!: string
6343
6344							// Variable defines an arbitrary JMESPath context variable that
6345							// can be defined inline.
6346							"variable"?: {
6347								// Default is an optional arbitrary JSON object that the variable
6348								// may take if the JMESPath
6349								// expression evaluates to nil
6350								"default"?: null | bool | number | string | [...] | {
6351									...
6352								}
6353
6354								// JMESPath is an optional JMESPath Expression that can be used to
6355								// transform the variable.
6356								"jmesPath"?: string
6357
6358								// Value is any arbitrary JSON object representable in YAML or
6359								// JSON form.
6360								"value"?: null | bool | number | string | [...] | {
6361									...
6362								}
6363							}
6364						}]
6365
6366						// Kind specifies resource kind.
6367						"kind"?: string
6368
6369						// Name specifies the resource name.
6370						"name"?: string
6371
6372						// Namespace specifies resource namespace.
6373						"namespace"?: string
6374
6375						// Preconditions are used to determine if a policy rule should be
6376						// applied by evaluating a
6377						// set of conditions. The declaration can contain nested `any` or
6378						// `all` statements. A direct list
6379						// of conditions (without `any` or `all` statements) is supported
6380						// for backwards compatibility but
6381						// will be deprecated in the next major release.
6382						// See: https://kyverno.io/docs/writing-policies/preconditions/
6383						"preconditions"?: null | bool | number | string | [...] | {
6384							...
6385						}
6386
6387						// Selector allows you to select target resources with their
6388						// labels.
6389						"selector"?: {
6390							// matchExpressions is a list of label selector requirements. The
6391							// requirements are ANDed.
6392							"matchExpressions"?: [...{
6393								// key is the label key that the selector applies to.
6394								"key"!: string
6395
6396								// operator represents a key's relationship to a set of values.
6397								// Valid operators are In, NotIn, Exists and DoesNotExist.
6398								"operator"!: string
6399
6400								// values is an array of string values. If the operator is In or
6401								// NotIn,
6402								// the values array must be non-empty. If the operator is Exists
6403								// or DoesNotExist,
6404								// the values array must be empty. This array is replaced during a
6405								// strategic
6406								// merge patch.
6407								"values"?: [...string]
6408							}]
6409
6410							// matchLabels is a map of {key,value} pairs. A single {key,value}
6411							// in the matchLabels
6412							// map is equivalent to an element of matchExpressions, whose key
6413							// field is "key", the
6414							// operator is "In", and the values array contains only "value".
6415							// The requirements are ANDed.
6416							"matchLabels"?: {
6417								[string]: string
6418							}
6419						}
6420
6421						// UID specifies the resource uid.
6422						"uid"?: string
6423					}]
6424				}
6425
6426				// Name is a label to identify the rule. It must be unique within
6427				// the policy.
6428				"name"!: strings.MaxRunes(
6429						63)
6430
6431				// Preconditions are used to determine if a policy rule should be
6432				// applied by evaluating a
6433				// set of conditions. The declaration can contain nested `any` or
6434				// `all` statements. A direct list
6435				// of conditions (without `any` or `all` statements) is supported
6436				// for backwards compatibility but
6437				// will be deprecated in the next major release.
6438				// See: https://kyverno.io/docs/writing-policies/preconditions/
6439				"preconditions"?: null | bool | number | string | [...] | {
6440					...
6441				}
6442
6443				// ReportProperties are the additional properties from the rule
6444				// that will be added to the policy report result
6445				"reportProperties"?: {
6446					[string]: string
6447				}
6448
6449				// SkipBackgroundRequests bypasses admission requests that are
6450				// sent by the background controller.
6451				// The default value is set to "true", it must be set to "false"
6452				// to apply
6453				// generate and mutateExisting rules to those requests.
6454				"skipBackgroundRequests"?: bool
6455
6456				// Validation is used to validate matching resources.
6457				"validate"?: {
6458					// AllowExistingViolations allows preexisting violating resources
6459					// to continue violating a policy.
6460					"allowExistingViolations"?: bool
6461
6462					// AnyPattern specifies list of validation patterns. At least one
6463					// of the patterns
6464					// must be satisfied for the validation rule to succeed.
6465					"anyPattern"?: null | bool | number | string | [...] | {
6466						...
6467					}
6468
6469					// Assert defines a kyverno-json assertion tree.
6470					"assert"?: {
6471						...
6472					}
6473
6474					// CEL allows validation checks using the Common Expression
6475					// Language
6476					// (https://kubernetes.io/docs/reference/using-api/cel/).
6477					"cel"?: {
6478						// AuditAnnotations contains CEL expressions which are used to
6479						// produce audit annotations for the audit event of the API
6480						// request.
6481						"auditAnnotations"?: [...{
6482							// key specifies the audit annotation key. The audit annotation
6483							// keys of
6484							// a ValidatingAdmissionPolicy must be unique. The key must be a
6485							// qualified
6486							// name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in
6487							// length.
6488							//
6489							// The key is combined with the resource name of the
6490							// ValidatingAdmissionPolicy to construct an audit annotation key:
6491							// "{ValidatingAdmissionPolicy name}/{key}".
6492							//
6493							// If an admission webhook uses the same resource name as this
6494							// ValidatingAdmissionPolicy
6495							// and the same audit annotation key, the annotation key will be
6496							// identical.
6497							// In this case, the first annotation written with the key will be
6498							// included
6499							// in the audit event and all subsequent annotations with the same
6500							// key
6501							// will be discarded.
6502							//
6503							// Required.
6504							"key"!: string
6505
6506							// valueExpression represents the expression which is evaluated by
6507							// CEL to
6508							// produce an audit annotation value. The expression must evaluate
6509							// to either
6510							// a string or null value. If the expression evaluates to a
6511							// string, the
6512							// audit annotation is included with the string value. If the
6513							// expression
6514							// evaluates to null or empty string the audit annotation will be
6515							// omitted.
6516							// The valueExpression may be no longer than 5kb in length.
6517							// If the result of the valueExpression is more than 10kb in
6518							// length, it
6519							// will be truncated to 10kb.
6520							//
6521							// If multiple ValidatingAdmissionPolicyBinding resources match an
6522							// API request, then the valueExpression will be evaluated for
6523							// each binding. All unique values produced by the
6524							// valueExpressions
6525							// will be joined together in a comma-separated list.
6526							//
6527							// Required.
6528							"valueExpression"!: string
6529						}]
6530
6531						// Expressions is a list of CELExpression types.
6532						"expressions"?: [...{
6533							// Expression represents the expression which will be evaluated by
6534							// CEL.
6535							// ref: https://github.com/google/cel-spec
6536							// CEL expressions have access to the contents of the API
6537							// request/response, organized into CEL variables as well as some
6538							// other useful variables:
6539							//
6540							// - 'object' - The object from the incoming request. The value is
6541							// null for DELETE requests.
6542							// - 'oldObject' - The existing object. The value is null for
6543							// CREATE requests.
6544							// - 'request' - Attributes of the API
6545							// request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
6546							// - 'params' - Parameter resource referred to by the policy
6547							// binding being evaluated. Only populated if the policy has a
6548							// ParamKind.
6549							// - 'namespaceObject' - The namespace object that the incoming
6550							// object belongs to. The value is null for cluster-scoped
6551							// resources.
6552							// - 'variables' - Map of composited variables, from its name to
6553							// its lazily evaluated value.
6554							// For example, a variable named 'foo' can be accessed as
6555							// 'variables.foo'.
6556							// - 'authorizer' - A CEL Authorizer. May be used to perform
6557							// authorization checks for the principal (user or service
6558							// account) of the request.
6559							// See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
6560							// - 'authorizer.requestResource' - A CEL ResourceCheck
6561							// constructed from the 'authorizer' and configured with the
6562							// request resource.
6563							//
6564							// The `apiVersion`, `kind`, `metadata.name` and
6565							// `metadata.generateName` are always accessible from the root of
6566							// the
6567							// object. No other metadata properties are accessible.
6568							//
6569							// Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
6570							// are accessible.
6571							// Accessible property names are escaped according to the
6572							// following rules when accessed in the expression:
6573							// - '__' escapes to '__underscores__'
6574							// - '.' escapes to '__dot__'
6575							// - '-' escapes to '__dash__'
6576							// - '/' escapes to '__slash__'
6577							// - Property names that exactly match a CEL RESERVED keyword
6578							// escape to '__{keyword}__'. The keywords are:
6579							// "true", "false", "null", "in", "as", "break", "const",
6580							// "continue", "else", "for", "function", "if",
6581							// "import", "let", "loop", "package", "namespace", "return".
6582							// Examples:
6583							// - Expression accessing a property named "namespace":
6584							// {"Expression": "object.__namespace__ > 0"}
6585							// - Expression accessing a property named "x-prop":
6586							// {"Expression": "object.x__dash__prop > 0"}
6587							// - Expression accessing a property named "redact__d":
6588							// {"Expression": "object.redact__underscores__d > 0"}
6589							//
6590							// Equality on arrays with list type of 'set' or 'map' ignores
6591							// element order, i.e. [1, 2] == [2, 1].
6592							// Concatenation on arrays with x-kubernetes-list-type use the
6593							// semantics of the list type:
6594							// - 'set': `X + Y` performs a union where the array positions of
6595							// all elements in `X` are preserved and
6596							// non-intersecting elements in `Y` are appended, retaining their
6597							// partial order.
6598							// - 'map': `X + Y` performs a merge where the array positions of
6599							// all keys in `X` are preserved but the values
6600							// are overwritten by values in `Y` when the key sets of `X` and
6601							// `Y` intersect. Elements in `Y` with
6602							// non-intersecting keys are appended, retaining their partial
6603							// order.
6604							// Required.
6605							"expression"!: string
6606
6607							// Message represents the message displayed when validation fails.
6608							// The message is required if the Expression contains
6609							// line breaks. The message must not contain line breaks.
6610							// If unset, the message is "failed rule: {Rule}".
6611							// e.g. "must be a URL with the host matching spec.host"
6612							// If the Expression contains line breaks. Message is required.
6613							// The message must not contain line breaks.
6614							// If unset, the message is "failed Expression: {Expression}".
6615							"message"?: string
6616
6617							// messageExpression declares a CEL expression that evaluates to
6618							// the validation failure message that is returned when this rule
6619							// fails.
6620							// Since messageExpression is used as a failure message, it must
6621							// evaluate to a string.
6622							// If both message and messageExpression are present on a
6623							// validation, then messageExpression will be used if validation
6624							// fails.
6625							// If messageExpression results in a runtime error, the runtime
6626							// error is logged, and the validation failure message is
6627							// produced
6628							// as if the messageExpression field were unset. If
6629							// messageExpression evaluates to an empty string, a string with
6630							// only spaces, or a string
6631							// that contains line breaks, then the validation failure message
6632							// will also be produced as if the messageExpression field were
6633							// unset, and
6634							// the fact that messageExpression produced an empty string/string
6635							// with only spaces/string with line breaks will be logged.
6636							// messageExpression has access to all the same variables as the
6637							// `expression` except for 'authorizer' and
6638							// 'authorizer.requestResource'.
6639							// Example:
6640							// "object.x must be less than max ("+string(params.max)+")"
6641							"messageExpression"?: string
6642
6643							// Reason represents a machine-readable description of why this
6644							// validation failed.
6645							// If this is the first validation in the list to fail, this
6646							// reason, as well as the
6647							// corresponding HTTP response code, are used in the
6648							// HTTP response to the client.
6649							// The currently supported reasons are: "Unauthorized",
6650							// "Forbidden", "Invalid", "RequestEntityTooLarge".
6651							// If not set, StatusReasonInvalid is used in the response to the
6652							// client.
6653							"reason"?: string
6654						}]
6655
6656						// ParamKind is a tuple of Group Kind and Version.
6657						"paramKind"?: {
6658							// APIVersion is the API group version the resources belong to.
6659							// In format of "group/version".
6660							// Required.
6661							"apiVersion"?: string
6662
6663							// Kind is the API kind the resources belong to.
6664							// Required.
6665							"kind"?: string
6666						}
6667
6668						// ParamRef references a parameter resource.
6669						"paramRef"?: {
6670							// name is the name of the resource being referenced.
6671							//
6672							// One of `name` or `selector` must be set, but `name` and
6673							// `selector` are
6674							// mutually exclusive properties. If one is set, the other must be
6675							// unset.
6676							//
6677							// A single parameter used for all admission requests can be
6678							// configured
6679							// by setting the `name` field, leaving `selector` blank, and
6680							// setting namespace
6681							// if `paramKind` is namespace-scoped.
6682							"name"?: string
6683
6684							// namespace is the namespace of the referenced resource. Allows
6685							// limiting
6686							// the search for params to a specific namespace. Applies to both
6687							// `name` and
6688							// `selector` fields.
6689							//
6690							// A per-namespace parameter may be used by specifying a
6691							// namespace-scoped
6692							// `paramKind` in the policy and leaving this field empty.
6693							//
6694							// - If `paramKind` is cluster-scoped, this field MUST be unset.
6695							// Setting this
6696							// field results in a configuration error.
6697							//
6698							// - If `paramKind` is namespace-scoped, the namespace of the
6699							// object being
6700							// evaluated for admission will be used when this field is left
6701							// unset. Take
6702							// care that if this is left empty the binding must not match any
6703							// cluster-scoped
6704							// resources, which will result in an error.
6705							"namespace"?: string
6706
6707							// `parameterNotFoundAction` controls the behavior of the binding
6708							// when the resource
6709							// exists, and name or selector is valid, but there are no
6710							// parameters
6711							// matched by the binding. If the value is set to `Allow`, then no
6712							// matched parameters will be treated as successful validation by
6713							// the binding.
6714							// If set to `Deny`, then no matched parameters will be subject to
6715							// the
6716							// `failurePolicy` of the policy.
6717							//
6718							// Allowed values are `Allow` or `Deny`
6719							//
6720							// Required
6721							"parameterNotFoundAction"?: string
6722
6723							// selector can be used to match multiple param objects based on
6724							// their labels.
6725							// Supply selector: {} to match all resources of the ParamKind.
6726							//
6727							// If multiple params are found, they are all evaluated with the
6728							// policy expressions
6729							// and the results are ANDed together.
6730							//
6731							// One of `name` or `selector` must be set, but `name` and
6732							// `selector` are
6733							// mutually exclusive properties. If one is set, the other must be
6734							// unset.
6735							"selector"?: {
6736								// matchExpressions is a list of label selector requirements. The
6737								// requirements are ANDed.
6738								"matchExpressions"?: [...{
6739									// key is the label key that the selector applies to.
6740									"key"!: string
6741
6742									// operator represents a key's relationship to a set of values.
6743									// Valid operators are In, NotIn, Exists and DoesNotExist.
6744									"operator"!: string
6745
6746									// values is an array of string values. If the operator is In or
6747									// NotIn,
6748									// the values array must be non-empty. If the operator is Exists
6749									// or DoesNotExist,
6750									// the values array must be empty. This array is replaced during a
6751									// strategic
6752									// merge patch.
6753									"values"?: [...string]
6754								}]
6755
6756								// matchLabels is a map of {key,value} pairs. A single {key,value}
6757								// in the matchLabels
6758								// map is equivalent to an element of matchExpressions, whose key
6759								// field is "key", the
6760								// operator is "In", and the values array contains only "value".
6761								// The requirements are ANDed.
6762								"matchLabels"?: {
6763									[string]: string
6764								}
6765							}
6766						}
6767
6768						// Variables contain definitions of variables that can be used in
6769						// composition of other expressions.
6770						// Each variable is defined as a named CEL expression.
6771						// The variables defined here will be available under `variables`
6772						// in other expressions of the policy.
6773						"variables"?: [...{
6774							// Expression is the expression that will be evaluated as the
6775							// value of the variable.
6776							// The CEL expression has access to the same identifiers as the
6777							// CEL expressions in Validation.
6778							"expression"!: string
6779
6780							// Name is the name of the variable. The name must be a valid CEL
6781							// identifier and unique among all variables.
6782							// The variable can be accessed in other expressions through
6783							// `variables`
6784							// For example, if name is "foo", the variable will be available
6785							// as `variables.foo`
6786							"name"!: string
6787						}]
6788					}
6789
6790					// Deny defines conditions used to pass or fail a validation rule.
6791					"deny"?: {
6792						// Multiple conditions can be declared under an `any` or `all`
6793						// statement. A direct list
6794						// of conditions (without `any` or `all` statements) is also
6795						// supported for backwards compatibility
6796						// but will be deprecated in the next major release.
6797						// See:
6798						// https://kyverno.io/docs/writing-policies/validate/#deny-rules
6799						"conditions"?: null | bool | number | string | [...] | {
6800							...
6801						}
6802					}
6803
6804					// FailureAction defines if a validation policy rule violation
6805					// should block
6806					// the admission review request (Enforce), or allow (Audit) the
6807					// admission review request
6808					// and report an error in a policy report. Optional.
6809					// Allowed values are Audit or Enforce.
6810					"failureAction"?: "Audit" | "Enforce"
6811
6812					// FailureActionOverrides is a Cluster Policy attribute that
6813					// specifies FailureAction
6814					// namespace-wise. It overrides FailureAction for the specified
6815					// namespaces.
6816					"failureActionOverrides"?: [...{
6817						// ValidationFailureAction defines the policy validation failure
6818						// action
6819						"action"?: "audit" | "enforce" | "Audit" | "Enforce"
6820
6821						// A label selector is a label query over a set of resources. The
6822						// result of matchLabels and
6823						// matchExpressions are ANDed. An empty label selector matches all
6824						// objects. A null
6825						// label selector matches no objects.
6826						"namespaceSelector"?: {
6827							// matchExpressions is a list of label selector requirements. The
6828							// requirements are ANDed.
6829							"matchExpressions"?: [...{
6830								// key is the label key that the selector applies to.
6831								"key"!: string
6832
6833								// operator represents a key's relationship to a set of values.
6834								// Valid operators are In, NotIn, Exists and DoesNotExist.
6835								"operator"!: string
6836
6837								// values is an array of string values. If the operator is In or
6838								// NotIn,
6839								// the values array must be non-empty. If the operator is Exists
6840								// or DoesNotExist,
6841								// the values array must be empty. This array is replaced during a
6842								// strategic
6843								// merge patch.
6844								"values"?: [...string]
6845							}]
6846
6847							// matchLabels is a map of {key,value} pairs. A single {key,value}
6848							// in the matchLabels
6849							// map is equivalent to an element of matchExpressions, whose key
6850							// field is "key", the
6851							// operator is "In", and the values array contains only "value".
6852							// The requirements are ANDed.
6853							"matchLabels"?: {
6854								[string]: string
6855							}
6856						}
6857						"namespaces"?: [...string]
6858					}]
6859
6860					// ForEach applies validate rules to a list of sub-elements by
6861					// creating a context for each entry in the list and looping over
6862					// it to apply the specified logic.
6863					"foreach"?: [...{
6864						// AnyPattern specifies list of validation patterns. At least one
6865						// of the patterns
6866						// must be satisfied for the validation rule to succeed.
6867						"anyPattern"?: null | bool | number | string | [...] | {
6868							...
6869						}
6870
6871						// Context defines variables and data sources that can be used
6872						// during rule execution.
6873						"context"?: [...matchN(1, [{
6874							"configMap"!: _
6875						}, {
6876							"apiCall"!: _
6877						}, {
6878							"imageRegistry"!: _
6879						}, {
6880							"variable"!: _
6881						}, {
6882							"globalReference"!: _
6883						}]) & {
6884							// APICall is an HTTP request to the Kubernetes API server, or
6885							// other JSON web service.
6886							// The data returned is stored in the context with the name for
6887							// the context entry.
6888							"apiCall"?: {
6889								// The data object specifies the POST data sent to the server.
6890								// Only applicable when the method field is set to POST.
6891								"data"?: [...{
6892									// Key is a unique identifier for the data value
6893									"key"!: string
6894
6895									// Value is the data value
6896									"value"!: null | bool | number | string | [...] | {
6897										...
6898									}
6899								}]
6900
6901								// Default is an optional arbitrary JSON object that the context
6902								// value is set to, if the apiCall returns error.
6903								"default"?: null | bool | number | string | [...] | {
6904									...
6905								}
6906
6907								// JMESPath is an optional JSON Match Expression that can be used
6908								// to
6909								// transform the JSON response returned from the server. For
6910								// example
6911								// a JMESPath of "items | length(@)" applied to the API server
6912								// response
6913								// for the URLPath "/apis/apps/v1/deployments" will return the
6914								// total count
6915								// of deployments across all namespaces.
6916								"jmesPath"?: string
6917
6918								// Method is the HTTP request type (GET or POST). Defaults to GET.
6919								"method"?: "GET" | "POST"
6920
6921								// Service is an API call to a JSON web service.
6922								// This is used for non-Kubernetes API server calls.
6923								// It's mutually exclusive with the URLPath field.
6924								"service"?: {
6925									// CABundle is a PEM encoded CA bundle which will be used to
6926									// validate
6927									// the server certificate.
6928									"caBundle"?: string
6929
6930									// Headers is a list of optional HTTP headers to be included in
6931									// the request.
6932									"headers"?: [...{
6933										// Key is the header key
6934										"key"!: string
6935
6936										// Value is the header value
6937										"value"!: string
6938									}]
6939
6940									// URL is the JSON web service URL. A typical form is
6941									// `https://{service}.{namespace}:{port}/{path}`.
6942									"url"!: string
6943								}
6944
6945								// URLPath is the URL path to be used in the HTTP GET or POST
6946								// request to the
6947								// Kubernetes API server (e.g. "/api/v1/namespaces" or
6948								// "/apis/apps/v1/deployments").
6949								// The format required is the same format used by the `kubectl get
6950								// --raw` command.
6951								// See
6952								// https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
6953								// for details.
6954								// It's mutually exclusive with the Service field.
6955								"urlPath"?: string
6956							}
6957
6958							// ConfigMap is the ConfigMap reference.
6959							"configMap"?: {
6960								// Name is the ConfigMap name.
6961								"name"!: string
6962
6963								// Namespace is the ConfigMap namespace.
6964								"namespace"?: string
6965							}
6966
6967							// GlobalContextEntryReference is a reference to a cached global
6968							// context entry.
6969							"globalReference"?: {
6970								// JMESPath is an optional JSON Match Expression that can be used
6971								// to
6972								// transform the JSON response returned from the server. For
6973								// example
6974								// a JMESPath of "items | length(@)" applied to the API server
6975								// response
6976								// for the URLPath "/apis/apps/v1/deployments" will return the
6977								// total count
6978								// of deployments across all namespaces.
6979								"jmesPath"?: string
6980
6981								// Name of the global context entry
6982								"name"!: string
6983							}
6984
6985							// ImageRegistry defines requests to an OCI/Docker V2 registry to
6986							// fetch image
6987							// details.
6988							"imageRegistry"?: {
6989								// ImageRegistryCredentials provides credentials that will be used
6990								// for authentication with registry
6991								"imageRegistryCredentials"?: {
6992									// AllowInsecureRegistry allows insecure access to a registry.
6993									"allowInsecureRegistry"?: bool
6994
6995									// Providers specifies a list of OCI Registry names, whose
6996									// authentication providers are provided.
6997									// It can be of one of these values:
6998									// default,google,azure,amazon,github.
6999									"providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
7000
7001									// Secrets specifies a list of secrets that are provided for
7002									// credentials.
7003									// Secrets must live in the Kyverno namespace.
7004									"secrets"?: [...string]
7005								}
7006
7007								// JMESPath is an optional JSON Match Expression that can be used
7008								// to
7009								// transform the ImageData struct returned as a result of
7010								// processing
7011								// the image reference.
7012								"jmesPath"?: string
7013
7014								// Reference is an image reference to a container image in the
7015								// registry.
7016								// Example: ghcr.io/kyverno/kyverno:latest
7017								"reference"!: string
7018							}
7019
7020							// Name is the variable name.
7021							"name"!: string
7022
7023							// Variable defines an arbitrary JMESPath context variable that
7024							// can be defined inline.
7025							"variable"?: {
7026								// Default is an optional arbitrary JSON object that the variable
7027								// may take if the JMESPath
7028								// expression evaluates to nil
7029								"default"?: null | bool | number | string | [...] | {
7030									...
7031								}
7032
7033								// JMESPath is an optional JMESPath Expression that can be used to
7034								// transform the variable.
7035								"jmesPath"?: string
7036
7037								// Value is any arbitrary JSON object representable in YAML or
7038								// JSON form.
7039								"value"?: null | bool | number | string | [...] | {
7040									...
7041								}
7042							}
7043						}]
7044
7045						// Deny defines conditions used to pass or fail a validation rule.
7046						"deny"?: {
7047							// Multiple conditions can be declared under an `any` or `all`
7048							// statement. A direct list
7049							// of conditions (without `any` or `all` statements) is also
7050							// supported for backwards compatibility
7051							// but will be deprecated in the next major release.
7052							// See:
7053							// https://kyverno.io/docs/writing-policies/validate/#deny-rules
7054							"conditions"?: null | bool | number | string | [...] | {
7055								...
7056							}
7057						}
7058
7059						// ElementScope specifies whether to use the current list element
7060						// as the scope for validation. Defaults to "true" if not
7061						// specified.
7062						// When set to "false", "request.object" is used as the validation
7063						// scope within the foreach
7064						// block to allow referencing other elements in the subtree.
7065						"elementScope"?: bool
7066
7067						// Foreach declares a nested foreach iterator
7068						"foreach"?: null | bool | number | string | [...] | {
7069							...
7070						}
7071
7072						// List specifies a JMESPath expression that results in one or
7073						// more elements
7074						// to which the validation logic is applied.
7075						"list"?: string
7076
7077						// Pattern specifies an overlay-style pattern used to check
7078						// resources.
7079						"pattern"?: null | bool | number | string | [...] | {
7080							...
7081						}
7082
7083						// AnyAllConditions are used to determine if a policy rule should
7084						// be applied by evaluating a
7085						// set of conditions. The declaration can contain nested `any` or
7086						// `all` statements.
7087						// See: https://kyverno.io/docs/writing-policies/preconditions/
7088						"preconditions"?: {
7089							// AllConditions enable variable-based conditional rule execution.
7090							// This is useful for
7091							// finer control of when a rule is applied. A condition can
7092							// reference object data
7093							// using JMESPath notation.
7094							// Here, all of the conditions need to pass
7095							"all"?: [...{
7096								// Key is the context entry (using JMESPath) for conditional rule
7097								// evaluation.
7098								"key"?: null | bool | number | string | [...] | {
7099									...
7100								}
7101
7102								// Message is an optional display message
7103								"message"?: string
7104
7105								// Operator is the conditional operation to perform. Valid
7106								// operators are:
7107								// Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
7108								// GreaterThanOrEquals,
7109								// GreaterThan, LessThanOrEquals, LessThan,
7110								// DurationGreaterThanOrEquals, DurationGreaterThan,
7111								// DurationLessThanOrEquals, DurationLessThan
7112								"operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
7113
7114								// Value is the conditional value, or set of values. The values
7115								// can be fixed set
7116								// or can be variables declared using JMESPath.
7117								"value"?: null | bool | number | string | [...] | {
7118									...
7119								}
7120							}]
7121
7122							// AnyConditions enable variable-based conditional rule execution.
7123							// This is useful for
7124							// finer control of when a rule is applied. A condition can
7125							// reference object data
7126							// using JMESPath notation.
7127							// Here, at least one of the conditions needs to pass
7128							"any"?: [...{
7129								// Key is the context entry (using JMESPath) for conditional rule
7130								// evaluation.
7131								"key"?: null | bool | number | string | [...] | {
7132									...
7133								}
7134
7135								// Message is an optional display message
7136								"message"?: string
7137
7138								// Operator is the conditional operation to perform. Valid
7139								// operators are:
7140								// Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
7141								// GreaterThanOrEquals,
7142								// GreaterThan, LessThanOrEquals, LessThan,
7143								// DurationGreaterThanOrEquals, DurationGreaterThan,
7144								// DurationLessThanOrEquals, DurationLessThan
7145								"operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
7146
7147								// Value is the conditional value, or set of values. The values
7148								// can be fixed set
7149								// or can be variables declared using JMESPath.
7150								"value"?: null | bool | number | string | [...] | {
7151									...
7152								}
7153							}]
7154							...
7155						}
7156					}]
7157
7158					// Manifest specifies conditions for manifest verification
7159					"manifests"?: {
7160						// AnnotationDomain is custom domain of annotation for message and
7161						// signature. Default is "cosign.sigstore.dev".
7162						"annotationDomain"?: string
7163
7164						// Attestors specifies the required attestors (i.e. authorities)
7165						"attestors"?: [...{
7166							// Count specifies the required number of entries that must match.
7167							// If the count is null, all entries must match
7168							// (a logical AND). If the count is 1, at least one entry must
7169							// match (a logical OR). If the count contains a
7170							// value N, then N must be less than or equal to the size of
7171							// entries, and at least N entries must match.
7172							"count"?: int & >=1
7173
7174							// Entries contains the available attestors. An attestor can be a
7175							// static key,
7176							// attributes for keyless verification, or a nested attestor
7177							// declaration.
7178							"entries"?: [...{
7179								// Annotations are used for image verification.
7180								// Every specified key-value pair must exist and match in the
7181								// verified payload.
7182								// The payload may contain other key-value pairs.
7183								"annotations"?: [string]: string
7184
7185								// Attestor is a nested set of Attestor used to specify a more
7186								// complex set of match authorities.
7187								"attestor"?: null | bool | number | string | [...] | {
7188									...
7189								}
7190
7191								// Certificates specifies one or more certificates.
7192								"certificates"?: {
7193									// Cert is an optional PEM-encoded public certificate.
7194									"cert"?: string
7195
7196									// CertChain is an optional PEM encoded set of certificates used
7197									// to verify.
7198									"certChain"?: string
7199
7200									// CTLog (certificate timestamp log) provides a configuration for
7201									// validation of Signed Certificate
7202									// Timestamps (SCTs). If the value is unset, the default behavior
7203									// by Cosign is used.
7204									"ctlog"?: {
7205										// IgnoreSCT defines whether to use the Signed Certificate
7206										// Timestamp (SCT) log to check for a certificate
7207										// timestamp. Default is false. Set to true if this was opted out
7208										// during signing.
7209										"ignoreSCT"?: bool
7210
7211										// PubKey, if set, is used to validate SCTs against a custom
7212										// source.
7213										"pubkey"?: string
7214
7215										// TSACertChain, if set, is the PEM-encoded certificate chain file
7216										// for the RFC3161 timestamp authority. Must
7217										// contain the root CA certificate. Optionally may contain
7218										// intermediate CA certificates, and
7219										// may contain the leaf TSA certificate if not present in the
7220										// timestamp.
7221										"tsaCertChain"?: string
7222									}
7223
7224									// Rekor provides configuration for the Rekor transparency log
7225									// service. If an empty object
7226									// is provided the public instance of Rekor
7227									// (https://rekor.sigstore.dev) is used.
7228									"rekor"?: {
7229										// IgnoreTlog skips transparency log verification.
7230										"ignoreTlog"?: bool
7231
7232										// RekorPubKey is an optional PEM-encoded public key to use for a
7233										// custom Rekor.
7234										// If set, this will be used to validate transparency log
7235										// signatures from a custom Rekor.
7236										"pubkey"?: string
7237
7238										// URL is the address of the transparency log. Defaults to the
7239										// public Rekor log instance https://rekor.sigstore.dev.
7240										"url"?: string
7241									}
7242								}
7243
7244								// Keyless is a set of attributes used to verify a Sigstore keyless
7245								// attestor.
7246								// See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
7247								"keyless"?: {
7248									// AdditionalExtensions are certificate-extensions used for
7249									// keyless signing.
7250									"additionalExtensions"?: [string]: string
7251
7252									// CTLog (certificate timestamp log) provides a configuration for
7253									// validation of Signed Certificate
7254									// Timestamps (SCTs). If the value is unset, the default behavior
7255									// by Cosign is used.
7256									"ctlog"?: {
7257										// IgnoreSCT defines whether to use the Signed Certificate
7258										// Timestamp (SCT) log to check for a certificate
7259										// timestamp. Default is false. Set to true if this was opted out
7260										// during signing.
7261										"ignoreSCT"?: bool
7262
7263										// PubKey, if set, is used to validate SCTs against a custom
7264										// source.
7265										"pubkey"?: string
7266
7267										// TSACertChain, if set, is the PEM-encoded certificate chain file
7268										// for the RFC3161 timestamp authority. Must
7269										// contain the root CA certificate. Optionally may contain
7270										// intermediate CA certificates, and
7271										// may contain the leaf TSA certificate if not present in the
7272										// timestamp.
7273										"tsaCertChain"?: string
7274									}
7275
7276									// Issuer is the certificate issuer used for keyless signing.
7277									"issuer"?: string
7278
7279									// IssuerRegExp is the regular expression to match certificate
7280									// issuer used for keyless signing.
7281									"issuerRegExp"?: string
7282
7283									// Rekor provides configuration for the Rekor transparency log
7284									// service. If an empty object
7285									// is provided the public instance of Rekor
7286									// (https://rekor.sigstore.dev) is used.
7287									"rekor"?: {
7288										// IgnoreTlog skips transparency log verification.
7289										"ignoreTlog"?: bool
7290
7291										// RekorPubKey is an optional PEM-encoded public key to use for a
7292										// custom Rekor.
7293										// If set, this will be used to validate transparency log
7294										// signatures from a custom Rekor.
7295										"pubkey"?: string
7296
7297										// URL is the address of the transparency log. Defaults to the
7298										// public Rekor log instance https://rekor.sigstore.dev.
7299										"url"?: string
7300									}
7301
7302									// Roots is an optional set of PEM encoded trusted root
7303									// certificates.
7304									// If not provided, the system roots are used.
7305									"roots"?: string
7306
7307									// Subject is the verified identity used for keyless signing, for
7308									// example the email address.
7309									"subject"?: string
7310
7311									// SubjectRegExp is the regular expression to match identity used
7312									// for keyless signing, for example the email address.
7313									"subjectRegExp"?: string
7314								}
7315
7316								// Keys specifies one or more public keys.
7317								"keys"?: {
7318									// CTLog (certificate timestamp log) provides a configuration for
7319									// validation of Signed Certificate
7320									// Timestamps (SCTs). If the value is unset, the default behavior
7321									// by Cosign is used.
7322									"ctlog"?: {
7323										// IgnoreSCT defines whether to use the Signed Certificate
7324										// Timestamp (SCT) log to check for a certificate
7325										// timestamp. Default is false. Set to true if this was opted out
7326										// during signing.
7327										"ignoreSCT"?: bool
7328
7329										// PubKey, if set, is used to validate SCTs against a custom
7330										// source.
7331										"pubkey"?: string
7332
7333										// TSACertChain, if set, is the PEM-encoded certificate chain file
7334										// for the RFC3161 timestamp authority. Must
7335										// contain the root CA certificate. Optionally may contain
7336										// intermediate CA certificates, and
7337										// may contain the leaf TSA certificate if not present in the
7338										// timestamp.
7339										"tsaCertChain"?: string
7340									}
7341
7342									// KMS provides the URI to the public key stored in a Key
7343									// Management System. See:
7344									// https://github.com/sigstore/cosign/blob/main/KMS.md
7345									"kms"?: string
7346
7347									// Keys is a set of X.509 public keys used to verify image
7348									// signatures. The keys can be directly
7349									// specified or can be a variable reference to a key specified in
7350									// a ConfigMap (see
7351									// https://kyverno.io/docs/writing-policies/variables/), or
7352									// reference a standard Kubernetes Secret
7353									// elsewhere in the cluster by specifying it in the format
7354									// "k8s://<namespace>/<secret_name>".
7355									// The named Secret must specify a key `cosign.pub` containing the
7356									// public key used for
7357									// verification (see
7358									// https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
7359									// When multiple keys are specified each key is processed as a
7360									// separate staticKey entry
7361									// (.attestors[*].entries.keys) within the set of attestors and
7362									// the count is applied across the keys.
7363									"publicKeys"?: string
7364
7365									// Rekor provides configuration for the Rekor transparency log
7366									// service. If an empty object
7367									// is provided the public instance of Rekor
7368									// (https://rekor.sigstore.dev) is used.
7369									"rekor"?: {
7370										// IgnoreTlog skips transparency log verification.
7371										"ignoreTlog"?: bool
7372
7373										// RekorPubKey is an optional PEM-encoded public key to use for a
7374										// custom Rekor.
7375										// If set, this will be used to validate transparency log
7376										// signatures from a custom Rekor.
7377										"pubkey"?: string
7378
7379										// URL is the address of the transparency log. Defaults to the
7380										// public Rekor log instance https://rekor.sigstore.dev.
7381										"url"?: string
7382									}
7383
7384									// Reference to a Secret resource that contains a public key
7385									"secret"?: {
7386										// Name of the secret. The provided secret must contain a key
7387										// named cosign.pub.
7388										"name"!: string
7389
7390										// Namespace name where the Secret exists.
7391										"namespace"!: string
7392									}
7393
7394									// Deprecated. Use attestor.signatureAlgorithm instead.
7395									"signatureAlgorithm"?: string
7396								}
7397
7398								// Repository is an optional alternate OCI repository to use for
7399								// signatures and attestations that match this rule.
7400								// If specified Repository will override other OCI image
7401								// repository locations for this Attestor.
7402								"repository"?: string
7403
7404								// Specify signature algorithm for public keys. Supported values
7405								// are sha224, sha256, sha384 and sha512.
7406								"signatureAlgorithm"?: string
7407							}]
7408						}]
7409
7410						// DryRun configuration
7411						"dryRun"?: {
7412							"enable"?:    bool
7413							"namespace"?: string
7414						}
7415
7416						// Fields which will be ignored while comparing manifests.
7417						"ignoreFields"?: [...{
7418							"fields"?: [...string]
7419							"objects"?: [...{
7420								"group"?:     string
7421								"kind"?:      string
7422								"name"?:      string
7423								"namespace"?: string
7424								"version"?:   string
7425							}]
7426						}]
7427
7428						// Repository is an optional alternate OCI repository to use for
7429						// resource bundle reference.
7430						// The repository can be overridden per Attestor or Attestation.
7431						"repository"?: string
7432					}
7433
7434					// Message specifies a custom message to be displayed on failure.
7435					"message"?: string
7436
7437					// Pattern specifies an overlay-style pattern used to check
7438					// resources.
7439					"pattern"?: null | bool | number | string | [...] | {
7440						...
7441					}
7442
7443					// PodSecurity applies exemptions for Kubernetes Pod Security
7444					// admission
7445					// by specifying exclusions for Pod Security Standards controls.
7446					"podSecurity"?: {
7447						// Exclude specifies the Pod Security Standard controls to be
7448						// excluded.
7449						"exclude"?: [...{
7450							// ControlName specifies the name of the Pod Security Standard
7451							// control.
7452							// See:
7453							// https://kubernetes.io/docs/concepts/security/pod-security-standards/
7454							"controlName"!: "HostProcess" | "Host Namespaces" | "Privileged Containers" | "Capabilities" | "HostPath Volumes" | "Host Ports" | "AppArmor" | "SELinux" | "/proc Mount Type" | "Seccomp" | "Sysctls" | "Volume Types" | "Privilege Escalation" | "Running as Non-root" | "Running as Non-root user"
7455
7456							// Images selects matching containers and applies the container
7457							// level PSS.
7458							// Each image is the image name consisting of the registry
7459							// address, repository, image, and tag.
7460							// Empty list matches no containers, PSS checks are applied at the
7461							// pod level only.
7462							// Wildcards ('*' and '?') are allowed. See:
7463							// https://kubernetes.io/docs/concepts/containers/images.
7464							"images"?: [...string]
7465
7466							// RestrictedField selects the field for the given Pod Security
7467							// Standard control.
7468							// When not set, all restricted fields for the control are
7469							// selected.
7470							"restrictedField"?: string
7471
7472							// Values defines the allowed values that can be excluded.
7473							"values"?: [...string]
7474						}]
7475
7476						// Level defines the Pod Security Standard level to be applied to
7477						// workloads.
7478						// Allowed values are privileged, baseline, and restricted.
7479						"level"?: "privileged" | "baseline" | "restricted"
7480
7481						// Version defines the Pod Security Standard versions that
7482						// Kubernetes supports.
7483						// Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24,
7484						// v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest.
7485						"version"?: "v1.19" | "v1.20" | "v1.21" | "v1.22" | "v1.23" | "v1.24" | "v1.25" | "v1.26" | "v1.27" | "v1.28" | "v1.29" | "latest"
7486					}
7487				}
7488
7489				// VerifyImages is used to verify image signatures and mutate them
7490				// to add a digest
7491				"verifyImages"?: [...{
7492					// Deprecated.
7493					"additionalExtensions"?: [string]: string
7494
7495					// Deprecated. Use annotations per Attestor instead.
7496					"annotations"?: {
7497						[string]: string
7498					}
7499
7500					// Attestations are optional checks for signed in-toto Statements
7501					// used to verify the image.
7502					// See https://github.com/in-toto/attestation. Kyverno fetches
7503					// signed attestations from the
7504					// OCI registry and decodes them into a list of Statement
7505					// declarations.
7506					"attestations"?: [...{
7507						// Attestors specify the required attestors (i.e. authorities).
7508						"attestors"?: [...{
7509							// Count specifies the required number of entries that must match.
7510							// If the count is null, all entries must match
7511							// (a logical AND). If the count is 1, at least one entry must
7512							// match (a logical OR). If the count contains a
7513							// value N, then N must be less than or equal to the size of
7514							// entries, and at least N entries must match.
7515							"count"?: int & >=1
7516
7517							// Entries contains the available attestors. An attestor can be a
7518							// static key,
7519							// attributes for keyless verification, or a nested attestor
7520							// declaration.
7521							"entries"?: [...{
7522								// Annotations are used for image verification.
7523								// Every specified key-value pair must exist and match in the
7524								// verified payload.
7525								// The payload may contain other key-value pairs.
7526								"annotations"?: [string]: string
7527
7528								// Attestor is a nested set of Attestor used to specify a more
7529								// complex set of match authorities.
7530								"attestor"?: null | bool | number | string | [...] | {
7531									...
7532								}
7533
7534								// Certificates specifies one or more certificates.
7535								"certificates"?: {
7536									// Cert is an optional PEM-encoded public certificate.
7537									"cert"?: string
7538
7539									// CertChain is an optional PEM encoded set of certificates used
7540									// to verify.
7541									"certChain"?: string
7542
7543									// CTLog (certificate timestamp log) provides a configuration for
7544									// validation of Signed Certificate
7545									// Timestamps (SCTs). If the value is unset, the default behavior
7546									// by Cosign is used.
7547									"ctlog"?: {
7548										// IgnoreSCT defines whether to use the Signed Certificate
7549										// Timestamp (SCT) log to check for a certificate
7550										// timestamp. Default is false. Set to true if this was opted out
7551										// during signing.
7552										"ignoreSCT"?: bool
7553
7554										// PubKey, if set, is used to validate SCTs against a custom
7555										// source.
7556										"pubkey"?: string
7557
7558										// TSACertChain, if set, is the PEM-encoded certificate chain file
7559										// for the RFC3161 timestamp authority. Must
7560										// contain the root CA certificate. Optionally may contain
7561										// intermediate CA certificates, and
7562										// may contain the leaf TSA certificate if not present in the
7563										// timestamp.
7564										"tsaCertChain"?: string
7565									}
7566
7567									// Rekor provides configuration for the Rekor transparency log
7568									// service. If an empty object
7569									// is provided the public instance of Rekor
7570									// (https://rekor.sigstore.dev) is used.
7571									"rekor"?: {
7572										// IgnoreTlog skips transparency log verification.
7573										"ignoreTlog"?: bool
7574
7575										// RekorPubKey is an optional PEM-encoded public key to use for a
7576										// custom Rekor.
7577										// If set, this will be used to validate transparency log
7578										// signatures from a custom Rekor.
7579										"pubkey"?: string
7580
7581										// URL is the address of the transparency log. Defaults to the
7582										// public Rekor log instance https://rekor.sigstore.dev.
7583										"url"?: string
7584									}
7585								}
7586
7587								// Keyless is a set of attributes used to verify a Sigstore keyless
7588								// attestor.
7589								// See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
7590								"keyless"?: {
7591									// AdditionalExtensions are certificate-extensions used for
7592									// keyless signing.
7593									"additionalExtensions"?: [string]: string
7594
7595									// CTLog (certificate timestamp log) provides a configuration for
7596									// validation of Signed Certificate
7597									// Timestamps (SCTs). If the value is unset, the default behavior
7598									// by Cosign is used.
7599									"ctlog"?: {
7600										// IgnoreSCT defines whether to use the Signed Certificate
7601										// Timestamp (SCT) log to check for a certificate
7602										// timestamp. Default is false. Set to true if this was opted out
7603										// during signing.
7604										"ignoreSCT"?: bool
7605
7606										// PubKey, if set, is used to validate SCTs against a custom
7607										// source.
7608										"pubkey"?: string
7609
7610										// TSACertChain, if set, is the PEM-encoded certificate chain file
7611										// for the RFC3161 timestamp authority. Must
7612										// contain the root CA certificate. Optionally may contain
7613										// intermediate CA certificates, and
7614										// may contain the leaf TSA certificate if not present in the
7615										// timestamp.
7616										"tsaCertChain"?: string
7617									}
7618
7619									// Issuer is the certificate issuer used for keyless signing.
7620									"issuer"?: string
7621
7622									// IssuerRegExp is the regular expression to match certificate
7623									// issuer used for keyless signing.
7624									"issuerRegExp"?: string
7625
7626									// Rekor provides configuration for the Rekor transparency log
7627									// service. If an empty object
7628									// is provided the public instance of Rekor
7629									// (https://rekor.sigstore.dev) is used.
7630									"rekor"?: {
7631										// IgnoreTlog skips transparency log verification.
7632										"ignoreTlog"?: bool
7633
7634										// RekorPubKey is an optional PEM-encoded public key to use for a
7635										// custom Rekor.
7636										// If set, this will be used to validate transparency log
7637										// signatures from a custom Rekor.
7638										"pubkey"?: string
7639
7640										// URL is the address of the transparency log. Defaults to the
7641										// public Rekor log instance https://rekor.sigstore.dev.
7642										"url"?: string
7643									}
7644
7645									// Roots is an optional set of PEM encoded trusted root
7646									// certificates.
7647									// If not provided, the system roots are used.
7648									"roots"?: string
7649
7650									// Subject is the verified identity used for keyless signing, for
7651									// example the email address.
7652									"subject"?: string
7653
7654									// SubjectRegExp is the regular expression to match identity used
7655									// for keyless signing, for example the email address.
7656									"subjectRegExp"?: string
7657								}
7658
7659								// Keys specifies one or more public keys.
7660								"keys"?: {
7661									// CTLog (certificate timestamp log) provides a configuration for
7662									// validation of Signed Certificate
7663									// Timestamps (SCTs). If the value is unset, the default behavior
7664									// by Cosign is used.
7665									"ctlog"?: {
7666										// IgnoreSCT defines whether to use the Signed Certificate
7667										// Timestamp (SCT) log to check for a certificate
7668										// timestamp. Default is false. Set to true if this was opted out
7669										// during signing.
7670										"ignoreSCT"?: bool
7671
7672										// PubKey, if set, is used to validate SCTs against a custom
7673										// source.
7674										"pubkey"?: string
7675
7676										// TSACertChain, if set, is the PEM-encoded certificate chain file
7677										// for the RFC3161 timestamp authority. Must
7678										// contain the root CA certificate. Optionally may contain
7679										// intermediate CA certificates, and
7680										// may contain the leaf TSA certificate if not present in the
7681										// timestamp.
7682										"tsaCertChain"?: string
7683									}
7684
7685									// KMS provides the URI to the public key stored in a Key
7686									// Management System. See:
7687									// https://github.com/sigstore/cosign/blob/main/KMS.md
7688									"kms"?: string
7689
7690									// Keys is a set of X.509 public keys used to verify image
7691									// signatures. The keys can be directly
7692									// specified or can be a variable reference to a key specified in
7693									// a ConfigMap (see
7694									// https://kyverno.io/docs/writing-policies/variables/), or
7695									// reference a standard Kubernetes Secret
7696									// elsewhere in the cluster by specifying it in the format
7697									// "k8s://<namespace>/<secret_name>".
7698									// The named Secret must specify a key `cosign.pub` containing the
7699									// public key used for
7700									// verification, (see
7701									// https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
7702									// When multiple keys are specified each key is processed as a
7703									// separate staticKey entry
7704									// (.attestors[*].entries.keys) within the set of attestors and
7705									// the count is applied across the keys.
7706									"publicKeys"?: string
7707
7708									// Rekor provides configuration for the Rekor transparency log
7709									// service. If an empty object
7710									// is provided the public instance of Rekor
7711									// (https://rekor.sigstore.dev) is used.
7712									"rekor"?: {
7713										// IgnoreTlog skips transparency log verification.
7714										"ignoreTlog"?: bool
7715
7716										// RekorPubKey is an optional PEM-encoded public key to use for a
7717										// custom Rekor.
7718										// If set, this will be used to validate transparency log
7719										// signatures from a custom Rekor.
7720										"pubkey"?: string
7721
7722										// URL is the address of the transparency log. Defaults to the
7723										// public Rekor log instance https://rekor.sigstore.dev.
7724										"url"?: string
7725									}
7726
7727									// Reference to a Secret resource that contains a public key
7728									"secret"?: {
7729										// Name of the secret. The provided secret must contain a key
7730										// named cosign.pub.
7731										"name"!: string
7732
7733										// Namespace name where the Secret exists.
7734										"namespace"!: string
7735									}
7736
7737									// Deprecated. Use attestor.signatureAlgorithm instead.
7738									"signatureAlgorithm"?: string
7739								}
7740
7741								// Repository is an optional alternate OCI repository to use for
7742								// signatures and attestations that match this rule.
7743								// If specified Repository will override other OCI image
7744								// repository locations for this Attestor.
								// Signatures are then fetched from this repository instead of from
								// alongside the image, so it needs the same trust as the image
								// source itself.
7745								"repository"?: string
7746
7747								// Specify signature algorithm for public keys. Supported values
7748								// are sha224, sha256, sha384 and sha512.
								// NOTE(review): the type is a plain string, so this schema does not
								// reject values outside the list above; checking the name is left
								// to the policy engine.
7749								"signatureAlgorithm"?: string
7750							}]
7751						}]
7752
7753						// Conditions are used to verify attributes within a Predicate. If
7754						// no Conditions are specified
7755						// the attestation check is satisfied as long as there are predicates
7756						// that match the predicate type.
						// Without conditions, the presence of a matching attestation is
						// enough; the predicate's contents are only examined through the
						// `all` / `any` lists below.
7757						"conditions"?: [...{
7758							// AllConditions enable variable-based conditional rule execution.
7759							// This is useful for
7760							// finer control of when a rule is applied. A condition can
7761							// reference object data
7762							// using JMESPath notation.
7763							// Here, all of the conditions need to pass
7764							"all"?: [...{
7765								// Key is the context entry (using JMESPath) for conditional rule
7766								// evaluation.
								// Any CUE value is accepted here; the schema does not constrain
								// the shape of the key.
7767								"key"?: null | bool | number | string | [...] | {
7768									...
7769								}
7770
7771								// Message is an optional display message
7772								"message"?: string
7773
7774								// Operator is the conditional operation to perform. Valid
7775								// operators are:
7776								// Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
7777								// GreaterThanOrEquals,
7778								// GreaterThan, LessThanOrEquals, LessThan,
7779								// DurationGreaterThanOrEquals, DurationGreaterThan,
7780								// DurationLessThanOrEquals, DurationLessThan
								// The disjunction below enforces this list at schema level.
7781								"operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
7782
7783								// Value is the conditional value, or set of values. The values
7784								// can be a fixed set
7785								// or can be variables declared using JMESPath.
7786								"value"?: null | bool | number | string | [...] | {
7787									...
7788								}
7789							}]
7790
7791							// AnyConditions enable variable-based conditional rule execution.
7792							// This is useful for
7793							// finer control of when a rule is applied. A condition can
7794							// reference object data
7795							// using JMESPath notation.
7796							// Here, at least one of the conditions need to pass
7797							"any"?: [...{
7798								// Key is the context entry (using JMESPath) for conditional rule
7799								// evaluation.
								// Any CUE value is accepted here; the schema does not constrain
								// the shape of the key.
7800								"key"?: null | bool | number | string | [...] | {
7801									...
7802								}
7803
7804								// Message is an optional display message
7805								"message"?: string
7806
7807								// Operator is the conditional operation to perform. Valid
7808								// operators are:
7809								// Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
7810								// GreaterThanOrEquals,
7811								// GreaterThan, LessThanOrEquals, LessThan,
7812								// DurationGreaterThanOrEquals, DurationGreaterThan,
7813								// DurationLessThanOrEquals, DurationLessThan
								// The disjunction below enforces this list at schema level.
7814								"operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
7815
7816								// Value is the conditional value, or set of values. The values
7817								// can be a fixed set
7818								// or can be variables declared using JMESPath.
7819								"value"?: null | bool | number | string | [...] | {
7820									...
7821								}
7822							}]
7823						}]
7824
7825						// Name is the variable name.
7826						"name"?: string
7827
7828						// Deprecated in favour of 'Type', to be removed soon
7829						"predicateType"?: string
7830
7831						// Type defines the type of attestation contained within the
7832						// Statement.
						// NOTE(review): unconstrained string; presumably the predicate type
						// URI of the in-toto Statement — confirm against the Kyverno docs.
7833						"type"?: string
7834					}]
7835
7836					// Attestors specify the required attestors (i.e. authorities)
					// Each list element is a group of entries plus a `count` of how many
					// of them must match; an entry is a static key set, a certificate
					// set, a keyless (Sigstore) identity, or a nested attestor.
7837					"attestors"?: [...{
7838						// Count specifies the required number of entries that must match.
7839						// If the count is null, all entries must match
7840						// (a logical AND). If the count is 1, at least one entry must
7841						// match (a logical OR). If the count contains a
7842						// value N, then N must be less than or equal to the size of
7843						// entries, and at least N entries must match.
						// The "null" case above is expressed by leaving the field unset;
						// the type is `int & >=1`, so an explicit null or 0 is rejected.
7844						"count"?: int & >=1
7845
7846						// Entries contains the available attestors. An attestor can be a
7847						// static key,
7848						// attributes for keyless verification, or a nested attestor
7849						// declaration.
7850						"entries"?: [...{
7851							// Annotations are used for image verification.
7852							// Every specified key-value pair must exist and match in the
7853							// verified payload.
7854							// The payload may contain other key-value pairs.
7855							"annotations"?: [string]: string
7856
7857							// Attestor is a nested set of Attestor used to specify a more
7858							// complex set of match authorities.
							// NOTE(review): typed as any value, so the contents of a nested
							// attestor are not validated by this schema.
7859							"attestor"?: null | bool | number | string | [...] | {
7860								...
7861							}
7862
7863							// Certificates specifies one or more certificates.
7864							"certificates"?: {
7865								// Cert is an optional PEM-encoded public certificate.
7866								"cert"?: string
7867
7868								// CertChain is an optional PEM encoded set of certificates used
7869								// to verify.
7870								"certChain"?: string
7871
7872								// CTLog (certificate timestamp log) provides a configuration for
7873								// validation of Signed Certificate
7874								// Timestamps (SCTs). If the value is unset, the default behavior
7875								// by Cosign is used.
7876								"ctlog"?: {
7877									// IgnoreSCT defines whether to use the Signed Certificate
7878									// Timestamp (SCT) log to check for a certificate
7879									// timestamp. Default is false. Set to true if this was opted out
7880									// during signing.
									// Setting this to true drops one check from the verification
									// chain; treat it as an explicit opt-out.
7881									"ignoreSCT"?: bool
7882
7883									// PubKey, if set, is used to validate SCTs against a custom
7884									// source.
7885									"pubkey"?: string
7886
7887									// TSACertChain, if set, is the PEM-encoded certificate chain file
7888									// for the RFC3161 timestamp authority. Must
7889									// contain the root CA certificate. Optionally may contain
7890									// intermediate CA certificates, and
7891									// may contain the leaf TSA certificate if not present in the
7892									// timestamp source.
7893									"tsaCertChain"?: string
7894								}
7895
7896								// Rekor provides configuration for the Rekor transparency log
7897								// service. If an empty object
7898								// is provided the public instance of Rekor
7899								// (https://rekor.sigstore.dev) is used.
7900								"rekor"?: {
7901									// IgnoreTlog skips transparency log verification.
									// With this set the signature is accepted without a transparency
									// log inclusion check; treat it as an explicit opt-out.
7902									"ignoreTlog"?: bool
7903
7904									// RekorPubKey is an optional PEM-encoded public key to use for a
7905									// custom Rekor.
7906									// If set, this will be used to validate transparency log
7907									// signatures from a custom Rekor.
7908									"pubkey"?: string
7909
7910									// URL is the address of the transparency log. Defaults to the
7911									// public Rekor log instance https://rekor.sigstore.dev.
7912									"url"?: string
7913								}
7914							}
7915
7916							// Keyless is a set of attributes used to verify a Sigstore keyless
7917							// attestor.
7918							// See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
							// The identity being trusted is the combination of issuer and
							// subject (exact or regexp form); the remaining fields tune the
							// certificate, CT log and transparency log checks.
7919							"keyless"?: {
7920								// AdditionalExtensions are certificate-extensions used for
7921								// keyless signing.
								// NOTE(review): presumably matched against the signing
								// certificate's extensions — confirm which ones are supported.
7922								"additionalExtensions"?: [string]: string
7923
7924								// CTLog (certificate timestamp log) provides a configuration for
7925								// validation of Signed Certificate
7926								// Timestamps (SCTs). If the value is unset, the default behavior
7927								// by Cosign is used.
7928								"ctlog"?: {
7929									// IgnoreSCT defines whether to use the Signed Certificate
7930									// Timestamp (SCT) log to check for a certificate
7931									// timestamp. Default is false. Set to true if this was opted out
7932									// during signing.
									// Setting this to true drops one check from the verification
									// chain; treat it as an explicit opt-out.
7933									"ignoreSCT"?: bool
7934
7935									// PubKey, if set, is used to validate SCTs against a custom
7936									// source.
7937									"pubkey"?: string
7938
7939									// TSACertChain, if set, is the PEM-encoded certificate chain file
7940									// for the RFC3161 timestamp authority. Must
7941									// contain the root CA certificate. Optionally may contain
7942									// intermediate CA certificates, and
7943									// may contain the leaf TSA certificate if not present in the
7944									// timestamp source.
7945									"tsaCertChain"?: string
7946								}
7947
7948								// Issuer is the certificate issuer used for keyless signing.
7949								"issuer"?: string
7950
7951								// IssuerRegExp is the regular expression to match certificate
7952								// issuer used for keyless signing.
								// Anchor the pattern (^...$) when the issuer is known exactly; an
								// unanchored one also matches issuers that merely contain it.
7953								"issuerRegExp"?: string
7954
7955								// Rekor provides configuration for the Rekor transparency log
7956								// service. If an empty object
7957								// is provided the public instance of Rekor
7958								// (https://rekor.sigstore.dev) is used.
7959								"rekor"?: {
7960									// IgnoreTlog skips transparency log verification.
									// With this set the signature is accepted without a transparency
									// log inclusion check; treat it as an explicit opt-out.
7961									"ignoreTlog"?: bool
7962
7963									// RekorPubKey is an optional PEM-encoded public key to use for a
7964									// custom Rekor.
7965									// If set, this will be used to validate transparency log
7966									// signatures from a custom Rekor.
7967									"pubkey"?: string
7968
7969									// URL is the address of the transparency log. Defaults to the
7970									// public Rekor log instance https://rekor.sigstore.dev.
7971									"url"?: string
7972								}
7973
7974								// Roots is an optional set of PEM encoded trusted root
7975								// certificates.
7976								// If not provided, the system roots are used.
								// NOTE(review): presumably a custom set replaces the system roots
								// rather than extending them — confirm before relying on it.
7977								"roots"?: string
7978
7979								// Subject is the verified identity used for keyless signing, for
7980								// example the email address.
7981								"subject"?: string
7982
7983								// SubjectRegExp is the regular expression to match identity used
7984								// for keyless signing, for example the email address.
								// Anchor the pattern (^...$) when the identity is known exactly; an
								// unanchored one also matches identities that merely contain it.
7985								"subjectRegExp"?: string
7986							}
7987
7988							// Keys specifies one or more public keys.
							// Static-key attestor: keys may be given inline, through a KMS URI,
							// or through a Secret reference.
7989							"keys"?: {
7990								// CTLog (certificate timestamp log) provides a configuration for
7991								// validation of Signed Certificate
7992								// Timestamps (SCTs). If the value is unset, the default behavior
7993								// by Cosign is used.
7994								"ctlog"?: {
7995									// IgnoreSCT defines whether to use the Signed Certificate
7996									// Timestamp (SCT) log to check for a certificate
7997									// timestamp. Default is false. Set to true if this was opted out
7998									// during signing.
									// Setting this to true drops one check from the verification
									// chain; treat it as an explicit opt-out.
7999									"ignoreSCT"?: bool
8000
8001									// PubKey, if set, is used to validate SCTs against a custom
8002									// source.
8003									"pubkey"?: string
8004
8005									// TSACertChain, if set, is the PEM-encoded certificate chain file
8006									// for the RFC3161 timestamp authority. Must
8007									// contain the root CA certificate. Optionally may contain
8008									// intermediate CA certificates, and
8009									// may contain the leaf TSA certificate if not present in the
8010									// timestamp source.
8011									"tsaCertChain"?: string
8012								}
8013
8014								// KMS provides the URI to the public key stored in a Key
8015								// Management System. See:
8016								// https://github.com/sigstore/cosign/blob/main/KMS.md
8017								"kms"?: string
8018
8019								// Keys is a set of X.509 public keys used to verify image
8020								// signatures. The keys can be directly
8021								// specified or can be a variable reference to a key specified in
8022								// a ConfigMap (see
8023								// https://kyverno.io/docs/writing-policies/variables/), or
8024								// reference a standard Kubernetes Secret
8025								// elsewhere in the cluster by specifying it in the format
8026								// "k8s://<namespace>/<secret_name>".
8027								// The named Secret must specify a key `cosign.pub` containing the
8028								// public key used for
8029								// verification, (see
8030								// https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
8031								// When multiple keys are specified each key is processed as a
8032								// separate staticKey entry
8033								// (.attestors[*].entries.keys) within the set of attestors and
8034								// the count is applied across the keys.
								// NOTE(review): the field is a single string; how several keys are
								// separated inside it is not expressed by this schema.
8035								"publicKeys"?: string
8036
8037								// Rekor provides configuration for the Rekor transparency log
8038								// service. If an empty object
8039								// is provided the public instance of Rekor
8040								// (https://rekor.sigstore.dev) is used.
8041								"rekor"?: {
8042									// IgnoreTlog skips transparency log verification.
									// With this set the signature is accepted without a transparency
									// log inclusion check; treat it as an explicit opt-out.
8043									"ignoreTlog"?: bool
8044
8045									// RekorPubKey is an optional PEM-encoded public key to use for a
8046									// custom Rekor.
8047									// If set, this will be used to validate transparency log
8048									// signatures from a custom Rekor.
8049									"pubkey"?: string
8050
8051									// URL is the address of the transparency log. Defaults to the
8052									// public Rekor log instance https://rekor.sigstore.dev.
8053									"url"?: string
8054								}
8055
8056								// Reference to a Secret resource that contains a public key
								// Both fields are required (`!`) when the block is present.
8057								"secret"?: {
8058									// Name of the secret. The provided secret must contain a key
8059									// named cosign.pub.
8060									"name"!: string
8061
8062									// Namespace name where the Secret exists.
8063									"namespace"!: string
8064								}
8065
8066								// Deprecated. Use attestor.signatureAlgorithm instead.
8067								"signatureAlgorithm"?: string
8068							}
8069
8070							// Repository is an optional alternate OCI repository to use for
8071							// signatures and attestations that match this rule.
8072							// If specified Repository will override other OCI image
8073							// repository locations for this Attestor.
							// Signatures are then fetched from this repository instead of from
							// alongside the image, so it needs the same trust as the image
							// source itself.
8074							"repository"?: string
8075
8076							// Specify signature algorithm for public keys. Supported values
8077							// are sha224, sha256, sha384 and sha512.
							// NOTE(review): the type is a plain string, so this schema does not
							// reject values outside the list above.
8078							"signatureAlgorithm"?: string
8079						}]
8080					}]
8081
8082					// CosignOCI11 enables the experimental OCI 1.1 behaviour in
8083					// cosign image verification.
8084					// Defaults to false.
8085					"cosignOCI11"?: bool
8086
8087					// Allowed values are Audit or Enforce.
					// NOTE(review): presumably Audit records a failed verification while
					// Enforce rejects the admission request — confirm against the Kyverno
					// docs before choosing the default for a cluster.
8088					"failureAction"?: "Audit" | "Enforce"
8089
8090					// Deprecated. Use ImageReferences instead.
8091					"image"?: string
8092
8093					// ImageReferences is a list of matching image reference patterns.
8094					// At least one pattern in the
8095					// list must match the image for the rule to apply. Each image
8096					// reference consists of a registry
8097					// address (defaults to docker.io), repository, image, and tag
8098					// (defaults to latest).
8099					// Wildcards ('*' and '?') are allowed. See:
8100					// https://kubernetes.io/docs/concepts/containers/images.
					// A broad wildcard widens the set of images the attestors in this
					// rule must vouch for; patterns that name the registry and repository
					// keep that set explicit.
8101					"imageReferences"?: [...string]
8102
8103					// ImageRegistryCredentials provides credentials that will be used
8104					// for authentication with registry.
8105					"imageRegistryCredentials"?: {
8106						// AllowInsecureRegistry allows insecure access to a registry.
						// NOTE(review): "insecure" is not defined by this schema; presumably
						// it permits registry access without transport security guarantees —
						// confirm, and keep it unset outside test environments.
8107						"allowInsecureRegistry"?: bool
8108
8109						// Providers specifies a list of OCI Registry names, whose
8110						// authentication providers are provided.
8111						// It can be of one of these values:
8112						// default,google,azure,amazon,github.
						// The disjunction below enforces this list at schema level.
8113						"providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
8114
8115						// Secrets specifies a list of secrets that are provided for
8116						// credentials.
8117						// Secrets must live in the Kyverno namespace.
						// Only Secret names are given here; the namespace is fixed to the
						// one Kyverno runs in.
8118						"secrets"?: [...string]
8119					}
8120
8121					// Deprecated. Use KeylessAttestor instead.
					// `issuer`, `key`, `roots` and `subject` are the older flat form of
					// attestor configuration; the `attestors` list is its replacement.
8122					"issuer"?: string
8123
8124					// Deprecated. Use StaticKeyAttestor instead.
8125					"key"?: string
8126
8127					// MutateDigest enables replacement of image tags with digests.
8128					// Defaults to true.
					// Tags are mutable references; substituting the resolved digest pins
					// the workload to the exact content that was checked.
8129					"mutateDigest"?: bool
8130
8131					// Repository is an optional alternate OCI repository to use for
8132					// image signatures and attestations that match this rule.
8133					// If specified Repository will override the default OCI image
8134					// repository configured for the installation.
8135					// The repository can also be overridden per Attestor or
8136					// Attestation.
8137					"repository"?: string
8138
8139					// Required validates that images are verified i.e. have matched and
8140					// passed a signature or attestation check.
					// NOTE(review): the default is not stated here; confirm whether an
					// unset value means verification is mandatory.
8141					"required"?: bool
8142
8143					// Deprecated. Use KeylessAttestor instead.
8144					"roots"?: string
8145
8146					// SkipImageReferences is a list of matching image reference
8147					// patterns that should be skipped.
8148					// At least one pattern in the list must match the image for the
8149					// rule to be skipped. Each image reference
8150					// consists of a registry address (defaults to docker.io),
8151					// repository, image, and tag (defaults to latest).
8152					// Wildcards ('*' and '?') are allowed. See:
8153					// https://kubernetes.io/docs/concepts/containers/images.
					// A matching skip pattern exempts the image from this rule entirely,
					// so wildcards here deserve the same care as in `imageReferences`.
8154					"skipImageReferences"?: [...string]
8155
8156					// Deprecated. Use KeylessAttestor instead.
8157					"subject"?: string
8158
8159					// Type specifies the method of signature validation. The allowed
8160					// options
8161					// are Cosign, Sigstore Bundle and Notary. By default Cosign is
8162					// used if a type is not specified.
					// The disjunction below enforces this list at schema level.
8163					"type"?: "Cosign" | "SigstoreBundle" | "Notary"
8164
8165					// UseCache enables caching of image verify responses for this
8166					// rule.
8167					"useCache"?: bool
8168
8169					// Validation checks conditions across multiple image
8170					// verification attestations or context entries
8171					"validate"?: {
8172						// Deny defines conditions used to pass or fail a validation rule.
8173						"deny"?: {
8174							// Multiple conditions can be declared under an `any` or `all`
8175							// statement. A direct list
8176							// of conditions (without `any` or `all` statements) is also
8177							// supported for backwards compatibility
8178							// but will be deprecated in the next major release.
8179							// See:
8180							// https://kyverno.io/docs/writing-policies/validate/#deny-rules
							// Any CUE value is accepted here, which is what allows both the
							// direct-list and the any/all forms; their shape is checked by the
							// policy engine, not by this schema.
8181							"conditions"?: null | bool | number | string | [...] | {
8182								...
8183							}
8184						}
8185
8186						// Message specifies a custom message to be displayed on failure.
8187						"message"?: string
8188					}
8189
8190					// VerifyDigest validates that images have a digest.
					// Rejects tag-only references, complementing `mutateDigest` for
					// workloads where mutation is not wanted.
8191					"verifyDigest"?: bool
8192				}]
8193			}]
8194		}
		// Standard Kubernetes condition list: each entry carries a type, a
		// True/False/Unknown status, a reason and a message. The length and
		// pattern constraints below mirror the metav1.Condition validation.
8195		"conditions"?: [...{
8196			// lastTransitionTime is the last time the condition transitioned
8197			// from one status to another.
8198			// This should be when the underlying condition changed. If that
8199			// is not known, then using the time when the API field changed
8200			// is acceptable.
			// Required; must be a valid RFC 3339 timestamp (CUE's time.Time).
8201			"lastTransitionTime"!: time.Time
8202
8203			// message is a human readable message indicating details about
8204			// the transition.
8205			// This may be an empty string.
			// Required but may be empty; capped at 32768 runes.
8206			"message"!: strings.MaxRunes(
8207					32768)
8208
8209			// observedGeneration represents the .metadata.generation that the
8210			// condition was set based upon.
8211			// For instance, if .metadata.generation is currently 12, but the
8212			// .status.conditions[x].observedGeneration is 9, the condition
8213			// is out of date
8214			// with respect to the current state of the instance.
8215			"observedGeneration"?: int64 & int & >=0
8216
8217			// reason contains a programmatic identifier indicating the reason
8218			// for the condition's last transition.
8219			// Producers of specific condition types may define expected
8220			// values and meanings for this field,
8221			// and whether the values are considered a guaranteed API.
8222			// The value should be a CamelCase string.
8223			// This field may not be empty.
			// Required; 1..1024 runes, starting with a letter and matching the
			// pattern below.
8224			"reason"!: strings.MaxRunes(
8225					1024) & strings.MinRunes(
8226					1) & =~"^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$"
8227
8228			// status of the condition, one of True, False, Unknown.
8229			"status"!: "True" | "False" | "Unknown"
8230
8231			// type of condition in CamelCase or in foo.example.com/CamelCase.
			// Required; at most 316 runes, optionally prefixed by a DNS-style
			// domain and a slash.
8232			"type"!: strings.MaxRunes(
8233					316) & =~"^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$"
8234		}]
8235
8236		// Deprecated in favor of Conditions
8237		"ready"?: bool
8238
8239		// RuleCountStatus contains four variables which describe counts
8240		// for
8241		// validate, generate, mutate and verify images rules
		// All four counters are required (`!`) when the block is present.
8242		"rulecount"?: {
8243			// Count for generate rules in policy
8244			"generate"!: int
8245
8246			// Count for mutate rules in policy
8247			"mutate"!: int
8248
8249			// Count for validate rules in policy
8250			"validate"!: int
8251
8252			// Count for verify image rules in policy
8253			"verifyimages"!: int
8254		}
8255
8256		// ValidatingAdmissionPolicy contains status information
		// Reports whether a ValidatingAdmissionPolicy was generated from this
		// policy; `message` carries the reason when generation did not succeed.
8257		"validatingadmissionpolicy"?: {
8258			// Generated indicates whether a validating admission policy is
8259			// generated from the policy or not
8260			"generated"!: bool
8261
8262			// Message is a human readable message indicating details about
8263			// the generation of validating admission policy
8264			// It is an empty string when validating admission policy is
8265			// successfully generated.
8266			"message"!: string
8267		}
8268	}
8269
	// _embeddedResource is the hidden (underscore) definition embedded into
	// #Policy. It makes apiVersion and kind mandatory (`!`) while leaving
	// the metadata shape open (`...`) so arbitrary metadata fields unify.
8270	_embeddedResource: {
8271		"apiVersion"!: string
8272		"kind"!:       string
8273		"metadata"?: {
8274			...
8275		}
8276	}
	// Concrete values: unifying with the required apiVersion/kind of
	// _embeddedResource pins this schema to the kyverno.io/v1 Policy kind.
8277	apiVersion: "kyverno.io/v1"
8278	kind:       "Policy"
	// Policy is namespace-scoped here: both name and namespace are required.
	// Labels and annotations are string maps; other metadata fields pass
	// through via `...`.
8279	metadata!: {
8280		"name"!:      string
8281		"namespace"!: string
8282		"labels"?: {
8283			[string]: string
8284		}
8285		"annotations"?: {
8286			[string]: string
8287		}
8288		...
8289	}
8290}