cue.dev/x/kyverno@v0.4.0

policy/v2beta1/schema.cue raw

   1package v2beta1
   2
   3import (
   4	"strings"
   5	"time"
   6)
   7
   8// Policy declares validation, mutation, and generation behaviors
   9// for matching resources.
  10// See: https://kyverno.io/docs/writing-policies/ for more
  11// information.
  12#Policy: {
  13	_embeddedResource
  14
  15	// APIVersion defines the versioned schema of this representation
  16	// of an object.
  17	// Servers should convert recognized schemas to the latest
  18	// internal value, and
  19	// may reject unrecognized values.
  20	// More info:
  21	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  22	"apiVersion"?: string
  23
  24	// Kind is a string value representing the REST resource this
  25	// object represents.
  26	// Servers may infer this from the endpoint the client submits
  27	// requests to.
  28	// Cannot be updated.
  29	// In CamelCase.
  30	// More info:
  31	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  32	"kind"?: string
  33	"metadata"?: {}
  34
  35	// Spec defines policy behaviors and contains one or more rules.
  36	"spec"!: {
  37		// Admission controls if rules are applied during admission.
  38		// Optional. Default value is "true".
  39		"admission"?: bool
  40
  41		// ApplyRules controls how rules in a policy are applied. Rule are
  42		// processed in
  43		// the order of declaration. When set to `One` processing stops
  44		// after a rule has
  45		// been applied i.e. the rule matches and results in a pass, fail,
  46		// or error. When
  47		// set to `All` all rules in the policy are processed. The default
  48		// is `All`.
  49		"applyRules"?: "All" | "One"
  50
  51		// Background controls if rules are applied to existing resources
  52		// during a background scan.
  53		// Optional. Default value is "true". The value must be set to
  54		// "false" if the policy rule
  55		// uses variables that are only available in the admission review
  56		// request (e.g. user name).
  57		"background"?: bool
  58
  59		// EmitWarning enables API response warnings for mutate policy
  60		// rules or validate policy rules with validationFailureAction
  61		// set to Audit.
  62		// Enabling this option will extend admission request processing
  63		// times. The default value is "false".
  64		"emitWarning"?: bool
  65
  66		// Deprecated, use failurePolicy under the webhookConfiguration
  67		// instead.
  68		"failurePolicy"?: "Ignore" | "Fail"
  69
  70		// Deprecated, use generateExisting under the generate rule
  71		// instead
  72		"generateExisting"?: bool
  73
  74		// Deprecated, use generateExisting instead
  75		"generateExistingOnPolicyUpdate"?: bool
  76
  77		// Deprecated, use mutateExistingOnPolicyUpdate under the mutate
  78		// rule instead
  79		"mutateExistingOnPolicyUpdate"?: bool
  80
  81		// Rules is a list of Rule instances. A Policy contains multiple
  82		// rules and
  83		// each rule can validate, mutate, or generate resources.
  84		"rules"?: [...{
  85			// CELPreconditions are used to determine if a policy rule should
  86			// be applied by evaluating a
  87			// set of CEL conditions. It can only be used with the
  88			// validate.cel subrule
  89			"celPreconditions"?: [...{
  90				// Expression represents the expression which will be evaluated by
  91				// CEL. Must evaluate to bool.
  92				// CEL expressions have access to the contents of the
  93				// AdmissionRequest and Authorizer, organized into CEL variables:
  94				//
  95				// 'object' - The object from the incoming request. The value is
  96				// null for DELETE requests.
  97				// 'oldObject' - The existing object. The value is null for CREATE
  98				// requests.
  99				// 'request' - Attributes of the admission
 100				// request(/pkg/apis/admission/types.go#AdmissionRequest).
 101				// 'authorizer' - A CEL Authorizer. May be used to perform
 102				// authorization checks for the principal (user or service
 103				// account) of the request.
 104				// See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
 105				// 'authorizer.requestResource' - A CEL ResourceCheck constructed
 106				// from the 'authorizer' and configured with the
 107				// request resource.
 108				// Documentation on CEL:
 109				// https://kubernetes.io/docs/reference/using-api/cel/
 110				//
 111				// Required.
 112				"expression"!: string
 113
 114				// Name is an identifier for this match condition, used for
 115				// strategic merging of MatchConditions,
 116				// as well as providing an identifier for logging purposes. A good
 117				// name should be descriptive of
 118				// the associated expression.
 119				// Name must be a qualified name consisting of alphanumeric
 120				// characters, '-', '_' or '.', and
 121				// must start and end with an alphanumeric character (e.g.
 122				// 'MyName', or 'my.name', or
 123				// '123-abc', regex used for validation is
 124				// '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
 125				// optional DNS subdomain prefix and '/' (e.g.
 126				// 'example.com/MyName')
 127				//
 128				// Required.
 129				"name"!: string
 130			}]
 131
 132			// Context defines variables and data sources that can be used
 133			// during rule execution.
 134			"context"?: [...matchN(1, [{
 135				"configMap"!: _
 136			}, {
 137				"apiCall"!: _
 138			}, {
 139				"imageRegistry"!: _
 140			}, {
 141				"variable"!: _
 142			}, {
 143				"globalReference"!: _
 144			}]) & {
 145				// APICall is an HTTP request to the Kubernetes API server, or
 146				// other JSON web service.
 147				// The data returned is stored in the context with the name for
 148				// the context entry.
 149				"apiCall"?: {
 150					// The data object specifies the POST data sent to the server.
 151					// Only applicable when the method field is set to POST.
 152					"data"?: [...{
 153						// Key is a unique identifier for the data value
 154						"key"!: string
 155
 156						// Value is the data value
 157						"value"!: null | bool | number | string | [...] | {
 158							...
 159						}
 160					}]
 161
 162					// Default is an optional arbitrary JSON object that the context
 163					// value is set to, if the apiCall returns error.
 164					"default"?: null | bool | number | string | [...] | {
 165						...
 166					}
 167
 168					// JMESPath is an optional JSON Match Expression that can be used
 169					// to
 170					// transform the JSON response returned from the server. For
 171					// example
 172					// a JMESPath of "items | length(@)" applied to the API server
 173					// response
 174					// for the URLPath "/apis/apps/v1/deployments" will return the
 175					// total count
 176					// of deployments across all namespaces.
 177					"jmesPath"?: string
 178
 179					// Method is the HTTP request type (GET or POST). Defaults to GET.
 180					"method"?: "GET" | "POST"
 181
 182					// Service is an API call to a JSON web service.
 183					// This is used for non-Kubernetes API server calls.
 184					// It's mutually exclusive with the URLPath field.
 185					"service"?: {
 186						// CABundle is a PEM encoded CA bundle which will be used to
 187						// validate
 188						// the server certificate.
 189						"caBundle"?: string
 190
 191						// Headers is a list of optional HTTP headers to be included in
 192						// the request.
 193						"headers"?: [...{
 194							// Key is the header key
 195							"key"!: string
 196
 197							// Value is the header value
 198							"value"!: string
 199						}]
 200
 201						// URL is the JSON web service URL. A typical form is
 202						// `https://{service}.{namespace}:{port}/{path}`.
 203						"url"!: string
 204					}
 205
 206					// URLPath is the URL path to be used in the HTTP GET or POST
 207					// request to the
 208					// Kubernetes API server (e.g. "/api/v1/namespaces" or
 209					// "/apis/apps/v1/deployments").
 210					// The format required is the same format used by the `kubectl get
 211					// --raw` command.
 212					// See
 213					// https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
 214					// for details.
 215					// It's mutually exclusive with the Service field.
 216					"urlPath"?: string
 217				}
 218
 219				// ConfigMap is the ConfigMap reference.
 220				"configMap"?: {
 221					// Name is the ConfigMap name.
 222					"name"!: string
 223
 224					// Namespace is the ConfigMap namespace.
 225					"namespace"?: string
 226				}
 227
 228				// GlobalContextEntryReference is a reference to a cached global
 229				// context entry.
 230				"globalReference"?: {
 231					// JMESPath is an optional JSON Match Expression that can be used
 232					// to
 233					// transform the JSON response returned from the server. For
 234					// example
 235					// a JMESPath of "items | length(@)" applied to the API server
 236					// response
 237					// for the URLPath "/apis/apps/v1/deployments" will return the
 238					// total count
 239					// of deployments across all namespaces.
 240					"jmesPath"?: string
 241
 242					// Name of the global context entry
 243					"name"!: string
 244				}
 245
 246				// ImageRegistry defines requests to an OCI/Docker V2 registry to
 247				// fetch image
 248				// details.
 249				"imageRegistry"?: {
 250					// ImageRegistryCredentials provides credentials that will be used
 251					// for authentication with registry
 252					"imageRegistryCredentials"?: {
 253						// AllowInsecureRegistry allows insecure access to a registry.
 254						"allowInsecureRegistry"?: bool
 255
 256						// Providers specifies a list of OCI Registry names, whose
 257						// authentication providers are provided.
 258						// It can be of one of these values:
 259						// default,google,azure,amazon,github.
 260						"providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
 261
 262						// Secrets specifies a list of secrets that are provided for
 263						// credentials.
 264						// Secrets must live in the Kyverno namespace.
 265						"secrets"?: [...string]
 266					}
 267
 268					// JMESPath is an optional JSON Match Expression that can be used
 269					// to
 270					// transform the ImageData struct returned as a result of
 271					// processing
 272					// the image reference.
 273					"jmesPath"?: string
 274
 275					// Reference is image reference to a container image in the
 276					// registry.
 277					// Example: ghcr.io/kyverno/kyverno:latest
 278					"reference"!: string
 279				}
 280
 281				// Name is the variable name.
 282				"name"!: string
 283
 284				// Variable defines an arbitrary JMESPath context variable that
 285				// can be defined inline.
 286				"variable"?: {
 287					// Default is an optional arbitrary JSON object that the variable
 288					// may take if the JMESPath
 289					// expression evaluates to nil
 290					"default"?: null | bool | number | string | [...] | {
 291						...
 292					}
 293
 294					// JMESPath is an optional JMESPath Expression that can be used to
 295					// transform the variable.
 296					"jmesPath"?: string
 297
 298					// Value is any arbitrary JSON object representable in YAML or
 299					// JSON form.
 300					"value"?: null | bool | number | string | [...] | {
 301						...
 302					}
 303				}
 304			}]
 305
 306			// ExcludeResources defines when this policy rule should not be
 307			// applied. The exclude
 308			// criteria can include resource information (e.g. kind, name,
 309			// namespace, labels)
 310			// and admission review request information like the name or role.
 311			"exclude"?: matchN(0, [null | bool | number | string | [...] | {
 312				"any"!: _
 313				"all"!: _
 314			}]) & {
 315				// All allows specifying resources which will be ANDed
 316				"all"?: [...{
 317					// ClusterRoles is the list of cluster-wide role names for the
 318					// user.
 319					"clusterRoles"?: [...string]
 320
 321					// ResourceDescription contains information about the resource
 322					// being created or modified.
 323					"resources"?: matchN(0, [null | bool | number | string | [...] | {
 324						"name"!:  _
 325						"names"!: _
 326					}]) & {
 327						// Annotations is a map of annotations (key-value pairs of type
 328						// string). Annotation keys
 329						// and values support the wildcard characters "*" (matches zero or
 330						// many characters) and
 331						// "?" (matches at least one character).
 332						"annotations"?: [string]: string
 333
 334						// Kinds is a list of resource kinds.
 335						"kinds"?: [...string]
 336
 337						// Name is the name of the resource. The name supports wildcard
 338						// characters
 339						// "*" (matches zero or many characters) and "?" (at least one
 340						// character).
 341						// NOTE: "Name" is being deprecated in favor of "Names".
 342						"name"?: string
 343
 344						// Names are the names of the resources. Each name supports
 345						// wildcard characters
 346						// "*" (matches zero or many characters) and "?" (at least one
 347						// character).
 348						"names"?: [...string]
 349
 350						// NamespaceSelector is a label selector for the resource
 351						// namespace. Label keys and values
 352						// in `matchLabels` support the wildcard characters `*` (matches
 353						// zero or many characters)
 354						// and `?` (matches one character). Wildcards allow writing label
 355						// selectors like
 356						// ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
 357						// any key and value but
 358						// does not match an empty label set.
 359						"namespaceSelector"?: {
 360							// matchExpressions is a list of label selector requirements. The
 361							// requirements are ANDed.
 362							"matchExpressions"?: [...{
 363								// key is the label key that the selector applies to.
 364								"key"!: string
 365
 366								// operator represents a key's relationship to a set of values.
 367								// Valid operators are In, NotIn, Exists and DoesNotExist.
 368								"operator"!: string
 369
 370								// values is an array of string values. If the operator is In or
 371								// NotIn,
 372								// the values array must be non-empty. If the operator is Exists
 373								// or DoesNotExist,
 374								// the values array must be empty. This array is replaced during a
 375								// strategic
 376								// merge patch.
 377								"values"?: [...string]
 378							}]
 379
 380							// matchLabels is a map of {key,value} pairs. A single {key,value}
 381							// in the matchLabels
 382							// map is equivalent to an element of matchExpressions, whose key
 383							// field is "key", the
 384							// operator is "In", and the values array contains only "value".
 385							// The requirements are ANDed.
 386							"matchLabels"?: {
 387								[string]: string
 388							}
 389						}
 390
 391						// Namespaces is a list of namespace names. Each name supports
 392						// wildcard characters
 393						// "*" (matches zero or many characters) and "?" (at least one
 394						// character).
 395						"namespaces"?: [...string]
 396
 397						// Operations can contain values ["CREATE", "UPDATE", "CONNECT",
 398						// "DELETE"], which are used to match a specific action.
 399						"operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
 400
 401						// Selector is a label selector. Label keys and values in
 402						// `matchLabels` support the wildcard
 403						// characters `*` (matches zero or many characters) and `?`
 404						// (matches one character).
 405						// Wildcards allow writing label selectors like
 406						// ["storage.k8s.io/*": "*"]. Note that
 407						// using ["*" : "*"] matches any key and value but does not match
 408						// an empty label set.
 409						"selector"?: {
 410							// matchExpressions is a list of label selector requirements. The
 411							// requirements are ANDed.
 412							"matchExpressions"?: [...{
 413								// key is the label key that the selector applies to.
 414								"key"!: string
 415
 416								// operator represents a key's relationship to a set of values.
 417								// Valid operators are In, NotIn, Exists and DoesNotExist.
 418								"operator"!: string
 419
 420								// values is an array of string values. If the operator is In or
 421								// NotIn,
 422								// the values array must be non-empty. If the operator is Exists
 423								// or DoesNotExist,
 424								// the values array must be empty. This array is replaced during a
 425								// strategic
 426								// merge patch.
 427								"values"?: [...string]
 428							}]
 429
 430							// matchLabels is a map of {key,value} pairs. A single {key,value}
 431							// in the matchLabels
 432							// map is equivalent to an element of matchExpressions, whose key
 433							// field is "key", the
 434							// operator is "In", and the values array contains only "value".
 435							// The requirements are ANDed.
 436							"matchLabels"?: {
 437								[string]: string
 438							}
 439						}
 440					}
 441
 442					// Roles is the list of namespaced role names for the user.
 443					"roles"?: [...string]
 444
 445					// Subjects is the list of subject names like users, user groups,
 446					// and service accounts.
 447					"subjects"?: [...{
 448						// APIGroup holds the API group of the referenced subject.
 449						// Defaults to "" for ServiceAccount subjects.
 450						// Defaults to "rbac.authorization.k8s.io" for User and Group
 451						// subjects.
 452						"apiGroup"?: string
 453
 454						// Kind of object being referenced. Values defined by this API
 455						// group are "User", "Group", and "ServiceAccount".
 456						// If the Authorizer does not recognize the kind value, the
 457						// Authorizer should report an error.
 458						"kind"!: string
 459
 460						// Name of the object being referenced.
 461						"name"!: string
 462
 463						// Namespace of the referenced object. If the object kind is
 464						// non-namespace, such as "User" or "Group", and this value is
 465						// not empty
 466						// the Authorizer should report an error.
 467						"namespace"?: string
 468					}]
 469				}]
 470
 471				// Any allows specifying resources which will be ORed
 472				"any"?: [...{
 473					// ClusterRoles is the list of cluster-wide role names for the
 474					// user.
 475					"clusterRoles"?: [...string]
 476
 477					// ResourceDescription contains information about the resource
 478					// being created or modified.
 479					"resources"?: matchN(0, [null | bool | number | string | [...] | {
 480						"name"!:  _
 481						"names"!: _
 482					}]) & {
 483						// Annotations is a map of annotations (key-value pairs of type
 484						// string). Annotation keys
 485						// and values support the wildcard characters "*" (matches zero or
 486						// many characters) and
 487						// "?" (matches at least one character).
 488						"annotations"?: [string]: string
 489
 490						// Kinds is a list of resource kinds.
 491						"kinds"?: [...string]
 492
 493						// Name is the name of the resource. The name supports wildcard
 494						// characters
 495						// "*" (matches zero or many characters) and "?" (at least one
 496						// character).
 497						// NOTE: "Name" is being deprecated in favor of "Names".
 498						"name"?: string
 499
 500						// Names are the names of the resources. Each name supports
 501						// wildcard characters
 502						// "*" (matches zero or many characters) and "?" (at least one
 503						// character).
 504						"names"?: [...string]
 505
 506						// NamespaceSelector is a label selector for the resource
 507						// namespace. Label keys and values
 508						// in `matchLabels` support the wildcard characters `*` (matches
 509						// zero or many characters)
 510						// and `?` (matches one character). Wildcards allow writing label
 511						// selectors like
 512						// ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
 513						// any key and value but
 514						// does not match an empty label set.
 515						"namespaceSelector"?: {
 516							// matchExpressions is a list of label selector requirements. The
 517							// requirements are ANDed.
 518							"matchExpressions"?: [...{
 519								// key is the label key that the selector applies to.
 520								"key"!: string
 521
 522								// operator represents a key's relationship to a set of values.
 523								// Valid operators are In, NotIn, Exists and DoesNotExist.
 524								"operator"!: string
 525
 526								// values is an array of string values. If the operator is In or
 527								// NotIn,
 528								// the values array must be non-empty. If the operator is Exists
 529								// or DoesNotExist,
 530								// the values array must be empty. This array is replaced during a
 531								// strategic
 532								// merge patch.
 533								"values"?: [...string]
 534							}]
 535
 536							// matchLabels is a map of {key,value} pairs. A single {key,value}
 537							// in the matchLabels
 538							// map is equivalent to an element of matchExpressions, whose key
 539							// field is "key", the
 540							// operator is "In", and the values array contains only "value".
 541							// The requirements are ANDed.
 542							"matchLabels"?: {
 543								[string]: string
 544							}
 545						}
 546
 547						// Namespaces is a list of namespace names. Each name supports
 548						// wildcard characters
 549						// "*" (matches zero or many characters) and "?" (at least one
 550						// character).
 551						"namespaces"?: [...string]
 552
 553						// Operations can contain values ["CREATE", "UPDATE", "CONNECT",
 554						// "DELETE"], which are used to match a specific action.
 555						"operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
 556
 557						// Selector is a label selector. Label keys and values in
 558						// `matchLabels` support the wildcard
 559						// characters `*` (matches zero or many characters) and `?`
 560						// (matches one character).
 561						// Wildcards allow writing label selectors like
 562						// ["storage.k8s.io/*": "*"]. Note that
 563						// using ["*" : "*"] matches any key and value but does not match
 564						// an empty label set.
 565						"selector"?: {
 566							// matchExpressions is a list of label selector requirements. The
 567							// requirements are ANDed.
 568							"matchExpressions"?: [...{
 569								// key is the label key that the selector applies to.
 570								"key"!: string
 571
 572								// operator represents a key's relationship to a set of values.
 573								// Valid operators are In, NotIn, Exists and DoesNotExist.
 574								"operator"!: string
 575
 576								// values is an array of string values. If the operator is In or
 577								// NotIn,
 578								// the values array must be non-empty. If the operator is Exists
 579								// or DoesNotExist,
 580								// the values array must be empty. This array is replaced during a
 581								// strategic
 582								// merge patch.
 583								"values"?: [...string]
 584							}]
 585
 586							// matchLabels is a map of {key,value} pairs. A single {key,value}
 587							// in the matchLabels
 588							// map is equivalent to an element of matchExpressions, whose key
 589							// field is "key", the
 590							// operator is "In", and the values array contains only "value".
 591							// The requirements are ANDed.
 592							"matchLabels"?: {
 593								[string]: string
 594							}
 595						}
 596					}
 597
 598					// Roles is the list of namespaced role names for the user.
 599					"roles"?: [...string]
 600
 601					// Subjects is the list of subject names like users, user groups,
 602					// and service accounts.
 603					"subjects"?: [...{
 604						// APIGroup holds the API group of the referenced subject.
 605						// Defaults to "" for ServiceAccount subjects.
 606						// Defaults to "rbac.authorization.k8s.io" for User and Group
 607						// subjects.
 608						"apiGroup"?: string
 609
 610						// Kind of object being referenced. Values defined by this API
 611						// group are "User", "Group", and "ServiceAccount".
 612						// If the Authorizer does not recognize the kind value, the
 613						// Authorizer should report an error.
 614						"kind"!: string
 615
 616						// Name of the object being referenced.
 617						"name"!: string
 618
 619						// Namespace of the referenced object. If the object kind is
 620						// non-namespace, such as "User" or "Group", and this value is
 621						// not empty
 622						// the Authorizer should report an error.
 623						"namespace"?: string
 624					}]
 625				}]
 626			}
 627
 628			// Generation is used to create new resources.
 629			"generate"?: {
 630				// APIVersion specifies resource apiVersion.
 631				"apiVersion"?: string
 632
 633				// Clone specifies the source resource used to populate each
 634				// generated resource.
 635				// At most one of Data or Clone can be specified. If neither are
 636				// provided, the generated
 637				// resource will be created with default data only.
 638				"clone"?: {
 639					// Name specifies name of the resource.
 640					"name"?: string
 641
 642					// Namespace specifies source resource namespace.
 643					"namespace"?: string
 644				}
 645
 646				// CloneList specifies the list of source resource used to
 647				// populate each generated resource.
 648				"cloneList"?: {
 649					// Kinds is a list of resource kinds.
 650					"kinds"?: [...string]
 651
 652					// Namespace specifies source resource namespace.
 653					"namespace"?: string
 654
 655					// Selector is a label selector. Label keys and values in
 656					// `matchLabels`.
 657					// wildcard characters are not supported.
 658					"selector"?: {
 659						// matchExpressions is a list of label selector requirements. The
 660						// requirements are ANDed.
 661						"matchExpressions"?: [...{
 662							// key is the label key that the selector applies to.
 663							"key"!: string
 664
 665							// operator represents a key's relationship to a set of values.
 666							// Valid operators are In, NotIn, Exists and DoesNotExist.
 667							"operator"!: string
 668
 669							// values is an array of string values. If the operator is In or
 670							// NotIn,
 671							// the values array must be non-empty. If the operator is Exists
 672							// or DoesNotExist,
 673							// the values array must be empty. This array is replaced during a
 674							// strategic
 675							// merge patch.
 676							"values"?: [...string]
 677						}]
 678
 679						// matchLabels is a map of {key,value} pairs. A single {key,value}
 680						// in the matchLabels
 681						// map is equivalent to an element of matchExpressions, whose key
 682						// field is "key", the
 683						// operator is "In", and the values array contains only "value".
 684						// The requirements are ANDed.
 685						"matchLabels"?: {
 686							[string]: string
 687						}
 688					}
 689				}
 690
 691				// Data provides the resource declaration used to populate each
 692				// generated resource.
 693				// At most one of Data or Clone must be specified. If neither are
 694				// provided, the generated
 695				// resource will be created with default data only.
 696				"data"?: null | bool | number | string | [...] | {
 697					...
 698				}
 699
 700				// ForEach applies generate rules to a list of sub-elements by
 701				// creating a context for each entry in the list and looping over
 702				// it to apply the specified logic.
 703				"foreach"?: [...{
 704					// APIVersion specifies resource apiVersion.
 705					"apiVersion"?: string
 706
 707					// Clone specifies the source resource used to populate each
 708					// generated resource.
 709					// At most one of Data or Clone can be specified. If neither are
 710					// provided, the generated
 711					// resource will be created with default data only.
 712					"clone"?: {
 713						// Name specifies name of the resource.
 714						"name"?: string
 715
 716						// Namespace specifies source resource namespace.
 717						"namespace"?: string
 718					}
 719
 720					// CloneList specifies the list of source resource used to
 721					// populate each generated resource.
 722					"cloneList"?: {
 723						// Kinds is a list of resource kinds.
 724						"kinds"?: [...string]
 725
 726						// Namespace specifies source resource namespace.
 727						"namespace"?: string
 728
 729						// Selector is a label selector. Label keys and values in
 730						// `matchLabels`.
 731						// wildcard characters are not supported.
 732						"selector"?: {
 733							// matchExpressions is a list of label selector requirements. The
 734							// requirements are ANDed.
 735							"matchExpressions"?: [...{
 736								// key is the label key that the selector applies to.
 737								"key"!: string
 738
 739								// operator represents a key's relationship to a set of values.
 740								// Valid operators are In, NotIn, Exists and DoesNotExist.
 741								"operator"!: string
 742
 743								// values is an array of string values. If the operator is In or
 744								// NotIn,
 745								// the values array must be non-empty. If the operator is Exists
 746								// or DoesNotExist,
 747								// the values array must be empty. This array is replaced during a
 748								// strategic
 749								// merge patch.
 750								"values"?: [...string]
 751							}]
 752
 753							// matchLabels is a map of {key,value} pairs. A single {key,value}
 754							// in the matchLabels
 755							// map is equivalent to an element of matchExpressions, whose key
 756							// field is "key", the
 757							// operator is "In", and the values array contains only "value".
 758							// The requirements are ANDed.
 759							"matchLabels"?: {
 760								[string]: string
 761							}
 762						}
 763					}
 764
 765					// Context defines variables and data sources that can be used
 766					// during rule execution.
 767					"context"?: [...matchN(1, [{
 768						"configMap"!: _
 769					}, {
 770						"apiCall"!: _
 771					}, {
 772						"imageRegistry"!: _
 773					}, {
 774						"variable"!: _
 775					}, {
 776						"globalReference"!: _
 777					}]) & {
 778						// APICall is an HTTP request to the Kubernetes API server, or
 779						// other JSON web service.
 780						// The data returned is stored in the context with the name for
 781						// the context entry.
 782						"apiCall"?: {
 783							// The data object specifies the POST data sent to the server.
 784							// Only applicable when the method field is set to POST.
 785							"data"?: [...{
 786								// Key is a unique identifier for the data value
 787								"key"!: string
 788
 789								// Value is the data value
 790								"value"!: null | bool | number | string | [...] | {
 791									...
 792								}
 793							}]
 794
 795							// Default is an optional arbitrary JSON object that the context
 796							// value is set to, if the apiCall returns error.
 797							"default"?: null | bool | number | string | [...] | {
 798								...
 799							}
 800
 801							// JMESPath is an optional JSON Match Expression that can be used
 802							// to
 803							// transform the JSON response returned from the server. For
 804							// example
 805							// a JMESPath of "items | length(@)" applied to the API server
 806							// response
 807							// for the URLPath "/apis/apps/v1/deployments" will return the
 808							// total count
 809							// of deployments across all namespaces.
 810							"jmesPath"?: string
 811
 812							// Method is the HTTP request type (GET or POST). Defaults to GET.
 813							"method"?: "GET" | "POST"
 814
 815							// Service is an API call to a JSON web service.
 816							// This is used for non-Kubernetes API server calls.
 817							// It's mutually exclusive with the URLPath field.
 818							"service"?: {
 819								// CABundle is a PEM encoded CA bundle which will be used to
 820								// validate
 821								// the server certificate.
 822								"caBundle"?: string
 823
 824								// Headers is a list of optional HTTP headers to be included in
 825								// the request.
 826								"headers"?: [...{
 827									// Key is the header key
 828									"key"!: string
 829
 830									// Value is the header value
 831									"value"!: string
 832								}]
 833
 834								// URL is the JSON web service URL. A typical form is
 835								// `https://{service}.{namespace}:{port}/{path}`.
 836								"url"!: string
 837							}
 838
 839							// URLPath is the URL path to be used in the HTTP GET or POST
 840							// request to the
 841							// Kubernetes API server (e.g. "/api/v1/namespaces" or
 842							// "/apis/apps/v1/deployments").
 843							// The format required is the same format used by the `kubectl get
 844							// --raw` command.
 845							// See
 846							// https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
 847							// for details.
 848							// It's mutually exclusive with the Service field.
 849							"urlPath"?: string
 850						}
 851
 852						// ConfigMap is the ConfigMap reference.
 853						"configMap"?: {
 854							// Name is the ConfigMap name.
 855							"name"!: string
 856
 857							// Namespace is the ConfigMap namespace.
 858							"namespace"?: string
 859						}
 860
 861						// GlobalContextEntryReference is a reference to a cached global
 862						// context entry.
 863						"globalReference"?: {
 864							// JMESPath is an optional JSON Match Expression that can be used
 865							// to
 866							// transform the JSON response returned from the server. For
 867							// example
 868							// a JMESPath of "items | length(@)" applied to the API server
 869							// response
 870							// for the URLPath "/apis/apps/v1/deployments" will return the
 871							// total count
 872							// of deployments across all namespaces.
 873							"jmesPath"?: string
 874
 875							// Name of the global context entry
 876							"name"!: string
 877						}
 878
 879						// ImageRegistry defines requests to an OCI/Docker V2 registry to
 880						// fetch image
 881						// details.
 882						"imageRegistry"?: {
 883							// ImageRegistryCredentials provides credentials that will be used
 884							// for authentication with registry
 885							"imageRegistryCredentials"?: {
 886								// AllowInsecureRegistry allows insecure access to a registry.
 887								"allowInsecureRegistry"?: bool
 888
 889								// Providers specifies a list of OCI Registry names, whose
 890								// authentication providers are provided.
 891								// Each entry must be one of these values:
 892								// default, google, azure, amazon, github.
 893								"providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
 894
 895								// Secrets specifies a list of secrets that are provided for
 896								// credentials.
 897								// Secrets must live in the Kyverno namespace.
 898								"secrets"?: [...string]
 899							}
 900
 901							// JMESPath is an optional JSON Match Expression that can be used
 902							// to
 903							// transform the ImageData struct returned as a result of
 904							// processing
 905							// the image reference.
 906							"jmesPath"?: string
 907
 908							// Reference is image reference to a container image in the
 909							// registry.
 910							// Example: ghcr.io/kyverno/kyverno:latest
 911							"reference"!: string
 912						}
 913
 914						// Name is the variable name.
 915						"name"!: string
 916
 917						// Variable defines an arbitrary JMESPath context variable that
 918						// can be defined inline.
 919						"variable"?: {
 920							// Default is an optional arbitrary JSON object that the variable
 921							// may take if the JMESPath
 922							// expression evaluates to nil
 923							"default"?: null | bool | number | string | [...] | {
 924								...
 925							}
 926
 927							// JMESPath is an optional JMESPath Expression that can be used to
 928							// transform the variable.
 929							"jmesPath"?: string
 930
 931							// Value is any arbitrary JSON object representable in YAML or
 932							// JSON form.
 933							"value"?: null | bool | number | string | [...] | {
 934								...
 935							}
 936						}
 937					}]
 938
 939					// Data provides the resource declaration used to populate each
 940					// generated resource.
 941					// At most one of Data or Clone must be specified. If neither are
 942					// provided, the generated
 943					// resource will be created with default data only.
 944					"data"?: null | bool | number | string | [...] | {
 945						...
 946					}
 947
 948					// Kind specifies resource kind.
 949					"kind"?: string
 950
 951					// List specifies a JMESPath expression that results in one or
 952					// more elements
 953					// to which the validation logic is applied.
 954					"list"?: string
 955
 956					// Name specifies the resource name.
 957					"name"?: string
 958
 959					// Namespace specifies resource namespace.
 960					"namespace"?: string
 961
 962					// AnyAllConditions are used to determine if a policy rule should
 963					// be applied by evaluating a
 964					// set of conditions. The declaration can contain nested `any` or
 965					// `all` statements.
 966					// See: https://kyverno.io/docs/writing-policies/preconditions/
 967					"preconditions"?: {
 968						// AllConditions enable variable-based conditional rule execution.
 969						// This is useful for
 970						// finer control of when a rule is applied. A condition can
 971						// reference object data
 972						// using JMESPath notation.
 973						// Here, all of the conditions need to pass
 974						"all"?: [...{
 975							// Key is the context entry (using JMESPath) for conditional rule
 976							// evaluation.
 977							"key"?: null | bool | number | string | [...] | {
 978								...
 979							}
 980
 981							// Message is an optional display message
 982							"message"?: string
 983
 984							// Operator is the conditional operation to perform. Valid
 985							// operators are:
 986							// Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
 987							// GreaterThanOrEquals,
 988							// GreaterThan, LessThanOrEquals, LessThan,
 989							// DurationGreaterThanOrEquals, DurationGreaterThan,
 990							// DurationLessThanOrEquals, DurationLessThan
 991							"operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
 992
 993							// Value is the conditional value, or set of values. The values
 994							// can be fixed set
 995							// or can be variables declared using JMESPath.
 996							"value"?: null | bool | number | string | [...] | {
 997								...
 998							}
 999						}]
1000
1001						// AnyConditions enable variable-based conditional rule execution.
1002						// This is useful for
1003						// finer control of when a rule is applied. A condition can
1004						// reference object data
1005						// using JMESPath notation.
1006						// Here, at least one of the conditions need to pass
1007						"any"?: [...{
1008							// Key is the context entry (using JMESPath) for conditional rule
1009							// evaluation.
1010							"key"?: null | bool | number | string | [...] | {
1011								...
1012							}
1013
1014							// Message is an optional display message
1015							"message"?: string
1016
1017							// Operator is the conditional operation to perform. Valid
1018							// operators are:
1019							// Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
1020							// GreaterThanOrEquals,
1021							// GreaterThan, LessThanOrEquals, LessThan,
1022							// DurationGreaterThanOrEquals, DurationGreaterThan,
1023							// DurationLessThanOrEquals, DurationLessThan
1024							"operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
1025
1026							// Value is the conditional value, or set of values. The values
1027							// can be fixed set
1028							// or can be variables declared using JMESPath.
1029							"value"?: null | bool | number | string | [...] | {
1030								...
1031							}
1032						}]
1033						...
1034					}
1035
1036					// UID specifies the resource uid.
1037					"uid"?: string
1038				}]
1039
1040				// GenerateExisting controls whether to trigger the rule in
1041				// existing resources
1042				// If set to "true" the rule will be triggered and applied to
1043				// existing matched resources.
1044				"generateExisting"?: bool
1045
1046				// Kind specifies resource kind.
1047				"kind"?: string
1048
1049				// Name specifies the resource name.
1050				"name"?: string
1051
1052				// Namespace specifies resource namespace.
1053				"namespace"?: string
1054
1055				// OrphanDownstreamOnPolicyDelete controls whether generated
1056				// resources should be deleted when the rule that generated
1057				// them is deleted with synchronization enabled. This option is
1058				// only applicable to generate rules of the data type.
1059				// See
1060				// https://kyverno.io/docs/writing-policies/generate/#data-examples.
1061				// Defaults to "false" if not specified.
1062				"orphanDownstreamOnPolicyDelete"?: bool
1063
1064				// Synchronize controls if generated resources should be kept
1065				// in-sync with their source resource.
1066				// If Synchronize is set to "true" changes to generated resources
1067				// will be overwritten with resource
1068				// data from Data or the resource specified in the Clone
1069				// declaration.
1070				// Optional. Defaults to "false" if not specified.
1071				"synchronize"?: bool
1072
1073				// UID specifies the resource uid.
1074				"uid"?: string
1075			}
1076
1077			// ImageExtractors defines a mapping from kinds to
1078			// ImageExtractorConfigs.
1079			// This config is only valid for verifyImages rules.
1080			"imageExtractors"?: {
1081				[string]: [...{
1082					// JMESPath is an optional JMESPath expression to apply to the
1083					// image value.
1084					// This is useful when the extracted image begins with a prefix
1085					// like 'docker://'.
1086					// The 'trim_prefix' function may be used to trim the prefix:
1087					// trim_prefix(@, 'docker://').
1088					// Note - Image digest mutation may not be used when applying a
1089					// JMESPath to an image.
1090					"jmesPath"?: string
1091
1092					// Key is an optional name of the field within 'path' that will be
1093					// used to uniquely identify an image.
1094					// Note - this field MUST be unique.
1095					"key"?: string
1096
1097					// Name is the entry the image will be available under
1098					// 'images.<name>' in the context.
1099					// If this field is not defined, image entries will appear under
1100					// 'images.custom'.
1101					"name"?: string
1102
1103					// Path is the path to the object containing the image field in a
1104					// custom resource.
1105					// It should be slash-separated. Each slash-separated key must be
1106					// a valid YAML key or a wildcard '*'.
1107					// Wildcard keys are expanded in case of arrays or objects.
1108					"path"!: string
1109
1110					// Value is an optional name of the field within 'path' that
1111					// points to the image URI.
1112					// This is useful when a custom 'key' is also defined.
1113					"value"?: string
1114				}]
1115			}
1116
1117			// MatchResources defines when this policy rule should be applied.
1118			// The match
1119			// criteria can include resource information (e.g. kind, name,
1120			// namespace, labels)
1121			// and admission review request information like the user name or
1122			// role.
1123			// At least one kind is required.
1124			"match"!: matchN(0, [null | bool | number | string | [...] | {
1125				"any"!: _
1126				"all"!: _
1127			}]) & {
1128				// All allows specifying resources which will be ANDed
1129				"all"?: [...{
1130					// ClusterRoles is the list of cluster-wide role names for the
1131					// user.
1132					"clusterRoles"?: [...string]
1133
1134					// ResourceDescription contains information about the resource
1135					// being created or modified.
1136					"resources"?: matchN(0, [null | bool | number | string | [...] | {
1137						"name"!:  _
1138						"names"!: _
1139					}]) & {
1140						// Annotations is a map of annotations (key-value pairs of type
1141						// string). Annotation keys
1142						// and values support the wildcard characters "*" (matches zero or
1143						// many characters) and
1144						// "?" (matches at least one character).
1145						"annotations"?: [string]: string
1146
1147						// Kinds is a list of resource kinds.
1148						"kinds"?: [...string]
1149
1150						// Name is the name of the resource. The name supports wildcard
1151						// characters
1152						// "*" (matches zero or many characters) and "?" (at least one
1153						// character).
1154						// NOTE: "Name" is being deprecated in favor of "Names".
1155						"name"?: string
1156
1157						// Names are the names of the resources. Each name supports
1158						// wildcard characters
1159						// "*" (matches zero or many characters) and "?" (at least one
1160						// character).
1161						"names"?: [...string]
1162
1163						// NamespaceSelector is a label selector for the resource
1164						// namespace. Label keys and values
1165						// in `matchLabels` support the wildcard characters `*` (matches
1166						// zero or many characters)
1167						// and `?` (matches one character). Wildcards allow writing label
1168						// selectors like
1169						// ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
1170						// any key and value but
1171						// does not match an empty label set.
1172						"namespaceSelector"?: {
1173							// matchExpressions is a list of label selector requirements. The
1174							// requirements are ANDed.
1175							"matchExpressions"?: [...{
1176								// key is the label key that the selector applies to.
1177								"key"!: string
1178
1179								// operator represents a key's relationship to a set of values.
1180								// Valid operators are In, NotIn, Exists and DoesNotExist.
1181								"operator"!: string
1182
1183								// values is an array of string values. If the operator is In or
1184								// NotIn,
1185								// the values array must be non-empty. If the operator is Exists
1186								// or DoesNotExist,
1187								// the values array must be empty. This array is replaced during a
1188								// strategic
1189								// merge patch.
1190								"values"?: [...string]
1191							}]
1192
1193							// matchLabels is a map of {key,value} pairs. A single {key,value}
1194							// in the matchLabels
1195							// map is equivalent to an element of matchExpressions, whose key
1196							// field is "key", the
1197							// operator is "In", and the values array contains only "value".
1198							// The requirements are ANDed.
1199							"matchLabels"?: {
1200								[string]: string
1201							}
1202						}
1203
1204						// Namespaces is a list of namespace names. Each name supports
1205						// wildcard characters
1206						// "*" (matches zero or many characters) and "?" (at least one
1207						// character).
1208						"namespaces"?: [...string]
1209
1210						// Operations can contain values ["CREATE", "UPDATE", "CONNECT",
1211						// "DELETE"], which are used to match a specific action.
1212						"operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
1213
1214						// Selector is a label selector. Label keys and values in
1215						// `matchLabels` support the wildcard
1216						// characters `*` (matches zero or many characters) and `?`
1217						// (matches one character).
1218						// Wildcards allow writing label selectors like
1219						// ["storage.k8s.io/*": "*"]. Note that
1220						// using ["*" : "*"] matches any key and value but does not match
1221						// an empty label set.
1222						"selector"?: {
1223							// matchExpressions is a list of label selector requirements. The
1224							// requirements are ANDed.
1225							"matchExpressions"?: [...{
1226								// key is the label key that the selector applies to.
1227								"key"!: string
1228
1229								// operator represents a key's relationship to a set of values.
1230								// Valid operators are In, NotIn, Exists and DoesNotExist.
1231								"operator"!: string
1232
1233								// values is an array of string values. If the operator is In or
1234								// NotIn,
1235								// the values array must be non-empty. If the operator is Exists
1236								// or DoesNotExist,
1237								// the values array must be empty. This array is replaced during a
1238								// strategic
1239								// merge patch.
1240								"values"?: [...string]
1241							}]
1242
1243							// matchLabels is a map of {key,value} pairs. A single {key,value}
1244							// in the matchLabels
1245							// map is equivalent to an element of matchExpressions, whose key
1246							// field is "key", the
1247							// operator is "In", and the values array contains only "value".
1248							// The requirements are ANDed.
1249							"matchLabels"?: {
1250								[string]: string
1251							}
1252						}
1253					}
1254
1255					// Roles is the list of namespaced role names for the user.
1256					"roles"?: [...string]
1257
1258					// Subjects is the list of subject names like users, user groups,
1259					// and service accounts.
1260					"subjects"?: [...{
1261						// APIGroup holds the API group of the referenced subject.
1262						// Defaults to "" for ServiceAccount subjects.
1263						// Defaults to "rbac.authorization.k8s.io" for User and Group
1264						// subjects.
1265						"apiGroup"?: string
1266
1267						// Kind of object being referenced. Values defined by this API
1268						// group are "User", "Group", and "ServiceAccount".
1269						// If the Authorizer does not recognize the kind value, the
1270						// Authorizer should report an error.
1271						"kind"!: string
1272
1273						// Name of the object being referenced.
1274						"name"!: string
1275
1276						// Namespace of the referenced object. If the object kind is
1277						// non-namespace, such as "User" or "Group", and this value is
1278						// not empty
1279						// the Authorizer should report an error.
1280						"namespace"?: string
1281					}]
1282				}]
1283
1284				// Any allows specifying resources which will be ORed
1285				"any"?: [...{
1286					// ClusterRoles is the list of cluster-wide role names for the
1287					// user.
1288					"clusterRoles"?: [...string]
1289
1290					// ResourceDescription contains information about the resource
1291					// being created or modified.
1292					"resources"?: matchN(0, [null | bool | number | string | [...] | {
1293						"name"!:  _
1294						"names"!: _
1295					}]) & {
1296						// Annotations is a map of annotations (key-value pairs of type
1297						// string). Annotation keys
1298						// and values support the wildcard characters "*" (matches zero or
1299						// many characters) and
1300						// "?" (matches at least one character).
1301						"annotations"?: [string]: string
1302
1303						// Kinds is a list of resource kinds.
1304						"kinds"?: [...string]
1305
1306						// Name is the name of the resource. The name supports wildcard
1307						// characters
1308						// "*" (matches zero or many characters) and "?" (at least one
1309						// character).
1310						// NOTE: "Name" is being deprecated in favor of "Names".
1311						"name"?: string
1312
1313						// Names are the names of the resources. Each name supports
1314						// wildcard characters
1315						// "*" (matches zero or many characters) and "?" (at least one
1316						// character).
1317						"names"?: [...string]
1318
1319						// NamespaceSelector is a label selector for the resource
1320						// namespace. Label keys and values
1321						// in `matchLabels` support the wildcard characters `*` (matches
1322						// zero or many characters)
1323						// and `?` (matches one character). Wildcards allow writing label
1324						// selectors like
1325						// ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
1326						// any key and value but
1327						// does not match an empty label set.
1328						"namespaceSelector"?: {
1329							// matchExpressions is a list of label selector requirements. The
1330							// requirements are ANDed.
1331							"matchExpressions"?: [...{
1332								// key is the label key that the selector applies to.
1333								"key"!: string
1334
1335								// operator represents a key's relationship to a set of values.
1336								// Valid operators are In, NotIn, Exists and DoesNotExist.
1337								"operator"!: string
1338
1339								// values is an array of string values. If the operator is In or
1340								// NotIn,
1341								// the values array must be non-empty. If the operator is Exists
1342								// or DoesNotExist,
1343								// the values array must be empty. This array is replaced during a
1344								// strategic
1345								// merge patch.
1346								"values"?: [...string]
1347							}]
1348
1349							// matchLabels is a map of {key,value} pairs. A single {key,value}
1350							// in the matchLabels
1351							// map is equivalent to an element of matchExpressions, whose key
1352							// field is "key", the
1353							// operator is "In", and the values array contains only "value".
1354							// The requirements are ANDed.
1355							"matchLabels"?: {
1356								[string]: string
1357							}
1358						}
1359
1360						// Namespaces is a list of namespace names. Each name supports
1361						// wildcard characters
1362						// "*" (matches zero or many characters) and "?" (at least one
1363						// character).
1364						"namespaces"?: [...string]
1365
1366						// Operations can contain values ["CREATE", "UPDATE", "CONNECT",
1367						// "DELETE"], which are used to match a specific action.
1368						"operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
1369
1370						// Selector is a label selector. Label keys and values in
1371						// `matchLabels` support the wildcard
1372						// characters `*` (matches zero or many characters) and `?`
1373						// (matches one character).
1374						// Wildcards allow writing label selectors like
1375						// ["storage.k8s.io/*": "*"]. Note that
1376						// using ["*" : "*"] matches any key and value but does not match
1377						// an empty label set.
1378						"selector"?: {
1379							// matchExpressions is a list of label selector requirements. The
1380							// requirements are ANDed.
1381							"matchExpressions"?: [...{
1382								// key is the label key that the selector applies to.
1383								"key"!: string
1384
1385								// operator represents a key's relationship to a set of values.
1386								// Valid operators are In, NotIn, Exists and DoesNotExist.
1387								"operator"!: string
1388
1389								// values is an array of string values. If the operator is In or
1390								// NotIn,
1391								// the values array must be non-empty. If the operator is Exists
1392								// or DoesNotExist,
1393								// the values array must be empty. This array is replaced during a
1394								// strategic
1395								// merge patch.
1396								"values"?: [...string]
1397							}]
1398
1399							// matchLabels is a map of {key,value} pairs. A single {key,value}
1400							// in the matchLabels
1401							// map is equivalent to an element of matchExpressions, whose key
1402							// field is "key", the
1403							// operator is "In", and the values array contains only "value".
1404							// The requirements are ANDed.
1405							"matchLabels"?: {
1406								[string]: string
1407							}
1408						}
1409					}
1410
1411					// Roles is the list of namespaced role names for the user.
1412					"roles"?: [...string]
1413
1414					// Subjects is the list of subject names like users, user groups,
1415					// and service accounts.
1416					"subjects"?: [...{
1417						// APIGroup holds the API group of the referenced subject.
1418						// Defaults to "" for ServiceAccount subjects.
1419						// Defaults to "rbac.authorization.k8s.io" for User and Group
1420						// subjects.
1421						"apiGroup"?: string
1422
1423						// Kind of object being referenced. Values defined by this API
1424						// group are "User", "Group", and "ServiceAccount".
1425						// If the Authorizer does not recognize the kind value, the
1426						// Authorizer should report an error.
1427						"kind"!: string
1428
1429						// Name of the object being referenced.
1430						"name"!: string
1431
1432						// Namespace of the referenced object. If the object kind is
1433						// non-namespace, such as "User" or "Group", and this value is
1434						// not empty
1435						// the Authorizer should report an error.
1436						"namespace"?: string
1437					}]
1438				}]
1439			}
1440
1441			// Mutation is used to modify matching resources.
1442			"mutate"?: {
1443				// ForEach applies mutation rules to a list of sub-elements by
1444				// creating a context for each entry in the list and looping over
1445				// it to apply the specified logic.
1446				"foreach"?: [...{
1447					// Context defines variables and data sources that can be used
1448					// during rule execution.
1449					"context"?: [...matchN(1, [{
1450						"configMap"!: _
1451					}, {
1452						"apiCall"!: _
1453					}, {
1454						"imageRegistry"!: _
1455					}, {
1456						"variable"!: _
1457					}, {
1458						"globalReference"!: _
1459					}]) & {
1460						// APICall is an HTTP request to the Kubernetes API server, or
1461						// other JSON web service.
1462						// The data returned is stored in the context with the name for
1463						// the context entry.
1464						"apiCall"?: {
1465							// The data object specifies the POST data sent to the server.
1466							// Only applicable when the method field is set to POST.
1467							"data"?: [...{
1468								// Key is a unique identifier for the data value
1469								"key"!: string
1470
1471								// Value is the data value
1472								"value"!: null | bool | number | string | [...] | {
1473									...
1474								}
1475							}]
1476
1477							// Default is an optional arbitrary JSON object that the context
1478							// value is set to, if the apiCall returns error.
1479							"default"?: null | bool | number | string | [...] | {
1480								...
1481							}
1482
1483							// JMESPath is an optional JSON Match Expression that can be used
1484							// to
1485							// transform the JSON response returned from the server. For
1486							// example
1487							// a JMESPath of "items | length(@)" applied to the API server
1488							// response
1489							// for the URLPath "/apis/apps/v1/deployments" will return the
1490							// total count
1491							// of deployments across all namespaces.
1492							"jmesPath"?: string
1493
1494							// Method is the HTTP request type (GET or POST). Defaults to GET.
1495							"method"?: "GET" | "POST"
1496
1497							// Service is an API call to a JSON web service.
1498							// This is used for non-Kubernetes API server calls.
1499							// It's mutually exclusive with the URLPath field.
1500							"service"?: {
1501								// CABundle is a PEM encoded CA bundle which will be used to
1502								// validate
1503								// the server certificate.
1504								"caBundle"?: string
1505
1506								// Headers is a list of optional HTTP headers to be included in
1507								// the request.
1508								"headers"?: [...{
1509									// Key is the header key
1510									"key"!: string
1511
1512									// Value is the header value
1513									"value"!: string
1514								}]
1515
1516								// URL is the JSON web service URL. A typical form is
1517								// `https://{service}.{namespace}:{port}/{path}`.
1518								"url"!: string
1519							}
1520
1521							// URLPath is the URL path to be used in the HTTP GET or POST
1522							// request to the
1523							// Kubernetes API server (e.g. "/api/v1/namespaces" or
1524							// "/apis/apps/v1/deployments").
1525							// The format required is the same format used by the `kubectl get
1526							// --raw` command.
1527							// See
1528							// https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
1529							// for details.
1530							// It's mutually exclusive with the Service field.
1531							"urlPath"?: string
1532						}
1533
1534						// ConfigMap is the ConfigMap reference.
1535						"configMap"?: {
1536							// Name is the ConfigMap name.
1537							"name"!: string
1538
1539							// Namespace is the ConfigMap namespace.
1540							"namespace"?: string
1541						}
1542
1543						// GlobalContextEntryReference is a reference to a cached global
1544						// context entry.
1545						"globalReference"?: {
1546							// JMESPath is an optional JSON Match Expression that can be used
1547							// to
1548							// transform the JSON response returned from the server. For
1549							// example
1550							// a JMESPath of "items | length(@)" applied to the API server
1551							// response
1552							// for the URLPath "/apis/apps/v1/deployments" will return the
1553							// total count
1554							// of deployments across all namespaces.
1555							"jmesPath"?: string
1556
1557							// Name of the global context entry
1558							"name"!: string
1559						}
1560
1561						// ImageRegistry defines requests to an OCI/Docker V2 registry to
1562						// fetch image
1563						// details.
1564						"imageRegistry"?: {
1565							// ImageRegistryCredentials provides credentials that will be used
1566							// for authentication with registry
1567							"imageRegistryCredentials"?: {
1568								// AllowInsecureRegistry allows insecure access to a registry.
1569								"allowInsecureRegistry"?: bool
1570
1571								// Providers specifies a list of OCI Registry names, whose
1572								// authentication providers are provided.
1573								// It can be of one of these values:
1574								// Each entry must be one of these values:
1575								// default, google, azure, amazon, github.
1576
1577								// Secrets specifies a list of secrets that are provided for
1578								// credentials.
1579								// Secrets must live in the Kyverno namespace.
1580								"secrets"?: [...string]
1581							}
1582
1583							// JMESPath is an optional JSON Match Expression that can be used
1584							// to
1585							// transform the ImageData struct returned as a result of
1586							// processing
1587							// the image reference.
1588							"jmesPath"?: string
1589
1590							// Reference is image reference to a container image in the
1591							// registry.
1592							// Example: ghcr.io/kyverno/kyverno:latest
1593							"reference"!: string
1594						}
1595
1596						// Name is the variable name.
1597						"name"!: string
1598
1599						// Variable defines an arbitrary JMESPath context variable that
1600						// can be defined inline.
1601						"variable"?: {
1602							// Default is an optional arbitrary JSON object that the variable
1603							// may take if the JMESPath
1604							// expression evaluates to nil
1605							"default"?: null | bool | number | string | [...] | {
1606								...
1607							}
1608
1609							// JMESPath is an optional JMESPath Expression that can be used to
1610							// transform the variable.
1611							"jmesPath"?: string
1612
1613							// Value is any arbitrary JSON object representable in YAML or
1614							// JSON form.
1615							"value"?: null | bool | number | string | [...] | {
1616								...
1617							}
1618						}
1619					}]
1620
1621					// Foreach declares a nested foreach iterator
1622					"foreach"?: null | bool | number | string | [...] | {
1623						...
1624					}
1625
1626					// List specifies a JMESPath expression that results in one or
1627					// more elements
1628					// to which the validation logic is applied.
1629					"list"?: string
1630
1631					// Order defines the iteration order on the list.
1632					// Can be Ascending to iterate from first to last element or
1633					// Descending to iterate from last to first element.
1634					"order"?: "Ascending" | "Descending"
1635
1636					// PatchStrategicMerge is a strategic merge patch used to modify
1637					// resources.
1638					// See
1639					// https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
1640					// and
1641					// https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
1642					"patchStrategicMerge"?: null | bool | number | string | [...] | {
1643						...
1644					}
1645
1646					// PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations
1647					// used to modify resources.
1648					// See https://tools.ietf.org/html/rfc6902 and
1649					// https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
1650					"patchesJson6902"?: string
1651
1652					// AnyAllConditions are used to determine if a policy rule should
1653					// be applied by evaluating a
1654					// set of conditions. The declaration can contain nested `any` or
1655					// `all` statements.
1656					// See: https://kyverno.io/docs/writing-policies/preconditions/
1657					"preconditions"?: {
1658						// AllConditions enable variable-based conditional rule execution.
1659						// This is useful for
1660							// finer control of when a rule is applied. A condition can
1661						// reference object data
1662						// using JMESPath notation.
1663						// Here, all of the conditions need to pass
1664						"all"?: [...{
1665							// Key is the context entry (using JMESPath) for conditional rule
1666							// evaluation.
1667							"key"?: null | bool | number | string | [...] | {
1668								...
1669							}
1670
1671							// Message is an optional display message
1672							"message"?: string
1673
1674							// Operator is the conditional operation to perform. Valid
1675							// operators are:
1676							// Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
1677							// GreaterThanOrEquals,
1678							// GreaterThan, LessThanOrEquals, LessThan,
1679							// DurationGreaterThanOrEquals, DurationGreaterThan,
1680							// DurationLessThanOrEquals, DurationLessThan
1681							"operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
1682
1683							// Value is the conditional value, or set of values. The values
1684							// can be fixed set
1685							// or can be variables declared using JMESPath.
1686							"value"?: null | bool | number | string | [...] | {
1687								...
1688							}
1689						}]
1690
1691						// AnyConditions enable variable-based conditional rule execution.
1692						// This is useful for
1693							// finer control of when a rule is applied. A condition can
1694						// reference object data
1695						// using JMESPath notation.
1696							// Here, at least one of the conditions needs to pass
1697						"any"?: [...{
1698							// Key is the context entry (using JMESPath) for conditional rule
1699							// evaluation.
1700							"key"?: null | bool | number | string | [...] | {
1701								...
1702							}
1703
1704							// Message is an optional display message
1705							"message"?: string
1706
1707							// Operator is the conditional operation to perform. Valid
1708							// operators are:
1709							// Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
1710							// GreaterThanOrEquals,
1711							// GreaterThan, LessThanOrEquals, LessThan,
1712							// DurationGreaterThanOrEquals, DurationGreaterThan,
1713							// DurationLessThanOrEquals, DurationLessThan
1714							"operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
1715
1716							// Value is the conditional value, or set of values. The values
1717							// can be fixed set
1718							// or can be variables declared using JMESPath.
1719							"value"?: null | bool | number | string | [...] | {
1720								...
1721							}
1722						}]
1723						...
1724					}
1725				}]
1726
1727				// MutateExistingOnPolicyUpdate controls if the mutateExisting
1728				// rule will be applied on policy events.
1729				"mutateExistingOnPolicyUpdate"?: bool
1730
1731				// PatchStrategicMerge is a strategic merge patch used to modify
1732				// resources.
1733				// See
1734				// https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
1735				// and
1736				// https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
1737				"patchStrategicMerge"?: null | bool | number | string | [...] | {
1738					...
1739				}
1740
1741				// PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations
1742				// used to modify resources.
1743				// See https://tools.ietf.org/html/rfc6902 and
1744				// https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
1745				"patchesJson6902"?: string
1746
1747				// Targets defines the target resources to be mutated.
1748				"targets"?: [...{
1749					// APIVersion specifies resource apiVersion.
1750					"apiVersion"?: string
1751
1752					// Context defines variables and data sources that can be used
1753					// during rule execution.
1754					"context"?: [...matchN(1, [{
1755						"configMap"!: _
1756					}, {
1757						"apiCall"!: _
1758					}, {
1759						"imageRegistry"!: _
1760					}, {
1761						"variable"!: _
1762					}, {
1763						"globalReference"!: _
1764					}]) & {
1765						// APICall is an HTTP request to the Kubernetes API server, or
1766						// other JSON web service.
1767						// The data returned is stored in the context with the name for
1768						// the context entry.
1769						"apiCall"?: {
1770							// The data object specifies the POST data sent to the server.
1771							// Only applicable when the method field is set to POST.
1772							"data"?: [...{
1773								// Key is a unique identifier for the data value
1774								"key"!: string
1775
1776								// Value is the data value
1777								"value"!: null | bool | number | string | [...] | {
1778									...
1779								}
1780							}]
1781
1782							// Default is an optional arbitrary JSON object that the context
1783							// value is set to, if the apiCall returns error.
1784							"default"?: null | bool | number | string | [...] | {
1785								...
1786							}
1787
1788							// JMESPath is an optional JSON Match Expression that can be used
1789							// to
1790							// transform the JSON response returned from the server. For
1791							// example
1792							// a JMESPath of "items | length(@)" applied to the API server
1793							// response
1794							// for the URLPath "/apis/apps/v1/deployments" will return the
1795							// total count
1796							// of deployments across all namespaces.
1797							"jmesPath"?: string
1798
1799							// Method is the HTTP request type (GET or POST). Defaults to GET.
1800							"method"?: "GET" | "POST"
1801
1802							// Service is an API call to a JSON web service.
1803							// This is used for non-Kubernetes API server calls.
1804							// It's mutually exclusive with the URLPath field.
1805							"service"?: {
1806								// CABundle is a PEM encoded CA bundle which will be used to
1807								// validate
1808								// the server certificate.
1809								"caBundle"?: string
1810
1811								// Headers is a list of optional HTTP headers to be included in
1812								// the request.
1813								"headers"?: [...{
1814									// Key is the header key
1815									"key"!: string
1816
1817									// Value is the header value
1818									"value"!: string
1819								}]
1820
1821								// URL is the JSON web service URL. A typical form is
1822								// `https://{service}.{namespace}:{port}/{path}`.
1823								"url"!: string
1824							}
1825
1826							// URLPath is the URL path to be used in the HTTP GET or POST
1827							// request to the
1828							// Kubernetes API server (e.g. "/api/v1/namespaces" or
1829							// "/apis/apps/v1/deployments").
1830							// The format required is the same format used by the `kubectl get
1831							// --raw` command.
1832							// See
1833							// https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
1834							// for details.
1835							// It's mutually exclusive with the Service field.
1836							"urlPath"?: string
1837						}
1838
1839						// ConfigMap is the ConfigMap reference.
1840						"configMap"?: {
1841							// Name is the ConfigMap name.
1842							"name"!: string
1843
1844							// Namespace is the ConfigMap namespace.
1845							"namespace"?: string
1846						}
1847
1848						// GlobalContextEntryReference is a reference to a cached global
1849						// context entry.
1850						"globalReference"?: {
1851							// JMESPath is an optional JSON Match Expression that can be used
1852							// to
1853							// transform the JSON response returned from the server. For
1854							// example
1855							// a JMESPath of "items | length(@)" applied to the API server
1856							// response
1857							// for the URLPath "/apis/apps/v1/deployments" will return the
1858							// total count
1859							// of deployments across all namespaces.
1860							"jmesPath"?: string
1861
1862							// Name of the global context entry
1863							"name"!: string
1864						}
1865
1866						// ImageRegistry defines requests to an OCI/Docker V2 registry to
1867						// fetch image
1868						// details.
1869						"imageRegistry"?: {
1870							// ImageRegistryCredentials provides credentials that will be used
1871							// for authentication with registry
1872							"imageRegistryCredentials"?: {
1873								// AllowInsecureRegistry allows insecure access to a registry.
1874								"allowInsecureRegistry"?: bool
1875
1876								// Providers specifies a list of OCI Registry names, whose
1877								// authentication providers are provided.
1878								// It can be of one of these values:
1879								// default,google,azure,amazon,github.
1880								"providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
1881
1882								// Secrets specifies a list of secrets that are provided for
1883								// credentials.
1884								// Secrets must live in the Kyverno namespace.
1885								"secrets"?: [...string]
1886							}
1887
1888							// JMESPath is an optional JSON Match Expression that can be used
1889							// to
1890							// transform the ImageData struct returned as a result of
1891							// processing
1892							// the image reference.
1893							"jmesPath"?: string
1894
1895							// Reference is image reference to a container image in the
1896							// registry.
1897							// Example: ghcr.io/kyverno/kyverno:latest
1898							"reference"!: string
1899						}
1900
1901						// Name is the variable name.
1902						"name"!: string
1903
1904						// Variable defines an arbitrary JMESPath context variable that
1905						// can be defined inline.
1906						"variable"?: {
1907							// Default is an optional arbitrary JSON object that the variable
1908							// may take if the JMESPath
1909							// expression evaluates to nil
1910							"default"?: null | bool | number | string | [...] | {
1911								...
1912							}
1913
1914							// JMESPath is an optional JMESPath Expression that can be used to
1915							// transform the variable.
1916							"jmesPath"?: string
1917
1918							// Value is any arbitrary JSON object representable in YAML or
1919							// JSON form.
1920							"value"?: null | bool | number | string | [...] | {
1921								...
1922							}
1923						}
1924					}]
1925
1926					// Kind specifies resource kind.
1927					"kind"?: string
1928
1929					// Name specifies the resource name.
1930					"name"?: string
1931
1932					// Namespace specifies resource namespace.
1933					"namespace"?: string
1934
1935					// Preconditions are used to determine if a policy rule should be
1936					// applied by evaluating a
1937					// set of conditions. The declaration can contain nested `any` or
1938					// `all` statements. A direct list
1939					// of conditions (without `any` or `all` statements) is supported
1940					// for backwards compatibility but
1941					// will be deprecated in the next major release.
1942					// See: https://kyverno.io/docs/writing-policies/preconditions/
1943					"preconditions"?: null | bool | number | string | [...] | {
1944						...
1945					}
1946
1947					// Selector allows you to select target resources with their
1948					// labels.
1949					"selector"?: {
1950						// matchExpressions is a list of label selector requirements. The
1951						// requirements are ANDed.
1952						"matchExpressions"?: [...{
1953							// key is the label key that the selector applies to.
1954							"key"!: string
1955
1956							// operator represents a key's relationship to a set of values.
1957							// Valid operators are In, NotIn, Exists and DoesNotExist.
1958							"operator"!: string
1959
1960							// values is an array of string values. If the operator is In or
1961							// NotIn,
1962							// the values array must be non-empty. If the operator is Exists
1963							// or DoesNotExist,
1964							// the values array must be empty. This array is replaced during a
1965							// strategic
1966							// merge patch.
1967							"values"?: [...string]
1968						}]
1969
1970						// matchLabels is a map of {key,value} pairs. A single {key,value}
1971						// in the matchLabels
1972						// map is equivalent to an element of matchExpressions, whose key
1973						// field is "key", the
1974						// operator is "In", and the values array contains only "value".
1975						// The requirements are ANDed.
1976						"matchLabels"?: {
1977							[string]: string
1978						}
1979					}
1980
1981					// UID specifies the resource uid.
1982					"uid"?: string
1983				}]
1984			}
1985
1986			// Name is a label to identify the rule, It must be unique within
1987			// the policy.
1988			"name"!: strings.MaxRunes(
1989					63)
1990
1991			// Preconditions are used to determine if a policy rule should be
1992			// applied by evaluating a
1993			// set of conditions. The declaration can contain nested `any` or
1994			// `all` statements.
1995			// See: https://kyverno.io/docs/writing-policies/preconditions/
1996			"preconditions"?: {
1997				// AllConditions enable variable-based conditional rule execution.
1998				// This is useful for
1999					// finer control of when a rule is applied. A condition can
2000				// reference object data
2001				// using JMESPath notation.
2002				// Here, all of the conditions need to pass.
2003				"all"?: [...{
2004					// Key is the context entry (using JMESPath) for conditional rule
2005					// evaluation.
2006					"key"?: null | bool | number | string | [...] | {
2007						...
2008					}
2009
2010					// Message is an optional display message
2011					"message"?: string
2012
2013					// Operator is the conditional operation to perform. Valid
2014					// operators are:
2015					// Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
2016					// GreaterThanOrEquals,
2017					// GreaterThan, LessThanOrEquals, LessThan,
2018					// DurationGreaterThanOrEquals, DurationGreaterThan,
2019					// DurationLessThanOrEquals, DurationLessThan
2020					"operator"?: "Equals" | "NotEquals" | "AnyIn" | "AllIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
2021
2022					// Value is the conditional value, or set of values. The values
2023					// can be fixed set
2024					// or can be variables declared using JMESPath.
2025					"value"?: null | bool | number | string | [...] | {
2026						...
2027					}
2028				}]
2029
2030				// AnyConditions enable variable-based conditional rule execution.
2031				// This is useful for
2032					// finer control of when a rule is applied. A condition can
2033				// reference object data
2034				// using JMESPath notation.
2035					// Here, at least one of the conditions needs to pass.
2036				"any"?: [...{
2037					// Key is the context entry (using JMESPath) for conditional rule
2038					// evaluation.
2039					"key"?: null | bool | number | string | [...] | {
2040						...
2041					}
2042
2043					// Message is an optional display message
2044					"message"?: string
2045
2046					// Operator is the conditional operation to perform. Valid
2047					// operators are:
2048					// Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
2049					// GreaterThanOrEquals,
2050					// GreaterThan, LessThanOrEquals, LessThan,
2051					// DurationGreaterThanOrEquals, DurationGreaterThan,
2052					// DurationLessThanOrEquals, DurationLessThan
2053					"operator"?: "Equals" | "NotEquals" | "AnyIn" | "AllIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
2054
2055					// Value is the conditional value, or set of values. The values
2056					// can be fixed set
2057					// or can be variables declared using JMESPath.
2058					"value"?: null | bool | number | string | [...] | {
2059						...
2060					}
2061				}]
2062			}
2063
2064			// SkipBackgroundRequests bypasses admission requests that are
2065			// sent by the background controller.
2066			// The default value is set to "true", it must be set to "false"
2067			// to apply
2068			// generate and mutateExisting rules to those requests.
2069			"skipBackgroundRequests"?: bool
2070
2071			// Validation is used to validate matching resources.
2072			"validate"?: {
2073				// AnyPattern specifies list of validation patterns. At least one
2074				// of the patterns
2075				// must be satisfied for the validation rule to succeed.
2076				"anyPattern"?: null | bool | number | string | [...] | {
2077					...
2078				}
2079
2080				// Assert defines a kyverno-json assertion tree.
2081				"assert"?: {
2082					...
2083				}
2084
2085				// CEL allows validation checks using the Common Expression
2086				// Language
2087				// (https://kubernetes.io/docs/reference/using-api/cel/).
2088				"cel"?: {
2089					// AuditAnnotations contains CEL expressions which are used to
2090					// produce audit annotations for the audit event of the API
2091					// request.
2092					"auditAnnotations"?: [...{
2093						// key specifies the audit annotation key. The audit annotation
2094						// keys of
2095						// a ValidatingAdmissionPolicy must be unique. The key must be a
2096						// qualified
2097						// name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in
2098						// length.
2099						//
2100						// The key is combined with the resource name of the
2101						// ValidatingAdmissionPolicy to construct an audit annotation key:
2102						// "{ValidatingAdmissionPolicy name}/{key}".
2103						//
2104						// If an admission webhook uses the same resource name as this
2105						// ValidatingAdmissionPolicy
2106						// and the same audit annotation key, the annotation key will be
2107						// identical.
2108						// In this case, the first annotation written with the key will be
2109						// included
2110						// in the audit event and all subsequent annotations with the same
2111						// key
2112						// will be discarded.
2113						//
2114						// Required.
2115						"key"!: string
2116
2117						// valueExpression represents the expression which is evaluated by
2118						// CEL to
2119						// produce an audit annotation value. The expression must evaluate
2120						// to either
2121						// a string or null value. If the expression evaluates to a
2122						// string, the
2123						// audit annotation is included with the string value. If the
2124						// expression
2125						// evaluates to null or empty string the audit annotation will be
2126						// omitted.
2127						// The valueExpression may be no longer than 5kb in length.
2128						// If the result of the valueExpression is more than 10kb in
2129						// length, it
2130						// will be truncated to 10kb.
2131						//
2132						// If multiple ValidatingAdmissionPolicyBinding resources match an
2133						// API request, then the valueExpression will be evaluated for
2134						// each binding. All unique values produced by the
2135						// valueExpressions
2136						// will be joined together in a comma-separated list.
2137						//
2138						// Required.
2139						"valueExpression"!: string
2140					}]
2141
2142					// Expressions is a list of CELExpression types.
2143					"expressions"?: [...{
2144						// Expression represents the expression which will be evaluated by
2145						// CEL.
2146						// ref: https://github.com/google/cel-spec
2147						// CEL expressions have access to the contents of the API
2148						// request/response, organized into CEL variables as well as some
2149						// other useful variables:
2150						//
2151						// - 'object' - The object from the incoming request. The value is
2152						// null for DELETE requests.
2153						// - 'oldObject' - The existing object. The value is null for
2154						// CREATE requests.
2155						// - 'request' - Attributes of the API
2156						// request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
2157						// - 'params' - Parameter resource referred to by the policy
2158						// binding being evaluated. Only populated if the policy has a
2159						// ParamKind.
2160						// - 'namespaceObject' - The namespace object that the incoming
2161						// object belongs to. The value is null for cluster-scoped
2162						// resources.
2163						// - 'variables' - Map of composited variables, from its name to
2164						// its lazily evaluated value.
2165						// For example, a variable named 'foo' can be accessed as
2166						// 'variables.foo'.
2167						// - 'authorizer' - A CEL Authorizer. May be used to perform
2168						// authorization checks for the principal (user or service
2169						// account) of the request.
2170						// See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
2171						// - 'authorizer.requestResource' - A CEL ResourceCheck
2172						// constructed from the 'authorizer' and configured with the
2173						// request resource.
2174						//
2175						// The `apiVersion`, `kind`, `metadata.name` and
2176						// `metadata.generateName` are always accessible from the root of
2177						// the
2178						// object. No other metadata properties are accessible.
2179						//
2180						// Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
2181						// are accessible.
2182						// Accessible property names are escaped according to the
2183						// following rules when accessed in the expression:
2184						// - '__' escapes to '__underscores__'
2185						// - '.' escapes to '__dot__'
2186						// - '-' escapes to '__dash__'
2187						// - '/' escapes to '__slash__'
2188						// - Property names that exactly match a CEL RESERVED keyword
2189						// escape to '__{keyword}__'. The keywords are:
2190						// "true", "false", "null", "in", "as", "break", "const",
2191						// "continue", "else", "for", "function", "if",
2192						// "import", "let", "loop", "package", "namespace", "return".
2193						// Examples:
2194						// - Expression accessing a property named "namespace":
2195						// {"Expression": "object.__namespace__ > 0"}
2196						// - Expression accessing a property named "x-prop":
2197						// {"Expression": "object.x__dash__prop > 0"}
2198						// - Expression accessing a property named "redact__d":
2199						// {"Expression": "object.redact__underscores__d > 0"}
2200						//
2201						// Equality on arrays with list type of 'set' or 'map' ignores
2202						// element order, i.e. [1, 2] == [2, 1].
2203						// Concatenation on arrays with x-kubernetes-list-type use the
2204						// semantics of the list type:
2205						// - 'set': `X + Y` performs a union where the array positions of
2206						// all elements in `X` are preserved and
2207						// non-intersecting elements in `Y` are appended, retaining their
2208						// partial order.
2209						// - 'map': `X + Y` performs a merge where the array positions of
2210						// all keys in `X` are preserved but the values
2211						// are overwritten by values in `Y` when the key sets of `X` and
2212						// `Y` intersect. Elements in `Y` with
2213						// non-intersecting keys are appended, retaining their partial
2214						// order.
2215						// Required.
2216						"expression"!: string
2217
2218						// Message represents the message displayed when validation fails.
2219						// The message is required if the Expression contains
2220						// line breaks. The message must not contain line breaks.
2221						// If unset, the message is "failed rule: {Rule}".
2222						// e.g. "must be a URL with the host matching spec.host"
2223						// If the Expression contains line breaks. Message is required.
2224						// The message must not contain line breaks.
2225						// If unset, the message is "failed Expression: {Expression}".
2226						"message"?: string
2227
2228						// messageExpression declares a CEL expression that evaluates to
2229						// the validation failure message that is returned when this rule
2230						// fails.
2231						// Since messageExpression is used as a failure message, it must
2232						// evaluate to a string.
2233						// If both message and messageExpression are present on a
2234						// validation, then messageExpression will be used if validation
2235						// fails.
2236						// If messageExpression results in a runtime error, the runtime
2237						// error is logged, and the validation failure message is
2238						// produced
2239						// as if the messageExpression field were unset. If
2240						// messageExpression evaluates to an empty string, a string with
2241						// only spaces, or a string
2242						// that contains line breaks, then the validation failure message
2243						// will also be produced as if the messageExpression field were
2244						// unset, and
2245						// the fact that messageExpression produced an empty string/string
2246						// with only spaces/string with line breaks will be logged.
2247						// messageExpression has access to all the same variables as the
2248						// `expression` except for 'authorizer' and
2249						// 'authorizer.requestResource'.
2250						// Example:
2251						// "object.x must be less than max ("+string(params.max)+")"
2252						"messageExpression"?: string
2253
2254						// Reason represents a machine-readable description of why this
2255						// validation failed.
2256						// If this is the first validation in the list to fail, this
2257						// reason, as well as the
2258						// corresponding HTTP response code, are used in the
2259						// HTTP response to the client.
2260						// The currently supported reasons are: "Unauthorized",
2261						// "Forbidden", "Invalid", "RequestEntityTooLarge".
2262						// If not set, StatusReasonInvalid is used in the response to the
2263						// client.
2264						"reason"?: string
2265					}]
2266
2267					// ParamKind is a tuple of Group Kind and Version.
2268					"paramKind"?: {
2269						// APIVersion is the API group version the resources belong to.
2270						// In format of "group/version".
2271						// Required.
2272						"apiVersion"?: string
2273
2274						// Kind is the API kind the resources belong to.
2275						// Required.
2276						"kind"?: string
2277					}
2278
2279					// ParamRef references a parameter resource.
2280					"paramRef"?: {
2281						// name is the name of the resource being referenced.
2282						//
2283						// One of `name` or `selector` must be set, but `name` and
2284						// `selector` are
2285						// mutually exclusive properties. If one is set, the other must be
2286						// unset.
2287						//
2288						// A single parameter used for all admission requests can be
2289						// configured
2290						// by setting the `name` field, leaving `selector` blank, and
2291						// setting namespace
2292						// if `paramKind` is namespace-scoped.
2293						"name"?: string
2294
2295						// namespace is the namespace of the referenced resource. Allows
2296						// limiting
2297						// the search for params to a specific namespace. Applies to both
2298						// `name` and
2299						// `selector` fields.
2300						//
2301						// A per-namespace parameter may be used by specifying a
2302						// namespace-scoped
2303						// `paramKind` in the policy and leaving this field empty.
2304						//
2305						// - If `paramKind` is cluster-scoped, this field MUST be unset.
2306						// Setting this
2307						// field results in a configuration error.
2308						//
2309						// - If `paramKind` is namespace-scoped, the namespace of the
2310						// object being
2311						// evaluated for admission will be used when this field is left
2312						// unset. Take
2313						// care that if this is left empty the binding must not match any
2314						// cluster-scoped
2315						// resources, which will result in an error.
2316						"namespace"?: string
2317
2318						// `parameterNotFoundAction` controls the behavior of the binding
2319						// when the resource
2320						// exists, and name or selector is valid, but there are no
2321						// parameters
2322						// matched by the binding. If the value is set to `Allow`, then no
2323						// matched parameters will be treated as successful validation by
2324						// the binding.
2325						// If set to `Deny`, then no matched parameters will be subject to
2326						// the
2327						// `failurePolicy` of the policy.
2328						//
2329						// Allowed values are `Allow` or `Deny`
2330						//
2331						// Required
2332						"parameterNotFoundAction"?: string
2333
2334						// selector can be used to match multiple param objects based on
2335						// their labels.
2336						// Supply selector: {} to match all resources of the ParamKind.
2337						//
2338						// If multiple params are found, they are all evaluated with the
2339						// policy expressions
2340						// and the results are ANDed together.
2341						//
2342						// One of `name` or `selector` must be set, but `name` and
2343						// `selector` are
2344						// mutually exclusive properties. If one is set, the other must be
2345						// unset.
2346						"selector"?: {
2347							// matchExpressions is a list of label selector requirements. The
2348							// requirements are ANDed.
2349							"matchExpressions"?: [...{
2350								// key is the label key that the selector applies to.
2351								"key"!: string
2352
2353								// operator represents a key's relationship to a set of values.
2354								// Valid operators are In, NotIn, Exists and DoesNotExist.
2355								"operator"!: string
2356
2357								// values is an array of string values. If the operator is In or
2358								// NotIn,
2359								// the values array must be non-empty. If the operator is Exists
2360								// or DoesNotExist,
2361								// the values array must be empty. This array is replaced during a
2362								// strategic
2363								// merge patch.
2364								"values"?: [...string]
2365							}]
2366
2367							// matchLabels is a map of {key,value} pairs. A single {key,value}
2368							// in the matchLabels
2369							// map is equivalent to an element of matchExpressions, whose key
2370							// field is "key", the
2371							// operator is "In", and the values array contains only "value".
2372							// The requirements are ANDed.
2373							"matchLabels"?: {
2374								[string]: string
2375							}
2376						}
2377					}
2378
2379					// Variables contain definitions of variables that can be used in
2380					// composition of other expressions.
2381					// Each variable is defined as a named CEL expression.
2382					// The variables defined here will be available under `variables`
2383					// in other expressions of the policy.
2384					"variables"?: [...{
2385						// Expression is the expression that will be evaluated as the
2386						// value of the variable.
2387						// The CEL expression has access to the same identifiers as the
2388						// CEL expressions in Validation.
2389						"expression"!: string
2390
2391						// Name is the name of the variable. The name must be a valid CEL
2392						// identifier and unique among all variables.
2393						// The variable can be accessed in other expressions through
2394						// `variables`
2395						// For example, if name is "foo", the variable will be available
2396						// as `variables.foo`
2397						"name"!: string
2398					}]
2399				}
2400
2401				// Deny defines conditions used to pass or fail a validation rule.
2402				"deny"?: {
2403					// Multiple conditions can be declared under an `any` or `all`
2404					// statement.
2405					// See:
2406					// https://kyverno.io/docs/writing-policies/validate/#deny-rules
2407					"conditions"?: {
2408						// AllConditions enable variable-based conditional rule execution.
2409						// This is useful for
						// finer control of when a rule is applied. A condition can
2411						// reference object data
2412						// using JMESPath notation.
2413						// Here, all of the conditions need to pass.
2414						"all"?: [...{
2415							// Key is the context entry (using JMESPath) for conditional rule
2416							// evaluation.
2417							"key"?: null | bool | number | string | [...] | {
2418								...
2419							}
2420
2421							// Message is an optional display message
2422							"message"?: string
2423
							// Operator is the conditional operation to perform. Valid
							// operators are:
							// Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
							// GreaterThanOrEquals,
							// GreaterThan, LessThanOrEquals, LessThan,
							// DurationGreaterThanOrEquals, DurationGreaterThan,
							// DurationLessThanOrEquals, DurationLessThan
							// NOTE: although `In` and `NotIn` are listed above, the enum on
							// the next line does not accept them for deny conditions (the
							// `preconditions` operator enum does). A deny rule using them
							// fails schema validation; use AnyIn/AllIn or AnyNotIn/AllNotIn.
2431							"operator"?: "Equals" | "NotEquals" | "AnyIn" | "AllIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
2432
2433							// Value is the conditional value, or set of values. The values
2434							// can be fixed set
2435							// or can be variables declared using JMESPath.
2436							"value"?: null | bool | number | string | [...] | {
2437								...
2438							}
2439						}]
2440
2441						// AnyConditions enable variable-based conditional rule execution.
2442						// This is useful for
						// finer control of when a rule is applied. A condition can
2444						// reference object data
2445						// using JMESPath notation.
2446						// Here, at least one of the conditions need to pass.
2447						"any"?: [...{
2448							// Key is the context entry (using JMESPath) for conditional rule
2449							// evaluation.
2450							"key"?: null | bool | number | string | [...] | {
2451								...
2452							}
2453
2454							// Message is an optional display message
2455							"message"?: string
2456
							// Operator is the conditional operation to perform. Valid
							// operators are:
							// Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
							// GreaterThanOrEquals,
							// GreaterThan, LessThanOrEquals, LessThan,
							// DurationGreaterThanOrEquals, DurationGreaterThan,
							// DurationLessThanOrEquals, DurationLessThan
							// NOTE: although `In` and `NotIn` are listed above, the enum on
							// the next line does not accept them for deny conditions (the
							// `preconditions` operator enum does). A deny rule using them
							// fails schema validation; use AnyIn/AllIn or AnyNotIn/AllNotIn.
2464							"operator"?: "Equals" | "NotEquals" | "AnyIn" | "AllIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
2465
2466							// Value is the conditional value, or set of values. The values
2467							// can be fixed set
2468							// or can be variables declared using JMESPath.
2469							"value"?: null | bool | number | string | [...] | {
2470								...
2471							}
2472						}]
2473					}
2474				}
2475
2476				// FailureAction defines if a validation policy rule violation
2477				// should block
2478				// the admission review request (Enforce), or allow (Audit) the
2479				// admission review request
2480				// and report an error in a policy report. Optional.
2481				// Allowed values are Audit or Enforce.
2482				"failureAction"?: "Audit" | "Enforce"
2483
2484				// FailureActionOverrides is a Cluster Policy attribute that
2485				// specifies FailureAction
2486				// namespace-wise. It overrides FailureAction for the specified
2487				// namespaces.
2488				"failureActionOverrides"?: [...{
2489					// ValidationFailureAction defines the policy validation failure
2490					// action
2491					"action"?: "audit" | "enforce" | "Audit" | "Enforce"
2492
2493					// A label selector is a label query over a set of resources. The
2494					// result of matchLabels and
2495					// matchExpressions are ANDed. An empty label selector matches all
2496					// objects. A null
2497					// label selector matches no objects.
2498					"namespaceSelector"?: {
2499						// matchExpressions is a list of label selector requirements. The
2500						// requirements are ANDed.
2501						"matchExpressions"?: [...{
2502							// key is the label key that the selector applies to.
2503							"key"!: string
2504
2505							// operator represents a key's relationship to a set of values.
2506							// Valid operators are In, NotIn, Exists and DoesNotExist.
2507							"operator"!: string
2508
2509							// values is an array of string values. If the operator is In or
2510							// NotIn,
2511							// the values array must be non-empty. If the operator is Exists
2512							// or DoesNotExist,
2513							// the values array must be empty. This array is replaced during a
2514							// strategic
2515							// merge patch.
2516							"values"?: [...string]
2517						}]
2518
2519						// matchLabels is a map of {key,value} pairs. A single {key,value}
2520						// in the matchLabels
2521						// map is equivalent to an element of matchExpressions, whose key
2522						// field is "key", the
2523						// operator is "In", and the values array contains only "value".
2524						// The requirements are ANDed.
2525						"matchLabels"?: {
2526							[string]: string
2527						}
2528					}
2529					"namespaces"?: [...string]
2530				}]
2531
2532				// ForEach applies validate rules to a list of sub-elements by
2533				// creating a context for each entry in the list and looping over
2534				// it to apply the specified logic.
2535				"foreach"?: [...{
2536					// AnyPattern specifies list of validation patterns. At least one
2537					// of the patterns
2538					// must be satisfied for the validation rule to succeed.
2539					"anyPattern"?: null | bool | number | string | [...] | {
2540						...
2541					}
2542
2543					// Context defines variables and data sources that can be used
2544					// during rule execution.
2545					"context"?: [...matchN(1, [{
2546						"configMap"!: _
2547					}, {
2548						"apiCall"!: _
2549					}, {
2550						"imageRegistry"!: _
2551					}, {
2552						"variable"!: _
2553					}, {
2554						"globalReference"!: _
2555					}]) & {
2556						// APICall is an HTTP request to the Kubernetes API server, or
2557						// other JSON web service.
2558						// The data returned is stored in the context with the name for
2559						// the context entry.
2560						"apiCall"?: {
2561							// The data object specifies the POST data sent to the server.
2562							// Only applicable when the method field is set to POST.
2563							"data"?: [...{
2564								// Key is a unique identifier for the data value
2565								"key"!: string
2566
2567								// Value is the data value
2568								"value"!: null | bool | number | string | [...] | {
2569									...
2570								}
2571							}]
2572
2573							// Default is an optional arbitrary JSON object that the context
2574							// value is set to, if the apiCall returns error.
2575							"default"?: null | bool | number | string | [...] | {
2576								...
2577							}
2578
2579							// JMESPath is an optional JSON Match Expression that can be used
2580							// to
2581							// transform the JSON response returned from the server. For
2582							// example
2583							// a JMESPath of "items | length(@)" applied to the API server
2584							// response
2585							// for the URLPath "/apis/apps/v1/deployments" will return the
2586							// total count
2587							// of deployments across all namespaces.
2588							"jmesPath"?: string
2589
2590							// Method is the HTTP request type (GET or POST). Defaults to GET.
2591							"method"?: "GET" | "POST"
2592
2593							// Service is an API call to a JSON web service.
2594							// This is used for non-Kubernetes API server calls.
2595							// It's mutually exclusive with the URLPath field.
2596							"service"?: {
2597								// CABundle is a PEM encoded CA bundle which will be used to
2598								// validate
2599								// the server certificate.
2600								"caBundle"?: string
2601
2602								// Headers is a list of optional HTTP headers to be included in
2603								// the request.
2604								"headers"?: [...{
2605									// Key is the header key
2606									"key"!: string
2607
2608									// Value is the header value
2609									"value"!: string
2610								}]
2611
								// URL is the JSON web service URL. A typical form is
								// `https://{service}.{namespace}:{port}/{path}`.
								// The response feeds policy decisions, so use an `https` URL
								// and set `caBundle` so the server is authenticated; the
								// schema itself does not restrict the scheme.
2614								"url"!: string
2615							}
2616
2617							// URLPath is the URL path to be used in the HTTP GET or POST
2618							// request to the
2619							// Kubernetes API server (e.g. "/api/v1/namespaces" or
2620							// "/apis/apps/v1/deployments").
2621							// The format required is the same format used by the `kubectl get
2622							// --raw` command.
2623							// See
2624							// https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
2625							// for details.
2626							// It's mutually exclusive with the Service field.
2627							"urlPath"?: string
2628						}
2629
2630						// ConfigMap is the ConfigMap reference.
2631						"configMap"?: {
2632							// Name is the ConfigMap name.
2633							"name"!: string
2634
2635							// Namespace is the ConfigMap namespace.
2636							"namespace"?: string
2637						}
2638
2639						// GlobalContextEntryReference is a reference to a cached global
2640						// context entry.
2641						"globalReference"?: {
2642							// JMESPath is an optional JSON Match Expression that can be used
2643							// to
2644							// transform the JSON response returned from the server. For
2645							// example
2646							// a JMESPath of "items | length(@)" applied to the API server
2647							// response
2648							// for the URLPath "/apis/apps/v1/deployments" will return the
2649							// total count
2650							// of deployments across all namespaces.
2651							"jmesPath"?: string
2652
2653							// Name of the global context entry
2654							"name"!: string
2655						}
2656
2657						// ImageRegistry defines requests to an OCI/Docker V2 registry to
2658						// fetch image
2659						// details.
2660						"imageRegistry"?: {
2661							// ImageRegistryCredentials provides credentials that will be used
2662							// for authentication with registry
2663							"imageRegistryCredentials"?: {
								// AllowInsecureRegistry allows insecure access to a registry.
								// When true, the registry connection is not protected by the
								// usual transport-security checks, so image data fetched this
								// way cannot be trusted to be unmodified in transit. Leave
								// unset (false) for production clusters.
2665								"allowInsecureRegistry"?: bool
2666
2667								// Providers specifies a list of OCI Registry names, whose
2668								// authentication providers are provided.
2669								// It can be of one of these values:
2670								// default,google,azure,amazon,github.
2671								"providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
2672
2673								// Secrets specifies a list of secrets that are provided for
2674								// credentials.
2675								// Secrets must live in the Kyverno namespace.
2676								"secrets"?: [...string]
2677							}
2678
2679							// JMESPath is an optional JSON Match Expression that can be used
2680							// to
2681							// transform the ImageData struct returned as a result of
2682							// processing
2683							// the image reference.
2684							"jmesPath"?: string
2685
2686							// Reference is image reference to a container image in the
2687							// registry.
2688							// Example: ghcr.io/kyverno/kyverno:latest
2689							"reference"!: string
2690						}
2691
2692						// Name is the variable name.
2693						"name"!: string
2694
2695						// Variable defines an arbitrary JMESPath context variable that
2696						// can be defined inline.
2697						"variable"?: {
2698							// Default is an optional arbitrary JSON object that the variable
2699							// may take if the JMESPath
2700							// expression evaluates to nil
2701							"default"?: null | bool | number | string | [...] | {
2702								...
2703							}
2704
2705							// JMESPath is an optional JMESPath Expression that can be used to
2706							// transform the variable.
2707							"jmesPath"?: string
2708
2709							// Value is any arbitrary JSON object representable in YAML or
2710							// JSON form.
2711							"value"?: null | bool | number | string | [...] | {
2712								...
2713							}
2714						}
2715					}]
2716
2717					// Deny defines conditions used to pass or fail a validation rule.
2718					"deny"?: {
2719						// Multiple conditions can be declared under an `any` or `all`
2720						// statement. A direct list
2721						// of conditions (without `any` or `all` statements) is also
2722						// supported for backwards compatibility
2723						// but will be deprecated in the next major release.
2724						// See:
2725						// https://kyverno.io/docs/writing-policies/validate/#deny-rules
2726						"conditions"?: null | bool | number | string | [...] | {
2727							...
2728						}
2729					}
2730
2731					// ElementScope specifies whether to use the current list element
2732					// as the scope for validation. Defaults to "true" if not
2733					// specified.
2734					// When set to "false", "request.object" is used as the validation
2735					// scope within the foreach
2736					// block to allow referencing other elements in the subtree.
2737					"elementScope"?: bool
2738
2739					// Foreach declares a nested foreach iterator
2740					"foreach"?: null | bool | number | string | [...] | {
2741						...
2742					}
2743
2744					// List specifies a JMESPath expression that results in one or
2745					// more elements
2746					// to which the validation logic is applied.
2747					"list"?: string
2748
2749					// Pattern specifies an overlay-style pattern used to check
2750					// resources.
2751					"pattern"?: null | bool | number | string | [...] | {
2752						...
2753					}
2754
2755					// AnyAllConditions are used to determine if a policy rule should
2756					// be applied by evaluating a
2757					// set of conditions. The declaration can contain nested `any` or
2758					// `all` statements.
2759					// See: https://kyverno.io/docs/writing-policies/preconditions/
2760					"preconditions"?: {
2761						// AllConditions enable variable-based conditional rule execution.
2762						// This is useful for
						// finer control of when a rule is applied. A condition can
2764						// reference object data
2765						// using JMESPath notation.
2766						// Here, all of the conditions need to pass
2767						"all"?: [...{
2768							// Key is the context entry (using JMESPath) for conditional rule
2769							// evaluation.
2770							"key"?: null | bool | number | string | [...] | {
2771								...
2772							}
2773
2774							// Message is an optional display message
2775							"message"?: string
2776
2777							// Operator is the conditional operation to perform. Valid
2778							// operators are:
2779							// Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
2780							// GreaterThanOrEquals,
2781							// GreaterThan, LessThanOrEquals, LessThan,
2782							// DurationGreaterThanOrEquals, DurationGreaterThan,
2783							// DurationLessThanOrEquals, DurationLessThan
2784							"operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
2785
2786							// Value is the conditional value, or set of values. The values
2787							// can be fixed set
2788							// or can be variables declared using JMESPath.
2789							"value"?: null | bool | number | string | [...] | {
2790								...
2791							}
2792						}]
2793
2794						// AnyConditions enable variable-based conditional rule execution.
2795						// This is useful for
						// finer control of when a rule is applied. A condition can
2797						// reference object data
2798						// using JMESPath notation.
2799						// Here, at least one of the conditions need to pass
2800						"any"?: [...{
2801							// Key is the context entry (using JMESPath) for conditional rule
2802							// evaluation.
2803							"key"?: null | bool | number | string | [...] | {
2804								...
2805							}
2806
2807							// Message is an optional display message
2808							"message"?: string
2809
2810							// Operator is the conditional operation to perform. Valid
2811							// operators are:
2812							// Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
2813							// GreaterThanOrEquals,
2814							// GreaterThan, LessThanOrEquals, LessThan,
2815							// DurationGreaterThanOrEquals, DurationGreaterThan,
2816							// DurationLessThanOrEquals, DurationLessThan
2817							"operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
2818
2819							// Value is the conditional value, or set of values. The values
2820							// can be fixed set
2821							// or can be variables declared using JMESPath.
2822							"value"?: null | bool | number | string | [...] | {
2823								...
2824							}
2825						}]
2826						...
2827					}
2828				}]
2829
2830				// Manifest specifies conditions for manifest verification
2831				"manifests"?: {
2832					// AnnotationDomain is custom domain of annotation for message and
2833					// signature. Default is "cosign.sigstore.dev".
2834					"annotationDomain"?: string
2835
2836					// Attestors specified the required attestors (i.e. authorities)
2837					"attestors"?: [...{
2838						// Count specifies the required number of entries that must match.
2839						// If the count is null, all entries must match
2840						// (a logical AND). If the count is 1, at least one entry must
2841						// match (a logical OR). If the count contains a
2842						// value N, then N must be less than or equal to the size of
2843						// entries, and at least N entries must match.
2844						"count"?: int & >=1
2845
2846						// Entries contains the available attestors. An attestor can be a
2847						// static key,
2848						// attributes for keyless verification, or a nested attestor
2849						// declaration.
2850						"entries"?: [...{
2851							// Annotations are used for image verification.
2852							// Every specified key-value pair must exist and match in the
2853							// verified payload.
2854							// The payload may contain other key-value pairs.
2855							"annotations"?: [string]: string
2856
2857							// Attestor is a nested set of Attestor used to specify a more
2858							// complex set of match authorities.
2859							"attestor"?: null | bool | number | string | [...] | {
2860								...
2861							}
2862
2863							// Certificates specifies one or more certificates.
2864							"certificates"?: {
2865								// Cert is an optional PEM-encoded public certificate.
2866								"cert"?: string
2867
2868								// CertChain is an optional PEM encoded set of certificates used
2869								// to verify.
2870								"certChain"?: string
2871
2872								// CTLog (certificate timestamp log) provides a configuration for
2873								// validation of Signed Certificate
2874								// Timestamps (SCTs). If the value is unset, the default behavior
2875								// by Cosign is used.
2876								"ctlog"?: {
2877									// IgnoreSCT defines whether to use the Signed Certificate
2878									// Timestamp (SCT) log to check for a certificate
2879									// timestamp. Default is false. Set to true if this was opted out
2880									// during signing.
2881									"ignoreSCT"?: bool
2882
2883									// PubKey, if set, is used to validate SCTs against a custom
2884									// source.
2885									"pubkey"?: string
2886
2887									// TSACertChain, if set, is the PEM-encoded certificate chain file
2888									// for the RFC3161 timestamp authority. Must
2889									// contain the root CA certificate. Optionally may contain
2890									// intermediate CA certificates, and
2891									// may contain the leaf TSA certificate if not present in the
									// timestamp source.
2893									"tsaCertChain"?: string
2894								}
2895
2896								// Rekor provides configuration for the Rekor transparency log
2897								// service. If an empty object
2898								// is provided the public instance of Rekor
2899								// (https://rekor.sigstore.dev) is used.
2900								"rekor"?: {
									// IgnoreTlog skips transparency log verification. When true,
									// there is no check that the signature was recorded in Rekor,
									// which removes the public audit trail for the signing event.
									// Only set this for signatures that were deliberately created
									// without transparency log upload.
2902									"ignoreTlog"?: bool
2903
2904									// RekorPubKey is an optional PEM-encoded public key to use for a
2905									// custom Rekor.
2906									// If set, this will be used to validate transparency log
2907									// signatures from a custom Rekor.
2908									"pubkey"?: string
2909
2910									// URL is the address of the transparency log. Defaults to the
2911									// public Rekor log instance https://rekor.sigstore.dev.
2912									"url"?: string
2913								}
2914							}
2915
2916							// Keyless is a set of attribute used to verify a Sigstore keyless
2917							// attestor.
2918							// See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
2919							"keyless"?: {
2920								// AdditionalExtensions are certificate-extensions used for
2921								// keyless signing.
2922								"additionalExtensions"?: [string]: string
2923
2924								// CTLog (certificate timestamp log) provides a configuration for
2925								// validation of Signed Certificate
2926								// Timestamps (SCTs). If the value is unset, the default behavior
2927								// by Cosign is used.
2928								"ctlog"?: {
2929									// IgnoreSCT defines whether to use the Signed Certificate
2930									// Timestamp (SCT) log to check for a certificate
2931									// timestamp. Default is false. Set to true if this was opted out
2932									// during signing.
2933									"ignoreSCT"?: bool
2934
2935									// PubKey, if set, is used to validate SCTs against a custom
2936									// source.
2937									"pubkey"?: string
2938
2939									// TSACertChain, if set, is the PEM-encoded certificate chain file
2940									// for the RFC3161 timestamp authority. Must
2941									// contain the root CA certificate. Optionally may contain
2942									// intermediate CA certificates, and
2943									// may contain the leaf TSA certificate if not present in the
									// timestamp source.
2945									"tsaCertChain"?: string
2946								}
2947
2948								// Issuer is the certificate issuer used for keyless signing.
2949								"issuer"?: string
2950
2951								// IssuerRegExp is the regular expression to match certificate
2952								// issuer used for keyless signing.
2953								"issuerRegExp"?: string
2954
2955								// Rekor provides configuration for the Rekor transparency log
2956								// service. If an empty object
2957								// is provided the public instance of Rekor
2958								// (https://rekor.sigstore.dev) is used.
2959								"rekor"?: {
									// IgnoreTlog skips transparency log verification. When true,
									// there is no check that the signature was recorded in Rekor,
									// which removes the public audit trail for the signing event.
									// Only set this for signatures that were deliberately created
									// without transparency log upload.
2961									"ignoreTlog"?: bool
2962
2963									// RekorPubKey is an optional PEM-encoded public key to use for a
2964									// custom Rekor.
2965									// If set, this will be used to validate transparency log
2966									// signatures from a custom Rekor.
2967									"pubkey"?: string
2968
2969									// URL is the address of the transparency log. Defaults to the
2970									// public Rekor log instance https://rekor.sigstore.dev.
2971									"url"?: string
2972								}
2973
2974								// Roots is an optional set of PEM encoded trusted root
2975								// certificates.
2976								// If not provided, the system roots are used.
2977								"roots"?: string
2978
2979								// Subject is the verified identity used for keyless signing, for
2980								// example the email address.
2981								"subject"?: string
2982
2983								// SubjectRegExp is the regular expression to match identity used
2984								// for keyless signing, for example the email address.
2985								"subjectRegExp"?: string
2986							}
2987
2988							// Keys specifies one or more public keys.
2989							"keys"?: {
2990								// CTLog (certificate timestamp log) provides a configuration for
2991								// validation of Signed Certificate
2992								// Timestamps (SCTs). If the value is unset, the default behavior
2993								// by Cosign is used.
2994								"ctlog"?: {
2995									// IgnoreSCT defines whether to use the Signed Certificate
2996									// Timestamp (SCT) log to check for a certificate
2997									// timestamp. Default is false. Set to true if this was opted out
2998									// during signing.
2999									"ignoreSCT"?: bool
3000
3001									// PubKey, if set, is used to validate SCTs against a custom
3002									// source.
3003									"pubkey"?: string
3004
3005									// TSACertChain, if set, is the PEM-encoded certificate chain file
3006									// for the RFC3161 timestamp authority. Must
3007									// contain the root CA certificate. Optionally may contain
3008									// intermediate CA certificates, and
3009									// may contain the leaf TSA certificate if not present in the
									// timestamp source.
3011									"tsaCertChain"?: string
3012								}
3013
3014								// KMS provides the URI to the public key stored in a Key
3015								// Management System. See:
3016								// https://github.com/sigstore/cosign/blob/main/KMS.md
3017								"kms"?: string
3018
3019								// Keys is a set of X.509 public keys used to verify image
3020								// signatures. The keys can be directly
3021								// specified or can be a variable reference to a key specified in
3022								// a ConfigMap (see
3023								// https://kyverno.io/docs/writing-policies/variables/), or
3024								// reference a standard Kubernetes Secret
3025								// elsewhere in the cluster by specifying it in the format
3026								// "k8s://<namespace>/<secret_name>".
3027								// The named Secret must specify a key `cosign.pub` containing the
3028								// public key used for
3029								// verification, (see
3030								// https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
3031								// When multiple keys are specified each key is processed as a
3032								// separate staticKey entry
3033								// (.attestors[*].entries.keys) within the set of attestors and
3034								// the count is applied across the keys.
3035								"publicKeys"?: string
3036
3037								// Rekor provides configuration for the Rekor transparency log
3038								// service. If an empty object
3039								// is provided the public instance of Rekor
3040								// (https://rekor.sigstore.dev) is used.
3041								"rekor"?: {
									// IgnoreTlog skips transparency log verification. When true,
									// there is no check that the signature was recorded in Rekor,
									// which removes the public audit trail for the signing event.
									// Only set this for signatures that were deliberately created
									// without transparency log upload.
3043									"ignoreTlog"?: bool
3044
3045									// RekorPubKey is an optional PEM-encoded public key to use for a
3046									// custom Rekor.
3047									// If set, this will be used to validate transparency log
3048									// signatures from a custom Rekor.
3049									"pubkey"?: string
3050
3051									// URL is the address of the transparency log. Defaults to the
3052									// public Rekor log instance https://rekor.sigstore.dev.
3053									"url"?: string
3054								}
3055
3056								// Reference to a Secret resource that contains a public key
3057								"secret"?: {
3058									// Name of the secret. The provided secret must contain a key
3059									// named cosign.pub.
3060									"name"!: string
3061
3062									// Namespace name where the Secret exists.
3063									"namespace"!: string
3064								}
3065
3066								// Deprecated. Use attestor.signatureAlgorithm instead.
3067								"signatureAlgorithm"?: string
3068							}
3069
3070							// Repository is an optional alternate OCI repository to use for
3071							// signatures and attestations that match this rule.
3072							// If specified Repository will override other OCI image
3073							// repository locations for this Attestor.
3074							"repository"?: string
3075
3076							// Specify signature algorithm for public keys. Supported values
3077							// are sha224, sha256, sha384 and sha512.
3078							"signatureAlgorithm"?: string
3079						}]
3080					}]
3081
3082					// DryRun configuration
3083					"dryRun"?: {
3084						"enable"?:    bool
3085						"namespace"?: string
3086					}
3087
3088					// Fields which will be ignored while comparing manifests.
3089					"ignoreFields"?: [...{
3090						"fields"?: [...string]
3091						"objects"?: [...{
3092							"group"?:     string
3093							"kind"?:      string
3094							"name"?:      string
3095							"namespace"?: string
3096							"version"?:   string
3097						}]
3098					}]
3099
3100					// Repository is an optional alternate OCI repository to use for
3101					// resource bundle reference.
3102					// The repository can be overridden per Attestor or Attestation.
3103					"repository"?: string
3104				}
3105
3106				// Message specifies a custom message to be displayed on failure.
3107				"message"?: string
3108
3109				// Pattern specifies an overlay-style pattern used to check
3110				// resources.
3111				"pattern"?: null | bool | number | string | [...] | {
3112					...
3113				}
3114
3115				// PodSecurity applies exemptions for Kubernetes Pod Security
3116				// admission
3117				// by specifying exclusions for Pod Security Standards controls.
3118				"podSecurity"?: {
3119					// Exclude specifies the Pod Security Standard controls to be
3120					// excluded.
3121					"exclude"?: [...{
3122						// ControlName specifies the name of the Pod Security Standard
3123						// control.
3124						// See:
3125						// https://kubernetes.io/docs/concepts/security/pod-security-standards/
3126						"controlName"!: "HostProcess" | "Host Namespaces" | "Privileged Containers" | "Capabilities" | "HostPath Volumes" | "Host Ports" | "AppArmor" | "SELinux" | "/proc Mount Type" | "Seccomp" | "Sysctls" | "Volume Types" | "Privilege Escalation" | "Running as Non-root" | "Running as Non-root user"
3127
3128						// Images selects matching containers and applies the container
3129						// level PSS.
3130						// Each image is the image name consisting of the registry
3131						// address, repository, image, and tag.
3132						// An empty list matches no containers; PSS checks are applied at the
3133						// pod level only.
3134						// Wildcards ('*' and '?') are allowed. See:
3135						// https://kubernetes.io/docs/concepts/containers/images.
3136						"images"?: [...string]
3137
3138						// RestrictedField selects the field for the given Pod Security
3139						// Standard control.
3140						// When not set, all restricted fields for the control are
3141						// selected.
3142						"restrictedField"?: string
3143
3144						// Values defines the allowed values that can be excluded.
3145						"values"?: [...string]
3146					}]
3147
3148					// Level defines the Pod Security Standard level to be applied to
3149					// workloads.
3150					// Allowed values are privileged, baseline, and restricted.
3151					"level"?: "privileged" | "baseline" | "restricted"
3152
3153					// Version defines the Pod Security Standard versions that
3154					// Kubernetes supports.
3155					// Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24,
3156					// v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest.
3157					"version"?: "v1.19" | "v1.20" | "v1.21" | "v1.22" | "v1.23" | "v1.24" | "v1.25" | "v1.26" | "v1.27" | "v1.28" | "v1.29" | "latest"
3158				}
3159			}
3160
3161			// VerifyImages is used to verify image signatures and mutate them
3162			// to add a digest
3163			"verifyImages"?: [...{
3164				// Attestations are optional checks for signed in-toto Statements
3165				// used to verify the image.
3166				// See https://github.com/in-toto/attestation. Kyverno fetches
3167				// signed attestations from the
3168				// OCI registry and decodes them into a list of Statement
3169				// declarations.
3170				"attestations"?: [...{
3171					// Attestors specify the required attestors (i.e. authorities).
3172					"attestors"?: [...{
3173						// Count specifies the required number of entries that must match.
3174						// If the count is null, all entries must match
3175						// (a logical AND). If the count is 1, at least one entry must
3176						// match (a logical OR). If the count contains a
3177						// value N, then N must be less than or equal to the size of
3178						// entries, and at least N entries must match.
3179						"count"?: int & >=1
3180
3181						// Entries contains the available attestors. An attestor can be a
3182						// static key,
3183						// attributes for keyless verification, or a nested attestor
3184						// declaration.
3185						"entries"?: [...{
3186							// Annotations are used for image verification.
3187							// Every specified key-value pair must exist and match in the
3188							// verified payload.
3189							// The payload may contain other key-value pairs.
3190							"annotations"?: [string]: string
3191
3192							// Attestor is a nested set of Attestor used to specify a more
3193							// complex set of match authorities.
3194							"attestor"?: null | bool | number | string | [...] | {
3195								...
3196							}
3197
3198							// Certificates specifies one or more certificates.
3199							"certificates"?: {
3200								// Cert is an optional PEM-encoded public certificate.
3201								"cert"?: string
3202
3203								// CertChain is an optional PEM encoded set of certificates used
3204								// to verify.
3205								"certChain"?: string
3206
3207								// CTLog (certificate timestamp log) provides a configuration for
3208								// validation of Signed Certificate
3209								// Timestamps (SCTs). If the value is unset, the default behavior
3210								// by Cosign is used.
3211								"ctlog"?: {
3212									// IgnoreSCT defines whether to use the Signed Certificate
3213									// Timestamp (SCT) log to check for a certificate
3214									// timestamp. Default is false. Set to true if this was opted out
3215									// during signing.
3216									"ignoreSCT"?: bool
3217
3218									// PubKey, if set, is used to validate SCTs against a custom
3219									// source.
3220									"pubkey"?: string
3221
3222									// TSACertChain, if set, is the PEM-encoded certificate chain file
3223									// for the RFC3161 timestamp authority. Must
3224									// contain the root CA certificate. Optionally may contain
3225									// intermediate CA certificates, and
3226									// may contain the leaf TSA certificate if not present in the
3227									// timestamp source.
3228									"tsaCertChain"?: string
3229								}
3230
3231								// Rekor provides configuration for the Rekor transparency log
3232								// service. If an empty object
3233								// is provided the public instance of Rekor
3234								// (https://rekor.sigstore.dev) is used.
3235								"rekor"?: {
3236									// IgnoreTlog skips transparency log verification.
3237									"ignoreTlog"?: bool
3238
3239									// RekorPubKey is an optional PEM-encoded public key to use for a
3240									// custom Rekor.
3241									// If set, this will be used to validate transparency log
3242									// signatures from a custom Rekor.
3243									"pubkey"?: string
3244
3245									// URL is the address of the transparency log. Defaults to the
3246									// public Rekor log instance https://rekor.sigstore.dev.
3247									"url"?: string
3248								}
3249							}
3250
3251							// Keyless is a set of attributes used to verify a Sigstore keyless
3252							// attestor.
3253							// See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
3254							"keyless"?: {
3255								// AdditionalExtensions are certificate-extensions used for
3256								// keyless signing.
3257								"additionalExtensions"?: [string]: string
3258
3259								// CTLog (certificate timestamp log) provides a configuration for
3260								// validation of Signed Certificate
3261								// Timestamps (SCTs). If the value is unset, the default behavior
3262								// by Cosign is used.
3263								"ctlog"?: {
3264									// IgnoreSCT defines whether to use the Signed Certificate
3265									// Timestamp (SCT) log to check for a certificate
3266									// timestamp. Default is false. Set to true if this was opted out
3267									// during signing.
3268									"ignoreSCT"?: bool
3269
3270									// PubKey, if set, is used to validate SCTs against a custom
3271									// source.
3272									"pubkey"?: string
3273
3274									// TSACertChain, if set, is the PEM-encoded certificate chain file
3275									// for the RFC3161 timestamp authority. Must
3276									// contain the root CA certificate. Optionally may contain
3277									// intermediate CA certificates, and
3278									// may contain the leaf TSA certificate if not present in the
3279									// timestamp source.
3280									"tsaCertChain"?: string
3281								}
3282
3283								// Issuer is the certificate issuer used for keyless signing.
3284								"issuer"?: string
3285
3286								// IssuerRegExp is the regular expression to match certificate
3287								// issuer used for keyless signing.
3288								"issuerRegExp"?: string
3289
3290								// Rekor provides configuration for the Rekor transparency log
3291								// service. If an empty object
3292								// is provided the public instance of Rekor
3293								// (https://rekor.sigstore.dev) is used.
3294								"rekor"?: {
3295									// IgnoreTlog skips transparency log verification.
3296									"ignoreTlog"?: bool
3297
3298									// RekorPubKey is an optional PEM-encoded public key to use for a
3299									// custom Rekor.
3300									// If set, this will be used to validate transparency log
3301									// signatures from a custom Rekor.
3302									"pubkey"?: string
3303
3304									// URL is the address of the transparency log. Defaults to the
3305									// public Rekor log instance https://rekor.sigstore.dev.
3306									"url"?: string
3307								}
3308
3309								// Roots is an optional set of PEM encoded trusted root
3310								// certificates.
3311								// If not provided, the system roots are used.
3312								"roots"?: string
3313
3314								// Subject is the verified identity used for keyless signing, for
3315								// example the email address.
3316								"subject"?: string
3317
3318								// SubjectRegExp is the regular expression to match identity used
3319								// for keyless signing, for example the email address.
3320								"subjectRegExp"?: string
3321							}
3322
3323							// Keys specifies one or more public keys.
3324							"keys"?: {
3325								// CTLog (certificate timestamp log) provides a configuration for
3326								// validation of Signed Certificate
3327								// Timestamps (SCTs). If the value is unset, the default behavior
3328								// by Cosign is used.
3329								"ctlog"?: {
3330									// IgnoreSCT defines whether to use the Signed Certificate
3331									// Timestamp (SCT) log to check for a certificate
3332									// timestamp. Default is false. Set to true if this was opted out
3333									// during signing.
3334									"ignoreSCT"?: bool
3335
3336									// PubKey, if set, is used to validate SCTs against a custom
3337									// source.
3338									"pubkey"?: string
3339
3340									// TSACertChain, if set, is the PEM-encoded certificate chain file
3341									// for the RFC3161 timestamp authority. Must
3342									// contain the root CA certificate. Optionally may contain
3343									// intermediate CA certificates, and
3344									// may contain the leaf TSA certificate if not present in the
3345									// timestamp source.
3346									"tsaCertChain"?: string
3347								}
3348
3349								// KMS provides the URI to the public key stored in a Key
3350								// Management System. See:
3351								// https://github.com/sigstore/cosign/blob/main/KMS.md
3352								"kms"?: string
3353
3354								// Keys is a set of X.509 public keys used to verify image
3355								// signatures. The keys can be directly
3356								// specified or can be a variable reference to a key specified in
3357								// a ConfigMap (see
3358								// https://kyverno.io/docs/writing-policies/variables/), or
3359								// reference a standard Kubernetes Secret
3360								// elsewhere in the cluster by specifying it in the format
3361								// "k8s://<namespace>/<secret_name>".
3362								// The named Secret must specify a key `cosign.pub` containing the
3363								// public key used for
3364								// verification, (see
3365								// https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
3366								// When multiple keys are specified each key is processed as a
3367								// separate staticKey entry
3368								// (.attestors[*].entries.keys) within the set of attestors and
3369								// the count is applied across the keys.
3370								"publicKeys"?: string
3371
3372								// Rekor provides configuration for the Rekor transparency log
3373								// service. If an empty object
3374								// is provided the public instance of Rekor
3375								// (https://rekor.sigstore.dev) is used.
3376								"rekor"?: {
3377									// IgnoreTlog skips transparency log verification.
3378									"ignoreTlog"?: bool
3379
3380									// RekorPubKey is an optional PEM-encoded public key to use for a
3381									// custom Rekor.
3382									// If set, this will be used to validate transparency log
3383									// signatures from a custom Rekor.
3384									"pubkey"?: string
3385
3386									// URL is the address of the transparency log. Defaults to the
3387									// public Rekor log instance https://rekor.sigstore.dev.
3388									"url"?: string
3389								}
3390
3391								// Reference to a Secret resource that contains a public key
3392								"secret"?: {
3393									// Name of the secret. The provided secret must contain a key
3394									// named cosign.pub.
3395									"name"!: string
3396
3397									// Namespace name where the Secret exists.
3398									"namespace"!: string
3399								}
3400
3401								// Deprecated. Use attestor.signatureAlgorithm instead.
3402								"signatureAlgorithm"?: string
3403							}
3404
3405							// Repository is an optional alternate OCI repository to use for
3406							// signatures and attestations that match this rule.
3407							// If specified Repository will override other OCI image
3408							// repository locations for this Attestor.
3409							"repository"?: string
3410
3411							// Specify signature algorithm for public keys. Supported values
3412							// are sha224, sha256, sha384 and sha512.
3413							"signatureAlgorithm"?: string
3414						}]
3415					}]
3416
3417					// Conditions are used to verify attributes within a Predicate. If
3418					// no Conditions are specified
3419					// the attestation check is satisfied as long as there are predicates
3420					// that match the predicate type.
3421					"conditions"?: [...{
3422						// AllConditions enable variable-based conditional rule execution.
3423						// This is useful for
3424						// finer control of when a rule is applied. A condition can
3425						// reference object data
3426						// using JMESPath notation.
3427						// Here, all of the conditions need to pass
3428						"all"?: [...{
3429							// Key is the context entry (using JMESPath) for conditional rule
3430							// evaluation.
3431							"key"?: null | bool | number | string | [...] | {
3432								...
3433							}
3434
3435							// Message is an optional display message
3436							"message"?: string
3437
3438							// Operator is the conditional operation to perform. Valid
3439							// operators are:
3440							// Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
3441							// GreaterThanOrEquals,
3442							// GreaterThan, LessThanOrEquals, LessThan,
3443							// DurationGreaterThanOrEquals, DurationGreaterThan,
3444							// DurationLessThanOrEquals, DurationLessThan
3445							"operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
3446
3447							// Value is the conditional value, or set of values. The values
3448							// can be fixed set
3449							// or can be variables declared using JMESPath.
3450							"value"?: null | bool | number | string | [...] | {
3451								...
3452							}
3453						}]
3454
3455						// AnyConditions enable variable-based conditional rule execution.
3456						// This is useful for
3457						// finer control of when a rule is applied. A condition can
3458						// reference object data
3459						// using JMESPath notation.
3460						// Here, at least one of the conditions needs to pass
3461						"any"?: [...{
3462							// Key is the context entry (using JMESPath) for conditional rule
3463							// evaluation.
3464							"key"?: null | bool | number | string | [...] | {
3465								...
3466							}
3467
3468							// Message is an optional display message
3469							"message"?: string
3470
3471							// Operator is the conditional operation to perform. Valid
3472							// operators are:
3473							// Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
3474							// GreaterThanOrEquals,
3475							// GreaterThan, LessThanOrEquals, LessThan,
3476							// DurationGreaterThanOrEquals, DurationGreaterThan,
3477							// DurationLessThanOrEquals, DurationLessThan
3478							"operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
3479
3480							// Value is the conditional value, or set of values. The values
3481							// can be fixed set
3482							// or can be variables declared using JMESPath.
3483							"value"?: null | bool | number | string | [...] | {
3484								...
3485							}
3486						}]
3487					}]
3488
3489					// Name is the variable name.
3490					"name"?: string
3491
3492					// Deprecated in favour of 'Type', to be removed soon
3493					"predicateType"?: string
3494
3495					// Type defines the type of attestation contained within the
3496					// Statement.
3497					"type"?: string
3498				}]
3499
3500				// Attestors specify the required attestors (i.e. authorities)
3501				"attestors"?: [...{
3502					// Count specifies the required number of entries that must match.
3503					// If the count is null, all entries must match
3504					// (a logical AND). If the count is 1, at least one entry must
3505					// match (a logical OR). If the count contains a
3506					// value N, then N must be less than or equal to the size of
3507					// entries, and at least N entries must match.
3508					"count"?: int & >=1
3509
3510					// Entries contains the available attestors. An attestor can be a
3511					// static key,
3512					// attributes for keyless verification, or a nested attestor
3513					// declaration.
3514					"entries"?: [...{
3515						// Annotations are used for image verification.
3516						// Every specified key-value pair must exist and match in the
3517						// verified payload.
3518						// The payload may contain other key-value pairs.
3519						"annotations"?: [string]: string
3520
3521						// Attestor is a nested set of Attestor used to specify a more
3522						// complex set of match authorities.
3523						"attestor"?: null | bool | number | string | [...] | {
3524							...
3525						}
3526
3527						// Certificates specifies one or more certificates.
3528						"certificates"?: {
3529							// Cert is an optional PEM-encoded public certificate.
3530							"cert"?: string
3531
3532							// CertChain is an optional PEM encoded set of certificates used
3533							// to verify.
3534							"certChain"?: string
3535
3536							// CTLog (certificate timestamp log) provides a configuration for
3537							// validation of Signed Certificate
3538							// Timestamps (SCTs). If the value is unset, the default behavior
3539							// by Cosign is used.
3540							"ctlog"?: {
3541								// IgnoreSCT defines whether to use the Signed Certificate
3542								// Timestamp (SCT) log to check for a certificate
3543								// timestamp. Default is false. Set to true if this was opted out
3544								// during signing.
3545								"ignoreSCT"?: bool
3546
3547								// PubKey, if set, is used to validate SCTs against a custom
3548								// source.
3549								"pubkey"?: string
3550
3551								// TSACertChain, if set, is the PEM-encoded certificate chain file
3552								// for the RFC3161 timestamp authority. Must
3553								// contain the root CA certificate. Optionally may contain
3554								// intermediate CA certificates, and
3555								// may contain the leaf TSA certificate if not present in the
3556								// timestamp source.
3557								"tsaCertChain"?: string
3558							}
3559
3560							// Rekor provides configuration for the Rekor transparency log
3561							// service. If an empty object
3562							// is provided the public instance of Rekor
3563							// (https://rekor.sigstore.dev) is used.
3564							"rekor"?: {
3565								// IgnoreTlog skips transparency log verification.
3566								"ignoreTlog"?: bool
3567
3568								// RekorPubKey is an optional PEM-encoded public key to use for a
3569								// custom Rekor.
3570								// If set, this will be used to validate transparency log
3571								// signatures from a custom Rekor.
3572								"pubkey"?: string
3573
3574								// URL is the address of the transparency log. Defaults to the
3575								// public Rekor log instance https://rekor.sigstore.dev.
3576								"url"?: string
3577							}
3578						}
3579
3580						// Keyless is a set of attributes used to verify a Sigstore keyless
3581						// attestor.
3582						// See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
3583						"keyless"?: {
3584							// AdditionalExtensions are certificate-extensions used for
3585							// keyless signing.
3586							"additionalExtensions"?: [string]: string
3587
3588							// CTLog (certificate timestamp log) provides a configuration for
3589							// validation of Signed Certificate
3590							// Timestamps (SCTs). If the value is unset, the default behavior
3591							// by Cosign is used.
3592							"ctlog"?: {
3593								// IgnoreSCT defines whether to use the Signed Certificate
3594								// Timestamp (SCT) log to check for a certificate
3595								// timestamp. Default is false. Set to true if this was opted out
3596								// during signing.
3597								"ignoreSCT"?: bool
3598
3599								// PubKey, if set, is used to validate SCTs against a custom
3600								// source.
3601								"pubkey"?: string
3602
3603								// TSACertChain, if set, is the PEM-encoded certificate chain file
3604								// for the RFC3161 timestamp authority. Must
3605								// contain the root CA certificate. Optionally may contain
3606								// intermediate CA certificates, and
3607								// may contain the leaf TSA certificate if not present in the
3608								// timestamp source.
3609								"tsaCertChain"?: string
3610							}
3611
3612							// Issuer is the certificate issuer used for keyless signing.
3613							"issuer"?: string
3614
3615							// IssuerRegExp is the regular expression to match certificate
3616							// issuer used for keyless signing.
3617							"issuerRegExp"?: string
3618
3619							// Rekor provides configuration for the Rekor transparency log
3620							// service. If an empty object
3621							// is provided the public instance of Rekor
3622							// (https://rekor.sigstore.dev) is used.
3623							"rekor"?: {
3624								// IgnoreTlog skips transparency log verification.
3625								"ignoreTlog"?: bool
3626
3627								// RekorPubKey is an optional PEM-encoded public key to use for a
3628								// custom Rekor.
3629								// If set, this will be used to validate transparency log
3630								// signatures from a custom Rekor.
3631								"pubkey"?: string
3632
3633								// URL is the address of the transparency log. Defaults to the
3634								// public Rekor log instance https://rekor.sigstore.dev.
3635								"url"?: string
3636							}
3637
3638							// Roots is an optional set of PEM encoded trusted root
3639							// certificates.
3640							// If not provided, the system roots are used.
3641							"roots"?: string
3642
3643							// Subject is the verified identity used for keyless signing, for
3644							// example the email address.
3645							"subject"?: string
3646
3647							// SubjectRegExp is the regular expression to match identity used
3648							// for keyless signing, for example the email address.
3649							"subjectRegExp"?: string
3650						}
3651
3652						// Keys specifies one or more public keys.
3653						"keys"?: {
3654							// CTLog (certificate timestamp log) provides a configuration for
3655							// validation of Signed Certificate
3656							// Timestamps (SCTs). If the value is unset, the default behavior
3657							// by Cosign is used.
3658							"ctlog"?: {
3659								// IgnoreSCT defines whether to use the Signed Certificate
3660								// Timestamp (SCT) log to check for a certificate
3661								// timestamp. Default is false. Set to true if this was opted out
3662								// during signing.
3663								"ignoreSCT"?: bool
3664
3665								// PubKey, if set, is used to validate SCTs against a custom
3666								// source.
3667								"pubkey"?: string
3668
3669								// TSACertChain, if set, is the PEM-encoded certificate chain file
3670								// for the RFC3161 timestamp authority. Must
3671								// contain the root CA certificate. Optionally may contain
3672								// intermediate CA certificates, and
3673								// may contain the leaf TSA certificate if not present in the
3674								// timestamp source.
3675								"tsaCertChain"?: string
3676							}
3677
3678							// KMS provides the URI to the public key stored in a Key
3679							// Management System. See:
3680							// https://github.com/sigstore/cosign/blob/main/KMS.md
3681							"kms"?: string
3682
3683							// Keys is a set of X.509 public keys used to verify image
3684							// signatures. The keys can be directly
3685							// specified or can be a variable reference to a key specified in
3686							// a ConfigMap (see
3687							// https://kyverno.io/docs/writing-policies/variables/), or
3688							// reference a standard Kubernetes Secret
3689							// elsewhere in the cluster by specifying it in the format
3690							// "k8s://<namespace>/<secret_name>".
3691							// The named Secret must specify a key `cosign.pub` containing the
3692							// public key used for
3693							// verification, (see
3694							// https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
3695							// When multiple keys are specified each key is processed as a
3696							// separate staticKey entry
3697							// (.attestors[*].entries.keys) within the set of attestors and
3698							// the count is applied across the keys.
3699							"publicKeys"?: string
3700
3701							// Rekor provides configuration for the Rekor transparency log
3702							// service. If an empty object
3703							// is provided the public instance of Rekor
3704							// (https://rekor.sigstore.dev) is used.
3705							"rekor"?: {
3706								// IgnoreTlog skips transparency log verification.
3707								"ignoreTlog"?: bool
3708
3709								// RekorPubKey is an optional PEM-encoded public key to use for a
3710								// custom Rekor.
3711								// If set, this will be used to validate transparency log
3712								// signatures from a custom Rekor.
3713								"pubkey"?: string
3714
3715								// URL is the address of the transparency log. Defaults to the
3716								// public Rekor log instance https://rekor.sigstore.dev.
3717								"url"?: string
3718							}
3719
3720							// Reference to a Secret resource that contains a public key
3721							"secret"?: {
3722								// Name of the secret. The provided secret must contain a key
3723								// named cosign.pub.
3724								"name"!: string
3725
3726								// Namespace name where the Secret exists.
3727								"namespace"!: string
3728							}
3729
3730							// Deprecated. Use attestor.signatureAlgorithm instead.
3731							"signatureAlgorithm"?: string
3732						}
3733
3734						// Repository is an optional alternate OCI repository to use for
3735						// signatures and attestations that match this rule.
3736						// If specified Repository will override other OCI image
3737						// repository locations for this Attestor.
3738						"repository"?: string
3739
3740						// Specify signature algorithm for public keys. Supported values
3741						// are sha224, sha256, sha384 and sha512.
3742						"signatureAlgorithm"?: string
3743					}]
3744				}]
3745
3746				// Allowed values are Audit or Enforce.
3747				"failureAction"?: "Audit" | "Enforce"
3748
3749				// ImageReferences is a list of matching image reference patterns.
3750				// At least one pattern in the
3751				// list must match the image for the rule to apply. Each image
3752				// reference consists of a registry
3753				// address (defaults to docker.io), repository, image, and tag
3754				// (defaults to latest).
3755				// Wildcards ('*' and '?') are allowed. See:
3756				// https://kubernetes.io/docs/concepts/containers/images.
3757				"imageReferences"?: [...string]
3758
3759				// ImageRegistryCredentials provides credentials that will be used
3760				// for authentication with registry
3761				"imageRegistryCredentials"?: {
3762					// AllowInsecureRegistry allows insecure access to a registry.
3763					"allowInsecureRegistry"?: bool
3764
3765					// Providers specifies a list of OCI Registry names, whose
3766					// authentication providers are provided.
3767					// It can be of one of these values:
3768					// default,google,azure,amazon,github.
3769					"providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
3770
3771					// Secrets specifies a list of secrets that are provided for
3772					// credentials.
3773					// Secrets must live in the Kyverno namespace.
3774					"secrets"?: [...string]
3775				}
3776
3777				// MutateDigest enables replacement of image tags with digests.
3778				// Defaults to true.
3779				"mutateDigest"?: bool
3780
3781				// Repository is an optional alternate OCI repository to use for
3782				// image signatures and attestations that match this rule.
3783				// If specified Repository will override the default OCI image
3784				// repository configured for the installation.
3785				// The repository can also be overridden per Attestor or
3786				// Attestation.
3787				"repository"?: string
3788
3789				// Required validates that images are verified, i.e. have passed a
3790				// signature or attestation check.
3791				"required"?: bool
3792
3793				// SkipImageReferences is a list of matching image reference
3794				// patterns that should be skipped.
3795				// At least one pattern in the list must match the image for the
3796				// rule to be skipped. Each image reference
3797				// consists of a registry address (defaults to docker.io),
3798				// repository, image, and tag (defaults to latest).
3799				// Wildcards ('*' and '?') are allowed. See:
3800				// https://kubernetes.io/docs/concepts/containers/images.
3801				"skipImageReferences"?: [...string]
3802
3803				// Type specifies the method of signature validation. The allowed
3804				// options are Cosign, SigstoreBundle and Notary.
3805				// By default Cosign is used if a type is
3806				// not specified.
3807				"type"?: "Cosign" | "SigstoreBundle" | "Notary"
3808
3809				// UseCache enables caching of image verify responses for this
3810				// rule
3811				"useCache"?: bool
3812
3813				// Validation checks conditions across multiple image
3814				// verification attestations or context entries
3815				"validate"?: {
3816					// Deny defines conditions used to pass or fail a validation rule.
3817					"deny"?: {
3818						// Multiple conditions can be declared under an `any` or `all`
3819						// statement. A direct list
3820						// of conditions (without `any` or `all` statements) is also
3821						// supported for backwards compatibility
3822						// but will be deprecated in the next major release.
3823						// See:
3824						// https://kyverno.io/docs/writing-policies/validate/#deny-rules
3825						"conditions"?: null | bool | number | string | [...] | {
3826							...
3827						}
3828					}
3829
3830					// Message specifies a custom message to be displayed on failure.
3831					"message"?: string
3832				}
3833
3834				// VerifyDigest validates that images have a digest.
3835				"verifyDigest"?: bool
3836			}]
3837		}]
3838
3839		// Deprecated.
3840		"schemaValidation"?: bool
3841
3842		// UseServerSideApply controls whether to use server-side apply
3843		// for generate rules.
3844		// If set to "true", create & update for generate rules will use
3845		// apply instead of create/update.
3846		// Defaults to "false" if not specified.
3847		"useServerSideApply"?: bool
3848
3849		// Deprecated, use validationFailureAction under the validate rule
3850		// instead.
3851		"validationFailureAction"?: "audit" | "enforce" | "Audit" | "Enforce"
3852
3853		// Deprecated, use validationFailureActionOverrides under the
3854		// validate rule instead.
3855		"validationFailureActionOverrides"?: [...{
3856			// ValidationFailureAction defines the policy validation failure
3857			// action
3858			"action"?: "audit" | "enforce" | "Audit" | "Enforce"
3859
3860			// A label selector is a label query over a set of resources. The
3861			// result of matchLabels and
3862			// matchExpressions are ANDed. An empty label selector matches all
3863			// objects. A null
3864			// label selector matches no objects.
3865			"namespaceSelector"?: {
3866				// matchExpressions is a list of label selector requirements. The
3867				// requirements are ANDed.
3868				"matchExpressions"?: [...{
3869					// key is the label key that the selector applies to.
3870					"key"!: string
3871
3872					// operator represents a key's relationship to a set of values.
3873					// Valid operators are In, NotIn, Exists and DoesNotExist.
3874					"operator"!: string
3875
3876					// values is an array of string values. If the operator is In or
3877					// NotIn,
3878					// the values array must be non-empty. If the operator is Exists
3879					// or DoesNotExist,
3880					// the values array must be empty. This array is replaced during a
3881					// strategic
3882					// merge patch.
3883					"values"?: [...string]
3884				}]
3885
3886				// matchLabels is a map of {key,value} pairs. A single {key,value}
3887				// in the matchLabels
3888				// map is equivalent to an element of matchExpressions, whose key
3889				// field is "key", the
3890				// operator is "In", and the values array contains only "value".
3891				// The requirements are ANDed.
3892				"matchLabels"?: {
3893					[string]: string
3894				}
3895			}
3896			"namespaces"?: [...string]
3897		}]
3898
3899		// WebhookConfiguration specifies the custom configuration for
3900		// Kubernetes admission webhookconfiguration.
3901		"webhookConfiguration"?: {
3902			// FailurePolicy defines how unexpected policy errors and webhook
3903			// response timeout errors are handled.
3904			// Rules within the same policy share the same failure behavior.
3905			// This field should not be accessed directly, instead
3906			// `GetFailurePolicy()` should be used.
3907			// Allowed values are Ignore or Fail. Defaults to Fail.
3908			"failurePolicy"?: "Ignore" | "Fail"
3909
3910			// MatchCondition configures admission webhook matchConditions.
3911			// Requires Kubernetes 1.27 or later.
3912			"matchConditions"?: [...{
3913				// Expression represents the expression which will be evaluated by
3914				// CEL. Must evaluate to bool.
3915				// CEL expressions have access to the contents of the
3916				// AdmissionRequest and Authorizer, organized into CEL variables:
3917				//
3918				// 'object' - The object from the incoming request. The value is
3919				// null for DELETE requests.
3920				// 'oldObject' - The existing object. The value is null for CREATE
3921				// requests.
3922				// 'request' - Attributes of the admission
3923				// request(/pkg/apis/admission/types.go#AdmissionRequest).
3924				// 'authorizer' - A CEL Authorizer. May be used to perform
3925				// authorization checks for the principal (user or service
3926				// account) of the request.
3927				// See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
3928				// 'authorizer.requestResource' - A CEL ResourceCheck constructed
3929				// from the 'authorizer' and configured with the
3930				// request resource.
3931				// Documentation on CEL:
3932				// https://kubernetes.io/docs/reference/using-api/cel/
3933				//
3934				// Required.
3935				"expression"!: string
3936
3937				// Name is an identifier for this match condition, used for
3938				// strategic merging of MatchConditions,
3939				// as well as providing an identifier for logging purposes. A good
3940				// name should be descriptive of
3941				// the associated expression.
3942				// Name must be a qualified name consisting of alphanumeric
3943				// characters, '-', '_' or '.', and
3944				// must start and end with an alphanumeric character (e.g.
3945				// 'MyName', or 'my.name', or
3946				// '123-abc', regex used for validation is
3947				// '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
3948				// optional DNS subdomain prefix and '/' (e.g.
3949				// 'example.com/MyName')
3950				//
3951				// Required.
3952				"name"!: string
3953			}]
3954
3955			// TimeoutSeconds specifies the maximum time in seconds allowed to
3956			// apply this policy.
3957			// After the configured time expires, the admission request may
3958			// fail, or may simply ignore the policy results,
3959			// based on the failure policy. The default timeout is 10s, the
3960			// value must be between 1 and 30 seconds.
3961			"timeoutSeconds"?: int32 & int
3962		}
3963
3964		// Deprecated, use webhookTimeoutSeconds under
3965		// webhookConfiguration instead.
3966		"webhookTimeoutSeconds"?: int32 & int
3967	}
3968
3969	// Status contains policy runtime data.
3970	"status"?: {
3971		// AutogenStatus contains autogen status information.
3972		"autogen"?: {
3973			// Rules is a list of Rule instances. It contains auto generated
3974			// rules added for pod controllers
3975			"rules"?: [...{
3976				// CELPreconditions are used to determine if a policy rule should
3977				// be applied by evaluating a
3978				// set of CEL conditions. It can only be used with the
3979				// validate.cel subrule
3980				"celPreconditions"?: [...{
3981					// Expression represents the expression which will be evaluated by
3982					// CEL. Must evaluate to bool.
3983					// CEL expressions have access to the contents of the
3984					// AdmissionRequest and Authorizer, organized into CEL variables:
3985					//
3986					// 'object' - The object from the incoming request. The value is
3987					// null for DELETE requests.
3988					// 'oldObject' - The existing object. The value is null for CREATE
3989					// requests.
3990					// 'request' - Attributes of the admission
3991					// request(/pkg/apis/admission/types.go#AdmissionRequest).
3992					// 'authorizer' - A CEL Authorizer. May be used to perform
3993					// authorization checks for the principal (user or service
3994					// account) of the request.
3995					// See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
3996					// 'authorizer.requestResource' - A CEL ResourceCheck constructed
3997					// from the 'authorizer' and configured with the
3998					// request resource.
3999					// Documentation on CEL:
4000					// https://kubernetes.io/docs/reference/using-api/cel/
4001					//
4002					// Required.
4003					"expression"!: string
4004
4005					// Name is an identifier for this match condition, used for
4006					// strategic merging of MatchConditions,
4007					// as well as providing an identifier for logging purposes. A good
4008					// name should be descriptive of
4009					// the associated expression.
4010					// Name must be a qualified name consisting of alphanumeric
4011					// characters, '-', '_' or '.', and
4012					// must start and end with an alphanumeric character (e.g.
4013					// 'MyName', or 'my.name', or
4014					// '123-abc', regex used for validation is
4015					// '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
4016					// optional DNS subdomain prefix and '/' (e.g.
4017					// 'example.com/MyName')
4018					//
4019					// Required.
4020					"name"!: string
4021				}]
4022
4023				// Context defines variables and data sources that can be used
4024				// during rule execution.
4025				"context"?: [...matchN(1, [{
4026					"configMap"!: _
4027				}, {
4028					"apiCall"!: _
4029				}, {
4030					"imageRegistry"!: _
4031				}, {
4032					"variable"!: _
4033				}, {
4034					"globalReference"!: _
4035				}]) & {
4036					// APICall is an HTTP request to the Kubernetes API server, or
4037					// other JSON web service.
4038					// The data returned is stored in the context with the name for
4039					// the context entry.
4040					"apiCall"?: {
4041						// The data object specifies the POST data sent to the server.
4042						// Only applicable when the method field is set to POST.
4043						"data"?: [...{
4044							// Key is a unique identifier for the data value
4045							"key"!: string
4046
4047							// Value is the data value
4048							"value"!: null | bool | number | string | [...] | {
4049								...
4050							}
4051						}]
4052
4053						// Default is an optional arbitrary JSON object that the context
4054						// value is set to, if the apiCall returns error.
4055						"default"?: null | bool | number | string | [...] | {
4056							...
4057						}
4058
4059						// JMESPath is an optional JSON Match Expression that can be used
4060						// to
4061						// transform the JSON response returned from the server. For
4062						// example
4063						// a JMESPath of "items | length(@)" applied to the API server
4064						// response
4065						// for the URLPath "/apis/apps/v1/deployments" will return the
4066						// total count
4067						// of deployments across all namespaces.
4068						"jmesPath"?: string
4069
4070						// Method is the HTTP request type (GET or POST). Defaults to GET.
4071						"method"?: "GET" | "POST"
4072
4073						// Service is an API call to a JSON web service.
4074						// This is used for non-Kubernetes API server calls.
4075						// It's mutually exclusive with the URLPath field.
4076						"service"?: {
4077							// CABundle is a PEM encoded CA bundle which will be used to
4078							// validate
4079							// the server certificate.
4080							"caBundle"?: string
4081
4082							// Headers is a list of optional HTTP headers to be included in
4083							// the request.
4084							"headers"?: [...{
4085								// Key is the header key
4086								"key"!: string
4087
4088								// Value is the header value
4089								"value"!: string
4090							}]
4091
4092							// URL is the JSON web service URL. A typical form is
4093							// `https://{service}.{namespace}:{port}/{path}`.
4094							"url"!: string
4095						}
4096
4097						// URLPath is the URL path to be used in the HTTP GET or POST
4098						// request to the
4099						// Kubernetes API server (e.g. "/api/v1/namespaces" or
4100						// "/apis/apps/v1/deployments").
4101						// The format required is the same format used by the `kubectl get
4102						// --raw` command.
4103						// See
4104						// https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
4105						// for details.
4106						// It's mutually exclusive with the Service field.
4107						"urlPath"?: string
4108					}
4109
4110					// ConfigMap is the ConfigMap reference.
4111					"configMap"?: {
4112						// Name is the ConfigMap name.
4113						"name"!: string
4114
4115						// Namespace is the ConfigMap namespace.
4116						"namespace"?: string
4117					}
4118
4119					// GlobalContextEntryReference is a reference to a cached global
4120					// context entry.
4121					"globalReference"?: {
4122						// JMESPath is an optional JSON Match Expression that can be used
4123						// to
4124						// transform the JSON response returned from the server. For
4125						// example
4126						// a JMESPath of "items | length(@)" applied to the API server
4127						// response
4128						// for the URLPath "/apis/apps/v1/deployments" will return the
4129						// total count
4130						// of deployments across all namespaces.
4131						"jmesPath"?: string
4132
4133						// Name of the global context entry
4134						"name"!: string
4135					}
4136
4137					// ImageRegistry defines requests to an OCI/Docker V2 registry to
4138					// fetch image
4139					// details.
4140					"imageRegistry"?: {
4141						// ImageRegistryCredentials provides credentials that will be used
4142						// for authentication with registry
4143						"imageRegistryCredentials"?: {
4144							// AllowInsecureRegistry allows insecure access to a registry.
4145							"allowInsecureRegistry"?: bool
4146
4147							// Providers specifies a list of OCI Registry names, whose
4148							// authentication providers are provided.
4149							// Each entry must be one of these values:
4150							// default, google, azure, amazon, github.
4151							"providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
4152
4153							// Secrets specifies a list of secrets that are provided for
4154							// credentials.
4155							// Secrets must live in the Kyverno namespace.
4156							"secrets"?: [...string]
4157						}
4158
4159						// JMESPath is an optional JSON Match Expression that can be used
4160						// to
4161						// transform the ImageData struct returned as a result of
4162						// processing
4163						// the image reference.
4164						"jmesPath"?: string
4165
4166						// Reference is image reference to a container image in the
4167						// registry.
4168						// Example: ghcr.io/kyverno/kyverno:latest
4169						"reference"!: string
4170					}
4171
4172					// Name is the variable name.
4173					"name"!: string
4174
4175					// Variable defines an arbitrary JMESPath context variable that
4176					// can be defined inline.
4177					"variable"?: {
4178						// Default is an optional arbitrary JSON object that the variable
4179						// may take if the JMESPath
4180						// expression evaluates to nil
4181						"default"?: null | bool | number | string | [...] | {
4182							...
4183						}
4184
4185						// JMESPath is an optional JMESPath Expression that can be used to
4186						// transform the variable.
4187						"jmesPath"?: string
4188
4189						// Value is any arbitrary JSON object representable in YAML or
4190						// JSON form.
4191						"value"?: null | bool | number | string | [...] | {
4192							...
4193						}
4194					}
4195				}]
4196
4197				// ExcludeResources defines when this policy rule should not be
4198				// applied. The exclude
4199				// criteria can include resource information (e.g. kind, name,
4200				// namespace, labels)
4201				// and admission review request information like the name or role.
4202				"exclude"?: matchN(0, [null | bool | number | string | [...] | {
4203					"any"!: _
4204					"all"!: _
4205				}]) & {
4206					// All allows specifying resources which will be ANDed
4207					"all"?: [...{
4208						// ClusterRoles is the list of cluster-wide role names for the
4209						// user.
4210						"clusterRoles"?: [...string]
4211
4212						// ResourceDescription contains information about the resource
4213						// being created or modified.
4214						"resources"?: matchN(0, [null | bool | number | string | [...] | {
4215							"name"!:  _
4216							"names"!: _
4217						}]) & {
4218							// Annotations is a map of annotations (key-value pairs of type
4219							// string). Annotation keys
4220							// and values support the wildcard characters "*" (matches zero or
4221							// many characters) and
4222							// "?" (matches at least one character).
4223							"annotations"?: [string]: string
4224
4225							// Kinds is a list of resource kinds.
4226							"kinds"?: [...string]
4227
4228							// Name is the name of the resource. The name supports wildcard
4229							// characters
4230							// "*" (matches zero or many characters) and "?" (at least one
4231							// character).
4232							// NOTE: "Name" is being deprecated in favor of "Names".
4233							"name"?: string
4234
4235							// Names are the names of the resources. Each name supports
4236							// wildcard characters
4237							// "*" (matches zero or many characters) and "?" (at least one
4238							// character).
4239							"names"?: [...string]
4240
4241							// NamespaceSelector is a label selector for the resource
4242							// namespace. Label keys and values
4243							// in `matchLabels` support the wildcard characters `*` (matches
4244							// zero or many characters)
4245							// and `?` (matches one character). Wildcards allow writing label
4246							// selectors like
4247							// ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
4248							// any key and value but
4249							// does not match an empty label set.
4250							"namespaceSelector"?: {
4251								// matchExpressions is a list of label selector requirements. The
4252								// requirements are ANDed.
4253								"matchExpressions"?: [...{
4254									// key is the label key that the selector applies to.
4255									"key"!: string
4256
4257									// operator represents a key's relationship to a set of values.
4258									// Valid operators are In, NotIn, Exists and DoesNotExist.
4259									"operator"!: string
4260
4261									// values is an array of string values. If the operator is In or
4262									// NotIn,
4263									// the values array must be non-empty. If the operator is Exists
4264									// or DoesNotExist,
4265									// the values array must be empty. This array is replaced during a
4266									// strategic
4267									// merge patch.
4268									"values"?: [...string]
4269								}]
4270
4271								// matchLabels is a map of {key,value} pairs. A single {key,value}
4272								// in the matchLabels
4273								// map is equivalent to an element of matchExpressions, whose key
4274								// field is "key", the
4275								// operator is "In", and the values array contains only "value".
4276								// The requirements are ANDed.
4277								"matchLabels"?: {
4278									[string]: string
4279								}
4280							}
4281
4282							// Namespaces is a list of namespace names. Each name supports
4283							// wildcard characters
4284							// "*" (matches zero or many characters) and "?" (at least one
4285							// character).
4286							"namespaces"?: [...string]
4287
4288							// Operations can contain values ["CREATE", "UPDATE", "CONNECT",
4289							// "DELETE"], which are used to match a specific action.
4290							"operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
4291
4292							// Selector is a label selector. Label keys and values in
4293							// `matchLabels` support the wildcard
4294							// characters `*` (matches zero or many characters) and `?`
4295							// (matches one character).
4296							// Wildcards allows writing label selectors like
4297							// ["storage.k8s.io/*": "*"]. Note that
4298							// using ["*" : "*"] matches any key and value but does not match
4299							// an empty label set.
4300							"selector"?: {
4301								// matchExpressions is a list of label selector requirements. The
4302								// requirements are ANDed.
4303								"matchExpressions"?: [...{
4304									// key is the label key that the selector applies to.
4305									"key"!: string
4306
4307									// operator represents a key's relationship to a set of values.
4308									// Valid operators are In, NotIn, Exists and DoesNotExist.
4309									"operator"!: string
4310
4311									// values is an array of string values. If the operator is In or
4312									// NotIn,
4313									// the values array must be non-empty. If the operator is Exists
4314									// or DoesNotExist,
4315									// the values array must be empty. This array is replaced during a
4316									// strategic
4317									// merge patch.
4318									"values"?: [...string]
4319								}]
4320
4321								// matchLabels is a map of {key,value} pairs. A single {key,value}
4322								// in the matchLabels
4323								// map is equivalent to an element of matchExpressions, whose key
4324								// field is "key", the
4325								// operator is "In", and the values array contains only "value".
4326								// The requirements are ANDed.
4327								"matchLabels"?: {
4328									[string]: string
4329								}
4330							}
4331						}
4332
4333						// Roles is the list of namespaced role names for the user.
4334						"roles"?: [...string]
4335
4336						// Subjects is the list of subject names like users, user groups,
4337						// and service accounts.
4338						"subjects"?: [...{
4339							// APIGroup holds the API group of the referenced subject.
4340							// Defaults to "" for ServiceAccount subjects.
4341							// Defaults to "rbac.authorization.k8s.io" for User and Group
4342							// subjects.
4343							"apiGroup"?: string
4344
4345							// Kind of object being referenced. Values defined by this API
4346							// group are "User", "Group", and "ServiceAccount".
4347							// If the Authorizer does not recognize the kind value, the
4348							// Authorizer should report an error.
4349							"kind"!: string
4350
4351							// Name of the object being referenced.
4352							"name"!: string
4353
4354							// Namespace of the referenced object. If the object kind is
4355							// non-namespaced, such as "User" or "Group", and this value is
4356							// not empty
4357							// the Authorizer should report an error.
4358							"namespace"?: string
4359						}]
4360					}]
4361
4362					// Any allows specifying resources which will be ORed
4363					"any"?: [...{
4364						// ClusterRoles is the list of cluster-wide role names for the
4365						// user.
4366						"clusterRoles"?: [...string]
4367
4368						// ResourceDescription contains information about the resource
4369						// being created or modified.
4370						"resources"?: matchN(0, [null | bool | number | string | [...] | {
4371							"name"!:  _
4372							"names"!: _
4373						}]) & {
4374							// Annotations is a map of annotations (key-value pairs of type
4375							// string). Annotation keys
4376							// and values support the wildcard characters "*" (matches zero or
4377							// many characters) and
4378							// "?" (matches at least one character).
4379							"annotations"?: [string]: string
4380
4381							// Kinds is a list of resource kinds.
4382							"kinds"?: [...string]
4383
4384							// Name is the name of the resource. The name supports wildcard
4385							// characters
4386							// "*" (matches zero or many characters) and "?" (at least one
4387							// character).
4388							// NOTE: "Name" is being deprecated in favor of "Names".
4389							"name"?: string
4390
4391							// Names are the names of the resources. Each name supports
4392							// wildcard characters
4393							// "*" (matches zero or many characters) and "?" (at least one
4394							// character).
4395							"names"?: [...string]
4396
4397							// NamespaceSelector is a label selector for the resource
4398							// namespace. Label keys and values
4399							// in `matchLabels` support the wildcard characters `*` (matches
4400							// zero or many characters)
4401							// and `?` (matches one character). Wildcards allow writing label
4402							// selectors like
4403							// ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
4404							// any key and value but
4405							// does not match an empty label set.
4406							"namespaceSelector"?: {
4407								// matchExpressions is a list of label selector requirements. The
4408								// requirements are ANDed.
4409								"matchExpressions"?: [...{
4410									// key is the label key that the selector applies to.
4411									"key"!: string
4412
4413									// operator represents a key's relationship to a set of values.
4414									// Valid operators are In, NotIn, Exists and DoesNotExist.
4415									"operator"!: string
4416
4417									// values is an array of string values. If the operator is In or
4418									// NotIn,
4419									// the values array must be non-empty. If the operator is Exists
4420									// or DoesNotExist,
4421									// the values array must be empty. This array is replaced during a
4422									// strategic
4423									// merge patch.
4424									"values"?: [...string]
4425								}]
4426
4427								// matchLabels is a map of {key,value} pairs. A single {key,value}
4428								// in the matchLabels
4429								// map is equivalent to an element of matchExpressions, whose key
4430								// field is "key", the
4431								// operator is "In", and the values array contains only "value".
4432								// The requirements are ANDed.
4433								"matchLabels"?: {
4434									[string]: string
4435								}
4436							}
4437
4438							// Namespaces is a list of namespace names. Each name supports
4439							// wildcard characters
4440							// "*" (matches zero or many characters) and "?" (at least one
4441							// character).
4442							"namespaces"?: [...string]
4443
4444							// Operations can contain values ["CREATE", "UPDATE", "CONNECT",
4445							// "DELETE"], which are used to match a specific action.
4446							"operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
4447
4448							// Selector is a label selector. Label keys and values in
4449							// `matchLabels` support the wildcard
4450							// characters `*` (matches zero or many characters) and `?`
4451							// (matches one character).
4452							// Wildcards allows writing label selectors like
4453							// ["storage.k8s.io/*": "*"]. Note that
4454							// using ["*" : "*"] matches any key and value but does not match
4455							// an empty label set.
4456							"selector"?: {
4457								// matchExpressions is a list of label selector requirements. The
4458								// requirements are ANDed.
4459								"matchExpressions"?: [...{
4460									// key is the label key that the selector applies to.
4461									"key"!: string
4462
4463									// operator represents a key's relationship to a set of values.
4464									// Valid operators are In, NotIn, Exists and DoesNotExist.
4465									"operator"!: string
4466
4467									// values is an array of string values. If the operator is In or
4468									// NotIn,
4469									// the values array must be non-empty. If the operator is Exists
4470									// or DoesNotExist,
4471									// the values array must be empty. This array is replaced during a
4472									// strategic
4473									// merge patch.
4474									"values"?: [...string]
4475								}]
4476
4477								// matchLabels is a map of {key,value} pairs. A single {key,value}
4478								// in the matchLabels
4479								// map is equivalent to an element of matchExpressions, whose key
4480								// field is "key", the
4481								// operator is "In", and the values array contains only "value".
4482								// The requirements are ANDed.
4483								"matchLabels"?: {
4484									[string]: string
4485								}
4486							}
4487						}
4488
4489						// Roles is the list of namespaced role names for the user.
4490						"roles"?: [...string]
4491
4492						// Subjects is the list of subject names like users, user groups,
4493						// and service accounts.
4494						"subjects"?: [...{
4495							// APIGroup holds the API group of the referenced subject.
4496							// Defaults to "" for ServiceAccount subjects.
4497							// Defaults to "rbac.authorization.k8s.io" for User and Group
4498							// subjects.
4499							"apiGroup"?: string
4500
4501							// Kind of object being referenced. Values defined by this API
4502							// group are "User", "Group", and "ServiceAccount".
4503							// If the Authorizer does not recognize the kind value, the
4504							// Authorizer should report an error.
4505							"kind"!: string
4506
4507							// Name of the object being referenced.
4508							"name"!: string
4509
4510							// Namespace of the referenced object. If the object kind is
4511							// non-namespaced, such as "User" or "Group", and this value is
4512							// not empty
4513							// the Authorizer should report an error.
4514							"namespace"?: string
4515						}]
4516					}]
4517
4518					// ClusterRoles is the list of cluster-wide role names for the
4519					// user.
4520					"clusterRoles"?: [...string]
4521
4522					// ResourceDescription contains information about the resource
4523					// being created or modified.
4524					// Requires at least one tag to be specified when under
4525					// MatchResources.
4526					// Specifying ResourceDescription directly under match is being
4527					// deprecated.
4528					// Please specify under "any" or "all" instead.
4529					"resources"?: matchN(0, [null | bool | number | string | [...] | {
4530						"name"!:  _
4531						"names"!: _
4532					}]) & {
4533						// Annotations is a map of annotations (key-value pairs of type
4534						// string). Annotation keys
4535						// and values support the wildcard characters "*" (matches zero or
4536						// many characters) and
4537						// "?" (matches at least one character).
4538						"annotations"?: [string]: string
4539
4540						// Kinds is a list of resource kinds.
4541						"kinds"?: [...string]
4542
4543						// Name is the name of the resource. The name supports wildcard
4544						// characters
4545						// "*" (matches zero or many characters) and "?" (at least one
4546						// character).
4547						// NOTE: "Name" is being deprecated in favor of "Names".
4548						"name"?: string
4549
4550						// Names are the names of the resources. Each name supports
4551						// wildcard characters
4552						// "*" (matches zero or many characters) and "?" (at least one
4553						// character).
4554						"names"?: [...string]
4555
4556						// NamespaceSelector is a label selector for the resource
4557						// namespace. Label keys and values
4558						// in `matchLabels` support the wildcard characters `*` (matches
4559						// zero or many characters)
4560						// and `?` (matches one character). Wildcards allow writing label
4561						// selectors like
4562						// ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
4563						// any key and value but
4564						// does not match an empty label set.
4565						"namespaceSelector"?: {
4566							// matchExpressions is a list of label selector requirements. The
4567							// requirements are ANDed.
4568							"matchExpressions"?: [...{
4569								// key is the label key that the selector applies to.
4570								"key"!: string
4571
4572								// operator represents a key's relationship to a set of values.
4573								// Valid operators are In, NotIn, Exists and DoesNotExist.
4574								"operator"!: string
4575
4576								// values is an array of string values. If the operator is In or
4577								// NotIn,
4578								// the values array must be non-empty. If the operator is Exists
4579								// or DoesNotExist,
4580								// the values array must be empty. This array is replaced during a
4581								// strategic
4582								// merge patch.
4583								"values"?: [...string]
4584							}]
4585
4586							// matchLabels is a map of {key,value} pairs. A single {key,value}
4587							// in the matchLabels
4588							// map is equivalent to an element of matchExpressions, whose key
4589							// field is "key", the
4590							// operator is "In", and the values array contains only "value".
4591							// The requirements are ANDed.
4592							"matchLabels"?: {
4593								[string]: string
4594							}
4595						}
4596
4597						// Namespaces is a list of namespace names. Each name supports
4598						// wildcard characters
4599						// "*" (matches zero or many characters) and "?" (at least one
4600						// character).
4601						"namespaces"?: [...string]
4602
4603						// Operations can contain values ["CREATE", "UPDATE", "CONNECT",
4604						// "DELETE"], which are used to match a specific action.
4605						"operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
4606
4607						// Selector is a label selector. Label keys and values in
4608						// `matchLabels` support the wildcard
4609						// characters `*` (matches zero or many characters) and `?`
4610						// (matches one character).
4611						// Wildcards allows writing label selectors like
4612						// ["storage.k8s.io/*": "*"]. Note that
4613						// using ["*" : "*"] matches any key and value but does not match
4614						// an empty label set.
4615						"selector"?: {
4616							// matchExpressions is a list of label selector requirements. The
4617							// requirements are ANDed.
4618							"matchExpressions"?: [...{
4619								// key is the label key that the selector applies to.
4620								"key"!: string
4621
4622								// operator represents a key's relationship to a set of values.
4623								// Valid operators are In, NotIn, Exists and DoesNotExist.
4624								"operator"!: string
4625
4626								// values is an array of string values. If the operator is In or
4627								// NotIn,
4628								// the values array must be non-empty. If the operator is Exists
4629								// or DoesNotExist,
4630								// the values array must be empty. This array is replaced during a
4631								// strategic
4632								// merge patch.
4633								"values"?: [...string]
4634							}]
4635
4636							// matchLabels is a map of {key,value} pairs. A single {key,value}
4637							// in the matchLabels
4638							// map is equivalent to an element of matchExpressions, whose key
4639							// field is "key", the
4640							// operator is "In", and the values array contains only "value".
4641							// The requirements are ANDed.
4642							"matchLabels"?: {
4643								[string]: string
4644							}
4645						}
4646					}
4647
4648					// Roles is the list of namespaced role names for the user.
4649					"roles"?: [...string]
4650
4651					// Subjects is the list of subject names like users, user groups,
4652					// and service accounts.
4653					"subjects"?: [...{
4654						// APIGroup holds the API group of the referenced subject.
4655						// Defaults to "" for ServiceAccount subjects.
4656						// Defaults to "rbac.authorization.k8s.io" for User and Group
4657						// subjects.
4658						"apiGroup"?: string
4659
4660						// Kind of object being referenced. Values defined by this API
4661						// group are "User", "Group", and "ServiceAccount".
4662						// If the Authorizer does not recognize the kind value, the
4663						// Authorizer should report an error.
4664						"kind"!: string
4665
4666						// Name of the object being referenced.
4667						"name"!: string
4668
4669						// Namespace of the referenced object. If the object kind is
4670						// non-namespaced, such as "User" or "Group", and this value is
4671						// not empty,
4672						// the Authorizer should report an error.
4673						"namespace"?: string
4674					}]
4675				}
4676
4677				// Generation is used to create new resources.
4678				"generate"?: {
4679					// APIVersion specifies resource apiVersion.
4680					"apiVersion"?: string
4681
4682					// Clone specifies the source resource used to populate each
4683					// generated resource.
4684					// At most one of Data or Clone can be specified. If neither are
4685					// provided, the generated
4686					// resource will be created with default data only.
4687					"clone"?: {
4688						// Name specifies name of the resource.
4689						"name"?: string
4690
4691						// Namespace specifies source resource namespace.
4692						"namespace"?: string
4693					}
4694
4695					// CloneList specifies the list of source resources used to
4696					// populate each generated resource.
4697					"cloneList"?: {
4698						// Kinds is a list of resource kinds.
4699						"kinds"?: [...string]
4700
4701						// Namespace specifies source resource namespace.
4702						"namespace"?: string
4703
4704						// Selector is a label selector. Unlike the `match` selectors,
4705						// wildcard characters are not supported in `matchLabels` keys
4706						// and values.
4707						"selector"?: {
4708							// matchExpressions is a list of label selector requirements. The
4709							// requirements are ANDed.
4710							"matchExpressions"?: [...{
4711								// key is the label key that the selector applies to.
4712								"key"!: string
4713
4714								// operator represents a key's relationship to a set of values.
4715								// Valid operators are In, NotIn, Exists and DoesNotExist.
4716								"operator"!: string
4717
4718								// values is an array of string values. If the operator is In or
4719								// NotIn,
4720								// the values array must be non-empty. If the operator is Exists
4721								// or DoesNotExist,
4722								// the values array must be empty. This array is replaced during a
4723								// strategic
4724								// merge patch.
4725								"values"?: [...string]
4726							}]
4727
4728							// matchLabels is a map of {key,value} pairs. A single {key,value}
4729							// in the matchLabels
4730							// map is equivalent to an element of matchExpressions, whose key
4731							// field is "key", the
4732							// operator is "In", and the values array contains only "value".
4733							// The requirements are ANDed.
4734							"matchLabels"?: {
4735								[string]: string
4736							}
4737						}
4738					}
4739
4740					// Data provides the resource declaration used to populate each
4741					// generated resource.
4742					// At most one of Data or Clone can be specified. If neither are
4743					// provided, the generated
4744					// resource will be created with default data only.
4745					"data"?: null | bool | number | string | [...] | {
4746						...
4747					}
4748
4749					// ForEach applies generate rules to a list of sub-elements by
4750					// creating a context for each entry in the list and looping over
4751					// it to apply the specified logic.
4752					"foreach"?: [...{
4753						// APIVersion specifies resource apiVersion.
4754						"apiVersion"?: string
4755
4756						// Clone specifies the source resource used to populate each
4757						// generated resource.
4758						// At most one of Data or Clone can be specified. If neither are
4759						// provided, the generated
4760						// resource will be created with default data only.
4761						"clone"?: {
4762							// Name specifies name of the resource.
4763							"name"?: string
4764
4765							// Namespace specifies source resource namespace.
4766							"namespace"?: string
4767						}
4768
4769						// CloneList specifies the list of source resources used to
4770						// populate each generated resource.
4771						"cloneList"?: {
4772							// Kinds is a list of resource kinds.
4773							"kinds"?: [...string]
4774
4775							// Namespace specifies source resource namespace.
4776							"namespace"?: string
4777
4778							// Selector is a label selector. Unlike the `match` selectors,
4779							// wildcard characters are not supported in `matchLabels` keys
4780							// and values.
4781							"selector"?: {
4782								// matchExpressions is a list of label selector requirements. The
4783								// requirements are ANDed.
4784								"matchExpressions"?: [...{
4785									// key is the label key that the selector applies to.
4786									"key"!: string
4787
4788									// operator represents a key's relationship to a set of values.
4789									// Valid operators are In, NotIn, Exists and DoesNotExist.
4790									"operator"!: string
4791
4792									// values is an array of string values. If the operator is In or
4793									// NotIn,
4794									// the values array must be non-empty. If the operator is Exists
4795									// or DoesNotExist,
4796									// the values array must be empty. This array is replaced during a
4797									// strategic
4798									// merge patch.
4799									"values"?: [...string]
4800								}]
4801
4802								// matchLabels is a map of {key,value} pairs. A single {key,value}
4803								// in the matchLabels
4804								// map is equivalent to an element of matchExpressions, whose key
4805								// field is "key", the
4806								// operator is "In", and the values array contains only "value".
4807								// The requirements are ANDed.
4808								"matchLabels"?: {
4809									[string]: string
4810								}
4811							}
4812						}
4813
4814						// Context defines variables and data sources that can be used
4815						// during rule execution. Each entry must set exactly one of configMap, apiCall, imageRegistry, variable or globalReference; the matchN(1, ...) constraint below rejects entries that set none or more than one.
4816						"context"?: [...matchN(1, [{
4817							"configMap"!: _
4818						}, {
4819							"apiCall"!: _
4820						}, {
4821							"imageRegistry"!: _
4822						}, {
4823							"variable"!: _
4824						}, {
4825							"globalReference"!: _
4826						}]) & {
4827							// APICall is an HTTP request to the Kubernetes API server, or
4828							// other JSON web service.
4829							// The data returned is stored in the context with the name for
4830							// the context entry.
4831							"apiCall"?: {
4832								// The data object specifies the POST data sent to the server.
4833								// Only applicable when the method field is set to POST.
4834								"data"?: [...{
4835									// Key is a unique identifier for the data value
4836									"key"!: string
4837
4838									// Value is the data value
4839									"value"!: null | bool | number | string | [...] | {
4840										...
4841									}
4842								}]
4843
4844								// Default is an optional arbitrary JSON object that the context
4845								// value is set to if the apiCall returns an error.
4846								"default"?: null | bool | number | string | [...] | {
4847									...
4848								}
4849
4850								// JMESPath is an optional JSON Match Expression that can be used
4851								// to
4852								// transform the JSON response returned from the server. For
4853								// example
4854								// a JMESPath of "items | length(@)" applied to the API server
4855								// response
4856								// for the URLPath "/apis/apps/v1/deployments" will return the
4857								// total count
4858								// of deployments across all namespaces.
4859								"jmesPath"?: string
4860
4861								// Method is the HTTP request type (GET or POST). Defaults to GET.
4862								"method"?: "GET" | "POST"
4863
4864								// Service is an API call to a JSON web service.
4865								// This is used for non-Kubernetes API server calls.
4866								// It's mutually exclusive with the URLPath field.
4867								"service"?: {
4868									// CABundle is a PEM encoded CA bundle which will be used to
4869									// validate the server certificate. Which trust store applies when
4870									// this field is omitted is not specified here; confirm it before relying on TLS validation for this call.
4871									"caBundle"?: string
4872
4873									// Headers is a list of optional HTTP headers to be included in
4874									// the request.
4875									"headers"?: [...{
4876										// Key is the header key
4877										"key"!: string
4878
4879										// Value is the header value
4880										"value"!: string
4881									}]
4882
4883									// URL is the JSON web service URL. A typical form is
4884									// `https://{service}.{namespace}:{port}/{path}`. The policy engine itself performs this request, so permission to write policies implies the ability to direct outbound requests from the controller; restrict policy authoring accordingly.
4885									"url"!: string
4886								}
4887
4888								// URLPath is the URL path to be used in the HTTP GET or POST
4889								// request to the
4890								// Kubernetes API server (e.g. "/api/v1/namespaces" or
4891								// "/apis/apps/v1/deployments").
4892								// The format required is the same format used by the `kubectl get
4893								// --raw` command.
4894								// See
4895								// https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
4896								// for details.
4897								// It's mutually exclusive with the Service field.
4898								"urlPath"?: string
4899							}
4900
4901							// ConfigMap is the ConfigMap reference.
4902							"configMap"?: {
4903								// Name is the ConfigMap name.
4904								"name"!: string
4905
4906								// Namespace is the ConfigMap namespace.
4907								"namespace"?: string
4908							}
4909
4910							// GlobalContextEntryReference is a reference to a cached global
4911							// context entry.
4912							"globalReference"?: {
4913								// JMESPath is an optional JSON Match Expression that can be used
4914								// to
4915								// transform the JSON response returned from the server. For
4916								// example
4917								// a JMESPath of "items | length(@)" applied to the API server
4918								// response
4919								// for the URLPath "/apis/apps/v1/deployments" will return the
4920								// total count
4921								// of deployments across all namespaces.
4922								"jmesPath"?: string
4923
4924								// Name of the global context entry
4925								"name"!: string
4926							}
4927
4928							// ImageRegistry defines requests to an OCI/Docker V2 registry to
4929							// fetch image
4930							// details.
4931							"imageRegistry"?: {
4932								// ImageRegistryCredentials provides credentials that will be used
4933								// for authentication with registry
4934								"imageRegistryCredentials"?: {
4935									// AllowInsecureRegistry allows insecure access to a registry. This weakens transport security for registry calls (presumably plain HTTP and/or unverified TLS — confirm against the registry client); leave it unset outside test environments.
4936									"allowInsecureRegistry"?: bool
4937
4938									// Providers specifies a list of OCI Registry names for which
4939									// built-in authentication providers are enabled.
4940									// Each entry must be one of:
4941									// default, google, azure, amazon, github.
4942									"providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
4943
4944									// Secrets specifies a list of secrets that are provided for
4945									// credentials.
4946									// Secrets must live in the Kyverno namespace.
4947									"secrets"?: [...string]
4948								}
4949
4950								// JMESPath is an optional JSON Match Expression that can be used
4951								// to
4952								// transform the ImageData struct returned as a result of
4953								// processing
4954								// the image reference.
4955								"jmesPath"?: string
4956
4957								// Reference is image reference to a container image in the
4958								// registry.
4959								// Example: ghcr.io/kyverno/kyverno:latest
4960								"reference"!: string
4961							}
4962
4963							// Name is the variable name.
4964							"name"!: string
4965
4966							// Variable defines an arbitrary JMESPath context variable that
4967							// can be defined inline.
4968							"variable"?: {
4969								// Default is an optional arbitrary JSON object that the variable
4970								// may take if the JMESPath
4971								// expression evaluates to nil
4972								"default"?: null | bool | number | string | [...] | {
4973									...
4974								}
4975
4976								// JMESPath is an optional JMESPath Expression that can be used to
4977								// transform the variable.
4978								"jmesPath"?: string
4979
4980								// Value is any arbitrary JSON object representable in YAML or
4981								// JSON form.
4982								"value"?: null | bool | number | string | [...] | {
4983									...
4984								}
4985							}
4986						}]
4987
4988						// Data provides the resource declaration used to populate each
4989						// generated resource.
4990						// At most one of Data or Clone can be specified. If neither are
4991						// provided, the generated
4992						// resource will be created with default data only.
4993						"data"?: null | bool | number | string | [...] | {
4994							...
4995						}
4996
4997						// Kind specifies resource kind.
4998						"kind"?: string
4999
5000						// List specifies a JMESPath expression that results in one or
5001						// more elements
5002						// to which the validation logic is applied.
5003						"list"?: string
5004
5005						// Name specifies the resource name.
5006						"name"?: string
5007
5008						// Namespace specifies resource namespace.
5009						"namespace"?: string
5010
5011						// AnyAllConditions are used to determine if a policy rule should
5012						// be applied by evaluating a
5013						// set of conditions. The declaration can contain nested `any` or
5014						// `all` statements.
5015						// See: https://kyverno.io/docs/writing-policies/preconditions/
5016						"preconditions"?: {
5017							// AllConditions enable variable-based conditional rule execution.
5018							// This is useful for
5019								// finer control of when a rule is applied. A condition can
5020							// reference object data
5021							// using JMESPath notation.
5022							// Here, all of the conditions need to pass
5023							"all"?: [...{
5024								// Key is the context entry (using JMESPath) for conditional rule
5025								// evaluation.
5026								"key"?: null | bool | number | string | [...] | {
5027									...
5028								}
5029
5030								// Message is an optional display message
5031								"message"?: string
5032
5033								// Operator is the conditional operation to perform. Valid
5034								// operators are:
5035								// Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
5036								// GreaterThanOrEquals,
5037								// GreaterThan, LessThanOrEquals, LessThan,
5038								// DurationGreaterThanOrEquals, DurationGreaterThan,
5039								// DurationLessThanOrEquals, DurationLessThan
5040								"operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
5041
5042								// Value is the conditional value, or set of values. The values
5043								// can be fixed set
5044								// or can be variables declared using JMESPath.
5045								"value"?: null | bool | number | string | [...] | {
5046									...
5047								}
5048							}]
5049
5050							// AnyConditions enable variable-based conditional rule execution.
5051							// This is useful for
5052								// finer control of when a rule is applied. A condition can
5053							// reference object data
5054							// using JMESPath notation.
5055							// Here, at least one of the conditions need to pass
5056							"any"?: [...{
5057								// Key is the context entry (using JMESPath) for conditional rule
5058								// evaluation.
5059								"key"?: null | bool | number | string | [...] | {
5060									...
5061								}
5062
5063								// Message is an optional display message
5064								"message"?: string
5065
5066								// Operator is the conditional operation to perform. Valid
5067								// operators are:
5068								// Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
5069								// GreaterThanOrEquals,
5070								// GreaterThan, LessThanOrEquals, LessThan,
5071								// DurationGreaterThanOrEquals, DurationGreaterThan,
5072								// DurationLessThanOrEquals, DurationLessThan
5073								"operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
5074
5075								// Value is the conditional value, or set of values. The values
5076								// can be fixed set
5077								// or can be variables declared using JMESPath.
5078								"value"?: null | bool | number | string | [...] | {
5079									...
5080								}
5081							}]
5082							...
5083						}
5084
5085						// UID specifies the resource uid.
5086						"uid"?: string
5087					}]
5088
5089					// GenerateExisting controls whether to trigger the rule in
5090					// existing resources.
5091					// If set to "true" the rule will be triggered and applied to
5092					// existing matched resources.
5093					"generateExisting"?: bool
5094
5095					// Kind specifies resource kind.
5096					"kind"?: string
5097
5098					// Name specifies the resource name.
5099					"name"?: string
5100
5101					// Namespace specifies resource namespace.
5102					"namespace"?: string
5103
5104					// OrphanDownstreamOnPolicyDelete controls whether generated
5105					// resources should be deleted when the rule that generated
5106					// them is deleted with synchronization enabled. This option is
5107					// only applicable to generate rules of the data type.
5108					// See
5109					// https://kyverno.io/docs/writing-policies/generate/#data-examples.
5110					// Defaults to "false" if not specified.
5111					"orphanDownstreamOnPolicyDelete"?: bool
5112
5113					// Synchronize controls if generated resources should be kept
5114					// in-sync with their source resource.
5115					// If Synchronize is set to "true" changes to generated resources
5116					// will be overwritten with resource
5117					// data from Data or the resource specified in the Clone
5118					// declaration.
5119					// Optional. Defaults to "false" if not specified.
5120					"synchronize"?: bool
5121
5122					// UID specifies the resource uid.
5123					"uid"?: string
5124				}
5125
5126				// ImageExtractors defines a mapping from kinds to
5127				// ImageExtractorConfigs.
5128				// This config is only valid for verifyImages rules.
5129				"imageExtractors"?: {
5130					[string]: [...{
5131						// JMESPath is an optional JMESPath expression to apply to the
5132						// image value.
5133						// This is useful when the extracted image begins with a prefix
5134						// like 'docker://'.
5135						// The 'trim_prefix' function may be used to trim the prefix:
5136						// trim_prefix(@, 'docker://').
5137						// Note - Image digest mutation may not be used when applying a
5138						// JMESPath to an image.
5139						"jmesPath"?: string
5140
5141						// Key is an optional name of the field within 'path' that will be
5142						// used to uniquely identify an image.
5143						// Note - this field MUST be unique.
5144						"key"?: string
5145
5146						// Name is the entry the image will be available under
5147						// 'images.<name>' in the context.
5148						// If this field is not defined, image entries will appear under
5149						// 'images.custom'.
5150						"name"?: string
5151
5152						// Path is the path to the object containing the image field in a
5153						// custom resource.
5154						// It should be slash-separated. Each slash-separated key must be
5155						// a valid YAML key or a wildcard '*'.
5156						// Wildcard keys are expanded in case of arrays or objects.
5157						"path"!: string
5158
5159						// Value is an optional name of the field within 'path' that
5160						// points to the image URI.
5161						// This is useful when a custom 'key' is also defined.
5162						"value"?: string
5163					}]
5164				}
5165
5166				// MatchResources defines when this policy rule should be applied.
5167				// The match
5168				// criteria can include resource information (e.g. kind, name,
5169				// namespace, labels)
5170				// and admission review request information like the user name or
5171				// role.
5172				// At least one kind is required. `any` and `all` are mutually exclusive: the matchN(0, ...) constraint below rejects a match that sets both.
5173				"match"!: matchN(0, [null | bool | number | string | [...] | {
5174					"any"!: _
5175					"all"!: _
5176				}]) & {
5177					// All allows specifying resources which will be ANDed
5178					"all"?: [...{
5179						// ClusterRoles is the list of cluster-wide role names for the
5180						// user.
5181						"clusterRoles"?: [...string]
5182
5183						// ResourceDescription contains information about the resource
5184						// being created or modified. `name` and `names` are mutually exclusive: the matchN(0, ...) constraint below rejects setting both.
5185						"resources"?: matchN(0, [null | bool | number | string | [...] | {
5186							"name"!:  _
5187							"names"!: _
5188						}]) & {
5189							// Annotations is a map of annotations (key-value pairs of type
5190							// string). Annotation keys
5191							// and values support the wildcard characters "*" (matches zero or
5192							// many characters) and
5193							// "?" (matches at least one character).
5194							"annotations"?: [string]: string
5195
5196							// Kinds is a list of resource kinds.
5197							"kinds"?: [...string]
5198
5199							// Name is the name of the resource. The name supports wildcard
5200							// characters
5201							// "*" (matches zero or many characters) and "?" (at least one
5202							// character).
5203							// NOTE: "Name" is being deprecated in favor of "Names".
5204							"name"?: string
5205
5206							// Names are the names of the resources. Each name supports
5207							// wildcard characters
5208							// "*" (matches zero or many characters) and "?" (at least one
5209							// character).
5210							"names"?: [...string]
5211
5212							// NamespaceSelector is a label selector for the resource
5213							// namespace. Label keys and values
5214							// in `matchLabels` support the wildcard characters `*` (matches
5215							// zero or many characters)
5216							// and `?` (matches one character). Wildcards allow writing label
5217							// selectors like
5218							// ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
5219							// any key and value but
5220							// does not match an empty label set.
5221							"namespaceSelector"?: {
5222								// matchExpressions is a list of label selector requirements. The
5223								// requirements are ANDed.
5224								"matchExpressions"?: [...{
5225									// key is the label key that the selector applies to.
5226									"key"!: string
5227
5228									// operator represents a key's relationship to a set of values.
5229									// Valid operators are In, NotIn, Exists and DoesNotExist.
5230									"operator"!: string
5231
5232									// values is an array of string values. If the operator is In or
5233									// NotIn,
5234									// the values array must be non-empty. If the operator is Exists
5235									// or DoesNotExist,
5236									// the values array must be empty. This array is replaced during a
5237									// strategic
5238									// merge patch.
5239									"values"?: [...string]
5240								}]
5241
5242								// matchLabels is a map of {key,value} pairs. A single {key,value}
5243								// in the matchLabels
5244								// map is equivalent to an element of matchExpressions, whose key
5245								// field is "key", the
5246								// operator is "In", and the values array contains only "value".
5247								// The requirements are ANDed.
5248								"matchLabels"?: {
5249									[string]: string
5250								}
5251							}
5252
5253							// Namespaces is a list of namespace names. Each name supports
5254							// wildcard characters
5255							// "*" (matches zero or many characters) and "?" (at least one
5256							// character).
5257							"namespaces"?: [...string]
5258
5259							// Operations can contain values ["CREATE", "UPDATE", "CONNECT",
5260							// "DELETE"], which are used to match a specific action.
5261							"operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
5262
5263							// Selector is a label selector. Label keys and values in
5264							// `matchLabels` support the wildcard
5265							// characters `*` (matches zero or many characters) and `?`
5266							// (matches one character).
5267							// Wildcards allow writing label selectors like
5268							// ["storage.k8s.io/*": "*"]. Note that
5269							// using ["*" : "*"] matches any key and value but does not match
5270							// an empty label set.
5271							"selector"?: {
5272								// matchExpressions is a list of label selector requirements. The
5273								// requirements are ANDed.
5274								"matchExpressions"?: [...{
5275									// key is the label key that the selector applies to.
5276									"key"!: string
5277
5278									// operator represents a key's relationship to a set of values.
5279									// Valid operators are In, NotIn, Exists and DoesNotExist.
5280									"operator"!: string
5281
5282									// values is an array of string values. If the operator is In or
5283									// NotIn,
5284									// the values array must be non-empty. If the operator is Exists
5285									// or DoesNotExist,
5286									// the values array must be empty. This array is replaced during a
5287									// strategic
5288									// merge patch.
5289									"values"?: [...string]
5290								}]
5291
5292								// matchLabels is a map of {key,value} pairs. A single {key,value}
5293								// in the matchLabels
5294								// map is equivalent to an element of matchExpressions, whose key
5295								// field is "key", the
5296								// operator is "In", and the values array contains only "value".
5297								// The requirements are ANDed.
5298								"matchLabels"?: {
5299									[string]: string
5300								}
5301							}
5302						}
5303
5304						// Roles is the list of namespaced role names for the user.
5305						"roles"?: [...string]
5306
5307						// Subjects is the list of subject names like users, user groups,
5308						// and service accounts.
5309						"subjects"?: [...{
5310							// APIGroup holds the API group of the referenced subject.
5311							// Defaults to "" for ServiceAccount subjects.
5312							// Defaults to "rbac.authorization.k8s.io" for User and Group
5313							// subjects.
5314							"apiGroup"?: string
5315
5316							// Kind of object being referenced. Values defined by this API
5317							// group are "User", "Group", and "ServiceAccount".
5318							// If the Authorizer does not recognize the kind value, the
5319							// Authorizer should report an error.
5320							"kind"!: string
5321
5322							// Name of the object being referenced.
5323							"name"!: string
5324
5325							// Namespace of the referenced object. If the object kind is
5326							// non-namespaced, such as "User" or "Group", and this value is
5327							// not empty,
5328							// the Authorizer should report an error.
5329							"namespace"?: string
5330						}]
5331					}]
5332
5333					// Any allows specifying resources which will be ORed
5334					"any"?: [...{
5335						// ClusterRoles is the list of cluster-wide role names for the
5336						// user.
5337						"clusterRoles"?: [...string]
5338
5339						// ResourceDescription contains information about the resource
5340						// being created or modified. `name` and `names` are mutually exclusive: the matchN(0, ...) constraint below rejects setting both.
5341						"resources"?: matchN(0, [null | bool | number | string | [...] | {
5342							"name"!:  _
5343							"names"!: _
5344						}]) & {
5345							// Annotations is a map of annotations (key-value pairs of type
5346							// string). Annotation keys
5347							// and values support the wildcard characters "*" (matches zero or
5348							// many characters) and
5349							// "?" (matches at least one character).
5350							"annotations"?: [string]: string
5351
5352							// Kinds is a list of resource kinds.
5353							"kinds"?: [...string]
5354
5355							// Name is the name of the resource. The name supports wildcard
5356							// characters
5357							// "*" (matches zero or many characters) and "?" (at least one
5358							// character).
5359							// NOTE: "Name" is being deprecated in favor of "Names".
5360							"name"?: string
5361
5362							// Names are the names of the resources. Each name supports
5363							// wildcard characters
5364							// "*" (matches zero or many characters) and "?" (at least one
5365							// character).
5366							"names"?: [...string]
5367
5368							// NamespaceSelector is a label selector for the resource
5369							// namespace. Label keys and values
5370							// in `matchLabels` support the wildcard characters `*` (matches
5371							// zero or many characters)
5372							// and `?` (matches one character). Wildcards allow writing label
5373							// selectors like
5374							// ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
5375							// any key and value but
5376							// does not match an empty label set.
5377							"namespaceSelector"?: {
5378								// matchExpressions is a list of label selector requirements. The
5379								// requirements are ANDed.
5380								"matchExpressions"?: [...{
5381									// key is the label key that the selector applies to.
5382									"key"!: string
5383
5384									// operator represents a key's relationship to a set of values.
5385									// Valid operators are In, NotIn, Exists and DoesNotExist.
5386									"operator"!: string
5387
5388									// values is an array of string values. If the operator is In or
5389									// NotIn,
5390									// the values array must be non-empty. If the operator is Exists
5391									// or DoesNotExist,
5392									// the values array must be empty. This array is replaced during a
5393									// strategic
5394									// merge patch.
5395									"values"?: [...string]
5396								}]
5397
5398								// matchLabels is a map of {key,value} pairs. A single {key,value}
5399								// in the matchLabels
5400								// map is equivalent to an element of matchExpressions, whose key
5401								// field is "key", the
5402								// operator is "In", and the values array contains only "value".
5403								// The requirements are ANDed.
5404								"matchLabels"?: {
5405									[string]: string
5406								}
5407							}
5408
5409							// Namespaces is a list of namespace names. Each name supports
5410							// wildcard characters
5411							// "*" (matches zero or many characters) and "?" (at least one
5412							// character).
5413							"namespaces"?: [...string]
5414
5415							// Operations can contain values ["CREATE", "UPDATE", "CONNECT",
5416							// "DELETE"], which are used to match a specific action.
5417							"operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
5418
5419							// Selector is a label selector. Label keys and values in
5420							// `matchLabels` support the wildcard
5421							// characters `*` (matches zero or many characters) and `?`
5422							// (matches one character).
5423							// Wildcards allows writing label selectors like
5424							// ["storage.k8s.io/*": "*"]. Note that
5425							// using ["*" : "*"] matches any key and value but does not match
5426							// an empty label set.
5427							"selector"?: {
5428								// matchExpressions is a list of label selector requirements. The
5429								// requirements are ANDed.
5430								"matchExpressions"?: [...{
5431									// key is the label key that the selector applies to.
5432									"key"!: string
5433
5434									// operator represents a key's relationship to a set of values.
5435									// Valid operators are In, NotIn, Exists and DoesNotExist.
5436									"operator"!: string
5437
5438									// values is an array of string values. If the operator is In or
5439									// NotIn,
5440									// the values array must be non-empty. If the operator is Exists
5441									// or DoesNotExist,
5442									// the values array must be empty. This array is replaced during a
5443									// strategic
5444									// merge patch.
5445									"values"?: [...string]
5446								}]
5447
5448								// matchLabels is a map of {key,value} pairs. A single {key,value}
5449								// in the matchLabels
5450								// map is equivalent to an element of matchExpressions, whose key
5451								// field is "key", the
5452								// operator is "In", and the values array contains only "value".
5453								// The requirements are ANDed.
5454								"matchLabels"?: {
5455									[string]: string
5456								}
5457							}
5458						}
5459
5460						// Roles is the list of namespaced role names for the user.
5461						"roles"?: [...string]
5462
5463						// Subjects is the list of subject names like users, user groups,
5464						// and service accounts.
5465						"subjects"?: [...{
5466							// APIGroup holds the API group of the referenced subject.
5467							// Defaults to "" for ServiceAccount subjects.
5468							// Defaults to "rbac.authorization.k8s.io" for User and Group
5469							// subjects.
5470							"apiGroup"?: string
5471
5472							// Kind of object being referenced. Values defined by this API
5473							// group are "User", "Group", and "ServiceAccount".
5474							// If the Authorizer does not recognize the kind value, the
5475							// Authorizer should report an error.
5476							"kind"!: string
5477
5478							// Name of the object being referenced.
5479							"name"!: string
5480
5481							// Namespace of the referenced object. If the object kind is
5482							// non-namespaced, such as "User" or "Group", and this value is
5483							// not empty
5484							// the Authorizer should report an error.
5485							"namespace"?: string
5486						}]
5487					}]
5488
5489					// ClusterRoles is the list of cluster-wide role names for the
5490					// user.
5491					"clusterRoles"?: [...string]
5492
5493					// ResourceDescription contains information about the resource
5494					// being created or modified.
5495					// Requires at least one tag to be specified when under
5496					// MatchResources.
5497					// Specifying ResourceDescription directly under match is being
5498					// deprecated.
5499					// Please specify under "any" or "all" instead.
5500					"resources"?: matchN(0, [null | bool | number | string | [...] | {
5501						"name"!:  _
5502						"names"!: _
5503					}]) & {
5504						// Annotations is a map of annotations (key-value pairs of type
5505						// string). Annotation keys
5506						// and values support the wildcard characters "*" (matches zero or
5507						// many characters) and
5508						// "?" (matches at least one character).
5509						"annotations"?: [string]: string
5510
5511						// Kinds is a list of resource kinds.
5512						"kinds"?: [...string]
5513
5514						// Name is the name of the resource. The name supports wildcard
5515						// characters
5516						// "*" (matches zero or many characters) and "?" (at least one
5517						// character).
5518						// NOTE: "Name" is being deprecated in favor of "Names".
5519						"name"?: string
5520
5521						// Names are the names of the resources. Each name supports
5522						// wildcard characters
5523						// "*" (matches zero or many characters) and "?" (at least one
5524						// character).
5525						"names"?: [...string]
5526
5527						// NamespaceSelector is a label selector for the resource
5528						// namespace. Label keys and values
5529						// in `matchLabels` support the wildcard characters `*` (matches
5530						// zero or many characters)
5531						// and `?` (matches one character). Wildcards allow writing label
5532						// selectors like
5533						// ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
5534						// any key and value but
5535						// does not match an empty label set.
5536						"namespaceSelector"?: {
5537							// matchExpressions is a list of label selector requirements. The
5538							// requirements are ANDed.
5539							"matchExpressions"?: [...{
5540								// key is the label key that the selector applies to.
5541								"key"!: string
5542
5543								// operator represents a key's relationship to a set of values.
5544								// Valid operators are In, NotIn, Exists and DoesNotExist.
5545								"operator"!: string
5546
5547								// values is an array of string values. If the operator is In or
5548								// NotIn,
5549								// the values array must be non-empty. If the operator is Exists
5550								// or DoesNotExist,
5551								// the values array must be empty. This array is replaced during a
5552								// strategic
5553								// merge patch.
5554								"values"?: [...string]
5555							}]
5556
5557							// matchLabels is a map of {key,value} pairs. A single {key,value}
5558							// in the matchLabels
5559							// map is equivalent to an element of matchExpressions, whose key
5560							// field is "key", the
5561							// operator is "In", and the values array contains only "value".
5562							// The requirements are ANDed.
5563							"matchLabels"?: {
5564								[string]: string
5565							}
5566						}
5567
5568						// Namespaces is a list of namespace names. Each name supports
5569						// wildcard characters
5570						// "*" (matches zero or many characters) and "?" (at least one
5571						// character).
5572						"namespaces"?: [...string]
5573
5574						// Operations can contain values ["CREATE", "UPDATE", "CONNECT",
5575						// "DELETE"], which are used to match a specific action.
5576						"operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
5577
5578						// Selector is a label selector. Label keys and values in
5579						// `matchLabels` support the wildcard
5580						// characters `*` (matches zero or many characters) and `?`
5581						// (matches one character).
5582						// Wildcards allows writing label selectors like
5583						// ["storage.k8s.io/*": "*"]. Note that
5584						// using ["*" : "*"] matches any key and value but does not match
5585						// an empty label set.
5586						"selector"?: {
5587							// matchExpressions is a list of label selector requirements. The
5588							// requirements are ANDed.
5589							"matchExpressions"?: [...{
5590								// key is the label key that the selector applies to.
5591								"key"!: string
5592
5593								// operator represents a key's relationship to a set of values.
5594								// Valid operators are In, NotIn, Exists and DoesNotExist.
5595								"operator"!: string
5596
5597								// values is an array of string values. If the operator is In or
5598								// NotIn,
5599								// the values array must be non-empty. If the operator is Exists
5600								// or DoesNotExist,
5601								// the values array must be empty. This array is replaced during a
5602								// strategic
5603								// merge patch.
5604								"values"?: [...string]
5605							}]
5606
5607							// matchLabels is a map of {key,value} pairs. A single {key,value}
5608							// in the matchLabels
5609							// map is equivalent to an element of matchExpressions, whose key
5610							// field is "key", the
5611							// operator is "In", and the values array contains only "value".
5612							// The requirements are ANDed.
5613							"matchLabels"?: {
5614								[string]: string
5615							}
5616						}
5617					}
5618
5619					// Roles is the list of namespaced role names for the user.
5620					"roles"?: [...string]
5621
5622					// Subjects is the list of subject names like users, user groups,
5623					// and service accounts.
5624					"subjects"?: [...{
5625						// APIGroup holds the API group of the referenced subject.
5626						// Defaults to "" for ServiceAccount subjects.
5627						// Defaults to "rbac.authorization.k8s.io" for User and Group
5628						// subjects.
5629						"apiGroup"?: string
5630
5631						// Kind of object being referenced. Values defined by this API
5632						// group are "User", "Group", and "ServiceAccount".
5633						// If the Authorizer does not recognize the kind value, the
5634						// Authorizer should report an error.
5635						"kind"!: string
5636
5637						// Name of the object being referenced.
5638						"name"!: string
5639
5640						// Namespace of the referenced object. If the object kind is
5641						// non-namespaced, such as "User" or "Group", and this value is
5642						// not empty
5643						// the Authorizer should report an error.
5644						"namespace"?: string
5645					}]
5646				}
5647
5648				// Mutation is used to modify matching resources.
5649				"mutate"?: {
5650					// ForEach applies mutation rules to a list of sub-elements by
5651					// creating a context for each entry in the list and looping over
5652					// it to apply the specified logic.
5653					"foreach"?: [...{
5654						// Context defines variables and data sources that can be used
5655						// during rule execution.
5656						"context"?: [...matchN(1, [{
5657							"configMap"!: _
5658						}, {
5659							"apiCall"!: _
5660						}, {
5661							"imageRegistry"!: _
5662						}, {
5663							"variable"!: _
5664						}, {
5665							"globalReference"!: _
5666						}]) & {
5667							// APICall is an HTTP request to the Kubernetes API server, or
5668							// other JSON web service.
5669							// The data returned is stored in the context with the name for
5670							// the context entry.
5671							"apiCall"?: {
5672								// The data object specifies the POST data sent to the server.
5673								// Only applicable when the method field is set to POST.
5674								"data"?: [...{
5675									// Key is a unique identifier for the data value
5676									"key"!: string
5677
5678									// Value is the data value
5679									"value"!: null | bool | number | string | [...] | {
5680										...
5681									}
5682								}]
5683
5684								// Default is an optional arbitrary JSON object that the context
5685								// value is set to, if the apiCall returns error.
5686								"default"?: null | bool | number | string | [...] | {
5687									...
5688								}
5689
5690								// JMESPath is an optional JSON Match Expression that can be used
5691								// to
5692								// transform the JSON response returned from the server. For
5693								// example
5694								// a JMESPath of "items | length(@)" applied to the API server
5695								// response
5696								// for the URLPath "/apis/apps/v1/deployments" will return the
5697								// total count
5698								// of deployments across all namespaces.
5699								"jmesPath"?: string
5700
5701								// Method is the HTTP request type (GET or POST). Defaults to GET.
5702								"method"?: "GET" | "POST"
5703
5704								// Service is an API call to a JSON web service.
5705								// This is used for non-Kubernetes API server calls.
5706								// It's mutually exclusive with the URLPath field.
5707								"service"?: {
5708									// CABundle is a PEM encoded CA bundle which will be used to
5709									// validate
5710									// the server certificate.
5711									"caBundle"?: string
5712
5713									// Headers is a list of optional HTTP headers to be included in
5714									// the request.
5715									"headers"?: [...{
5716										// Key is the header key
5717										"key"!: string
5718
5719										// Value is the header value
5720										"value"!: string
5721									}]
5722
5723									// URL is the JSON web service URL. A typical form is
5724									// `https://{service}.{namespace}:{port}/{path}`.
5725									"url"!: string
5726								}
5727
5728								// URLPath is the URL path to be used in the HTTP GET or POST
5729								// request to the
5730								// Kubernetes API server (e.g. "/api/v1/namespaces" or
5731								// "/apis/apps/v1/deployments").
5732								// The format required is the same format used by the `kubectl get
5733								// --raw` command.
5734								// See
5735								// https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
5736								// for details.
5737								// It's mutually exclusive with the Service field.
5738								"urlPath"?: string
5739							}
5740
5741							// ConfigMap is the ConfigMap reference.
5742							"configMap"?: {
5743								// Name is the ConfigMap name.
5744								"name"!: string
5745
5746								// Namespace is the ConfigMap namespace.
5747								"namespace"?: string
5748							}
5749
5750							// GlobalContextEntryReference is a reference to a cached global
5751							// context entry.
5752							"globalReference"?: {
5753								// JMESPath is an optional JMESPath expression that can be used to
5754								// transform the cached data of the referenced global context
5755								// entry. For example, "items | length(@)" applied to a cached
5756								// list response returns the number of items in that list.
5762								"jmesPath"?: string
5763
5764								// Name of the global context entry
5765								"name"!: string
5766							}
5767
5768							// ImageRegistry defines requests to an OCI/Docker V2 registry to
5769							// fetch image
5770							// details.
5771							"imageRegistry"?: {
5772								// ImageRegistryCredentials provides credentials that will be used
5773								// for authentication with registry
5774								"imageRegistryCredentials"?: {
5775									// AllowInsecureRegistry allows insecure access to a registry.
5776									// Enabling it weakens the transport security of registry
5777									// requests (and of any credentials sent with them); leave it
5778									// unset (false) for any registry that supports TLS.
5777
5778									// Providers specifies the registry authentication providers to
5779									// use. Each entry must be one of:
5780									// default, google, azure, amazon, github.
5782									"providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
5783
5784									// Secrets specifies a list of secrets that are provided for
5785									// credentials.
5786									// Secrets must live in the Kyverno namespace.
5787									"secrets"?: [...string]
5788								}
5789
5790								// JMESPath is an optional JSON Match Expression that can be used
5791								// to
5792								// transform the ImageData struct returned as a result of
5793								// processing
5794								// the image reference.
5795								"jmesPath"?: string
5796
5797								// Reference is image reference to a container image in the
5798								// registry.
5799								// Example: ghcr.io/kyverno/kyverno:latest
5800								"reference"!: string
5801							}
5802
5803							// Name is the variable name.
5804							"name"!: string
5805
5806							// Variable defines an arbitrary JMESPath context variable that
5807							// can be defined inline.
5808							"variable"?: {
5809								// Default is an optional arbitrary JSON object that the variable
5810								// may take if the JMESPath
5811								// expression evaluates to nil
5812								"default"?: null | bool | number | string | [...] | {
5813									...
5814								}
5815
5816								// JMESPath is an optional JMESPath Expression that can be used to
5817								// transform the variable.
5818								"jmesPath"?: string
5819
5820								// Value is any arbitrary JSON object representable in YAML or
5821								// JSON form.
5822								"value"?: null | bool | number | string | [...] | {
5823									...
5824								}
5825							}
5826						}]
5827
5828						// Foreach declares a nested foreach iterator
5829						"foreach"?: null | bool | number | string | [...] | {
5830							...
5831						}
5832
5833						// List specifies a JMESPath expression that results in one or
5834						// more elements
5835						// to which the mutation logic is applied.
5836						"list"?: string
5837
5838						// Order defines the iteration order on the list.
5839						// Can be Ascending to iterate from the first to the last element,
5840						// or Descending to iterate from the last to the first element.
5841						"order"?: "Ascending" | "Descending"
5842
5843						// PatchStrategicMerge is a strategic merge patch used to modify
5844						// resources.
5845						// See
5846						// https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
5847						// and
5848						// https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
5849						"patchStrategicMerge"?: null | bool | number | string | [...] | {
5850							...
5851						}
5852
5853						// PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations
5854						// used to modify resources.
5855						// See https://tools.ietf.org/html/rfc6902 and
5856						// https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
5857						"patchesJson6902"?: string
5858
5859						// AnyAllConditions are used to determine if a policy rule should
5860						// be applied by evaluating a
5861						// set of conditions. The declaration can contain nested `any` or
5862						// `all` statements.
5863						// See: https://kyverno.io/docs/writing-policies/preconditions/
5864						"preconditions"?: {
5865							// AllConditions enable variable-based conditional rule execution.
5866							// This is useful for
5867							// finer control of when a rule is applied. A condition can
5868							// reference object data
5869							// using JMESPath notation.
5870							// Here, all of the conditions need to pass
5871							"all"?: [...{
5872								// Key is the context entry (using JMESPath) for conditional rule
5873								// evaluation.
5874								"key"?: null | bool | number | string | [...] | {
5875									...
5876								}
5877
5878								// Message is an optional display message
5879								"message"?: string
5880
5881								// Operator is the conditional operation to perform. Valid
5882								// operators are:
5883								// Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
5884								// GreaterThanOrEquals,
5885								// GreaterThan, LessThanOrEquals, LessThan,
5886								// DurationGreaterThanOrEquals, DurationGreaterThan,
5887								// DurationLessThanOrEquals, DurationLessThan
5888								"operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
5889
5890								// Value is the conditional value, or set of values. The values
5891								// can be fixed set
5892								// or can be variables declared using JMESPath.
5893								"value"?: null | bool | number | string | [...] | {
5894									...
5895								}
5896							}]
5897
5898							// AnyConditions enable variable-based conditional rule execution.
5899							// This is useful for
5900							// finer control of when a rule is applied. A condition can
5901							// reference object data
5902							// using JMESPath notation.
5903							// Here, at least one of the conditions need to pass
5904							"any"?: [...{
5905								// Key is the context entry (using JMESPath) for conditional rule
5906								// evaluation.
5907								"key"?: null | bool | number | string | [...] | {
5908									...
5909								}
5910
5911								// Message is an optional display message
5912								"message"?: string
5913
5914								// Operator is the conditional operation to perform. Valid
5915								// operators are:
5916								// Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
5917								// GreaterThanOrEquals,
5918								// GreaterThan, LessThanOrEquals, LessThan,
5919								// DurationGreaterThanOrEquals, DurationGreaterThan,
5920								// DurationLessThanOrEquals, DurationLessThan
5921								"operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
5922
5923								// Value is the conditional value, or set of values. The values
5924								// can be fixed set
5925								// or can be variables declared using JMESPath.
5926								"value"?: null | bool | number | string | [...] | {
5927									...
5928								}
5929							}]
5930							...
5931						}
5932					}]
5933
5934					// MutateExistingOnPolicyUpdate controls if the mutateExisting
5935					// rule will be applied on policy events.
5936					"mutateExistingOnPolicyUpdate"?: bool
5937
5938					// PatchStrategicMerge is a strategic merge patch used to modify
5939					// resources.
5940					// See
5941					// https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
5942					// and
5943					// https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
5944					"patchStrategicMerge"?: null | bool | number | string | [...] | {
5945						...
5946					}
5947
5948					// PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations
5949					// used to modify resources.
5950					// See https://tools.ietf.org/html/rfc6902 and
5951					// https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
5952					"patchesJson6902"?: string
5953
5954					// Targets defines the target resources to be mutated.
5955					"targets"?: [...{
5956						// APIVersion specifies resource apiVersion.
5957						"apiVersion"?: string
5958
5959						// Context defines variables and data sources that can be used
5960						// during rule execution.
5961						"context"?: [...matchN(1, [{
5962							"configMap"!: _
5963						}, {
5964							"apiCall"!: _
5965						}, {
5966							"imageRegistry"!: _
5967						}, {
5968							"variable"!: _
5969						}, {
5970							"globalReference"!: _
5971						}]) & {
5972							// APICall is an HTTP request to the Kubernetes API server, or
5973							// other JSON web service.
5974							// The data returned is stored in the context with the name for
5975							// the context entry.
5976							"apiCall"?: {
5977								// The data object specifies the POST data sent to the server.
5978								// Only applicable when the method field is set to POST.
5979								"data"?: [...{
5980									// Key is a unique identifier for the data value
5981									"key"!: string
5982
5983									// Value is the data value
5984									"value"!: null | bool | number | string | [...] | {
5985										...
5986									}
5987								}]
5988
5989								// Default is an optional arbitrary JSON object that the context
5990								// value is set to, if the apiCall returns error.
5991								"default"?: null | bool | number | string | [...] | {
5992									...
5993								}
5994
5995								// JMESPath is an optional JSON Match Expression that can be used
5996								// to
5997								// transform the JSON response returned from the server. For
5998								// example
5999								// a JMESPath of "items | length(@)" applied to the API server
6000								// response
6001								// for the URLPath "/apis/apps/v1/deployments" will return the
6002								// total count
6003								// of deployments across all namespaces.
6004								"jmesPath"?: string
6005
6006								// Method is the HTTP request type (GET or POST). Defaults to GET.
6007								"method"?: "GET" | "POST"
6008
6009								// Service is an API call to a JSON web service.
6010								// This is used for non-Kubernetes API server calls.
6011								// It's mutually exclusive with the URLPath field.
6012								"service"?: {
6013									// CABundle is a PEM encoded CA bundle which will be used to
6014									// validate
6015									// the server certificate.
6016									"caBundle"?: string
6017
6018									// Headers is a list of optional HTTP headers to be included in
6019									// the request.
6020									"headers"?: [...{
6021										// Key is the header key
6022										"key"!: string
6023
6024										// Value is the header value
6025										"value"!: string
6026									}]
6027
6028									// URL is the JSON web service URL. A typical form is
6029									// `https://{service}.{namespace}:{port}/{path}`.
6030									"url"!: string
6031								}
6032
6033								// URLPath is the URL path to be used in the HTTP GET or POST
6034								// request to the
6035								// Kubernetes API server (e.g. "/api/v1/namespaces" or
6036								// "/apis/apps/v1/deployments").
6037								// The format required is the same format used by the `kubectl get
6038								// --raw` command.
6039								// See
6040								// https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
6041								// for details.
6042								// It's mutually exclusive with the Service field.
6043								"urlPath"?: string
6044							}
6045
6046							// ConfigMap is the ConfigMap reference.
6047							"configMap"?: {
6048								// Name is the ConfigMap name.
6049								"name"!: string
6050
6051								// Namespace is the ConfigMap namespace.
6052								"namespace"?: string
6053							}
6054
6055							// GlobalContextEntryReference is a reference to a cached global
6056							// context entry.
6057							"globalReference"?: {
6058								// JMESPath is an optional JMESPath expression that can be used to
6059								// transform the cached data of the referenced global context
6060								// entry. For example, "items | length(@)" applied to a cached
6061								// list response returns the number of items in that list.
6067								"jmesPath"?: string
6068
6069								// Name of the global context entry
6070								"name"!: string
6071							}
6072
6073							// ImageRegistry defines requests to an OCI/Docker V2 registry to
6074							// fetch image
6075							// details.
6076							"imageRegistry"?: {
6077								// ImageRegistryCredentials provides credentials that will be used
6078								// for authentication with registry
6079								"imageRegistryCredentials"?: {
6080									// AllowInsecureRegistry allows insecure access to a registry.
6081									// Enabling it weakens the transport security of registry
6082									// requests (and of any credentials sent with them); leave it
6083									// unset (false) for any registry that supports TLS.
6082
6083									// Providers specifies the registry authentication providers to
6084									// use. Each entry must be one of:
6085									// default, google, azure, amazon, github.
6087									"providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
6088
6089									// Secrets specifies a list of secrets that are provided for
6090									// credentials.
6091									// Secrets must live in the Kyverno namespace.
6092									"secrets"?: [...string]
6093								}
6094
6095								// JMESPath is an optional JSON Match Expression that can be used
6096								// to
6097								// transform the ImageData struct returned as a result of
6098								// processing
6099								// the image reference.
6100								"jmesPath"?: string
6101
6102								// Reference is image reference to a container image in the
6103								// registry.
6104								// Example: ghcr.io/kyverno/kyverno:latest
6105								"reference"!: string
6106							}
6107
6108							// Name is the variable name.
6109							"name"!: string
6110
6111							// Variable defines an arbitrary JMESPath context variable that
6112							// can be defined inline.
6113							"variable"?: {
6114								// Default is an optional arbitrary JSON object that the variable
6115								// may take if the JMESPath
6116								// expression evaluates to nil
6117								"default"?: null | bool | number | string | [...] | {
6118									...
6119								}
6120
6121								// JMESPath is an optional JMESPath Expression that can be used to
6122								// transform the variable.
6123								"jmesPath"?: string
6124
6125								// Value is any arbitrary JSON object representable in YAML or
6126								// JSON form.
6127								"value"?: null | bool | number | string | [...] | {
6128									...
6129								}
6130							}
6131						}]
6132
6133						// Kind specifies resource kind.
6134						"kind"?: string
6135
6136						// Name specifies the resource name.
6137						"name"?: string
6138
6139						// Namespace specifies resource namespace.
6140						"namespace"?: string
6141
6142						// Preconditions are used to determine if a policy rule should be
6143						// applied by evaluating a
6144						// set of conditions. The declaration can contain nested `any` or
6145						// `all` statements. A direct list
6146						// of conditions (without `any` or `all` statements) is supported
6147						// for backwards compatibility but
6148						// will be deprecated in the next major release.
6149						// See: https://kyverno.io/docs/writing-policies/preconditions/
6150						"preconditions"?: null | bool | number | string | [...] | {
6151							...
6152						}
6153
6154						// Selector allows you to select target resources with their
6155						// labels.
6156						"selector"?: {
6157							// matchExpressions is a list of label selector requirements. The
6158							// requirements are ANDed.
6159							"matchExpressions"?: [...{
6160								// key is the label key that the selector applies to.
6161								"key"!: string
6162
6163								// operator represents a key's relationship to a set of values.
6164								// Valid operators are In, NotIn, Exists and DoesNotExist.
6165								"operator"!: string
6166
6167								// values is an array of string values. If the operator is In or
6168								// NotIn,
6169								// the values array must be non-empty. If the operator is Exists
6170								// or DoesNotExist,
6171								// the values array must be empty. This array is replaced during a
6172								// strategic
6173								// merge patch.
6174								"values"?: [...string]
6175							}]
6176
6177							// matchLabels is a map of {key,value} pairs. A single {key,value}
6178							// in the matchLabels
6179							// map is equivalent to an element of matchExpressions, whose key
6180							// field is "key", the
6181							// operator is "In", and the values array contains only "value".
6182							// The requirements are ANDed.
6183							"matchLabels"?: {
6184								[string]: string
6185							}
6186						}
6187
6188						// UID specifies the resource uid.
6189						"uid"?: string
6190					}]
6191				}
6192
6193				// Name is a label to identify the rule. It must be unique within
6194				// the policy.
6195				"name"!: strings.MaxRunes(
6196						63)
6197
6198				// Preconditions are used to determine if a policy rule should be
6199				// applied by evaluating a
6200				// set of conditions. The declaration can contain nested `any` or
6201				// `all` statements. A direct list
6202				// of conditions (without `any` or `all` statements) is supported
6203				// for backwards compatibility but
6204				// will be deprecated in the next major release.
6205				// See: https://kyverno.io/docs/writing-policies/preconditions/
6206				"preconditions"?: null | bool | number | string | [...] | {
6207					...
6208				}
6209
6210				// ReportProperties are the additional properties from the rule
6211				// that will be added to the policy report result
6212				"reportProperties"?: {
6213					[string]: string
6214				}
6215
6216				// SkipBackgroundRequests bypasses admission requests that are
6217				// sent by the background controller.
6218				// The default value is set to "true"; it must be set to "false"
6219				// to apply
6220				// generate and mutateExisting rules to those requests.
6221				"skipBackgroundRequests"?: bool
6222
6223				// Validation is used to validate matching resources.
6224				"validate"?: {
6225					// AllowExistingViolations allows preexisting violating resources
6226					// to continue violating a policy.
6227					"allowExistingViolations"?: bool
6228
6229					// AnyPattern specifies list of validation patterns. At least one
6230					// of the patterns
6231					// must be satisfied for the validation rule to succeed.
6232					"anyPattern"?: null | bool | number | string | [...] | {
6233						...
6234					}
6235
6236					// Assert defines a kyverno-json assertion tree.
6237					"assert"?: {
6238						...
6239					}
6240
6241					// CEL allows validation checks using the Common Expression
6242					// Language
6243					// (https://kubernetes.io/docs/reference/using-api/cel/).
6244					"cel"?: {
6245						// AuditAnnotations contains CEL expressions which are used to
6246						// produce audit annotations for the audit event of the API
6247						// request.
6248						"auditAnnotations"?: [...{
6249							// key specifies the audit annotation key. The audit annotation
6250							// keys of
6251							// a ValidatingAdmissionPolicy must be unique. The key must be a
6252							// qualified
6253							// name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in
6254							// length.
6255							//
6256							// The key is combined with the resource name of the
6257							// ValidatingAdmissionPolicy to construct an audit annotation key:
6258							// "{ValidatingAdmissionPolicy name}/{key}".
6259							//
6260							// If an admission webhook uses the same resource name as this
6261							// ValidatingAdmissionPolicy
6262							// and the same audit annotation key, the annotation key will be
6263							// identical.
6264							// In this case, the first annotation written with the key will be
6265							// included
6266							// in the audit event and all subsequent annotations with the same
6267							// key
6268							// will be discarded.
6269							//
6270							// Required.
6271							"key"!: string
6272
6273							// valueExpression represents the expression which is evaluated by
6274							// CEL to
6275							// produce an audit annotation value. The expression must evaluate
6276							// to either
6277							// a string or null value. If the expression evaluates to a
6278							// string, the
6279							// audit annotation is included with the string value. If the
6280							// expression
6281							// evaluates to null or empty string the audit annotation will be
6282							// omitted.
6283							// The valueExpression may be no longer than 5kb in length.
6284							// If the result of the valueExpression is more than 10kb in
6285							// length, it
6286							// will be truncated to 10kb.
6287							//
6288							// If multiple ValidatingAdmissionPolicyBinding resources match an
6289							// API request, then the valueExpression will be evaluated for
6290							// each binding. All unique values produced by the
6291							// valueExpressions
6292							// will be joined together in a comma-separated list.
6293							//
6294							// Required.
6295							"valueExpression"!: string
6296						}]
6297
6298						// Expressions is a list of CELExpression types.
6299						"expressions"?: [...{
6300							// Expression represents the expression which will be evaluated by
6301							// CEL.
6302							// ref: https://github.com/google/cel-spec
6303							// CEL expressions have access to the contents of the API
6304							// request/response, organized into CEL variables as well as some
6305							// other useful variables:
6306							//
6307							// - 'object' - The object from the incoming request. The value is
6308							// null for DELETE requests.
6309							// - 'oldObject' - The existing object. The value is null for
6310							// CREATE requests.
6311							// - 'request' - Attributes of the API
6312							// request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
6313							// - 'params' - Parameter resource referred to by the policy
6314							// binding being evaluated. Only populated if the policy has a
6315							// ParamKind.
6316							// - 'namespaceObject' - The namespace object that the incoming
6317							// object belongs to. The value is null for cluster-scoped
6318							// resources.
6319							// - 'variables' - Map of composited variables, from its name to
6320							// its lazily evaluated value.
6321							// For example, a variable named 'foo' can be accessed as
6322							// 'variables.foo'.
6323							// - 'authorizer' - A CEL Authorizer. May be used to perform
6324							// authorization checks for the principal (user or service
6325							// account) of the request.
6326							// See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
6327							// - 'authorizer.requestResource' - A CEL ResourceCheck
6328							// constructed from the 'authorizer' and configured with the
6329							// request resource.
6330							//
6331							// The `apiVersion`, `kind`, `metadata.name` and
6332							// `metadata.generateName` are always accessible from the root of
6333							// the
6334							// object. No other metadata properties are accessible.
6335							//
6336							// Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
6337							// are accessible.
6338							// Accessible property names are escaped according to the
6339							// following rules when accessed in the expression:
6340							// - '__' escapes to '__underscores__'
6341							// - '.' escapes to '__dot__'
6342							// - '-' escapes to '__dash__'
6343							// - '/' escapes to '__slash__'
6344							// - Property names that exactly match a CEL RESERVED keyword
6345							// escape to '__{keyword}__'. The keywords are:
6346							// "true", "false", "null", "in", "as", "break", "const",
6347							// "continue", "else", "for", "function", "if",
6348							// "import", "let", "loop", "package", "namespace", "return".
6349							// Examples:
6350							// - Expression accessing a property named "namespace":
6351							// {"Expression": "object.__namespace__ > 0"}
6352							// - Expression accessing a property named "x-prop":
6353							// {"Expression": "object.x__dash__prop > 0"}
6354							// - Expression accessing a property named "redact__d":
6355							// {"Expression": "object.redact__underscores__d > 0"}
6356							//
6357							// Equality on arrays with list type of 'set' or 'map' ignores
6358							// element order, i.e. [1, 2] == [2, 1].
6359							// Concatenation on arrays with x-kubernetes-list-type use the
6360							// semantics of the list type:
6361							// - 'set': `X + Y` performs a union where the array positions of
6362							// all elements in `X` are preserved and
6363							// non-intersecting elements in `Y` are appended, retaining their
6364							// partial order.
6365							// - 'map': `X + Y` performs a merge where the array positions of
6366							// all keys in `X` are preserved but the values
6367							// are overwritten by values in `Y` when the key sets of `X` and
6368							// `Y` intersect. Elements in `Y` with
6369							// non-intersecting keys are appended, retaining their partial
6370							// order.
6371							// Required.
6372							"expression"!: string
6373
6374							// Message represents the message displayed when validation fails.
6375							// The message is required if the Expression contains
6376							// line breaks. The message must not contain line breaks.
6377							// If unset, the message is "failed rule: {Rule}".
6378							// e.g. "must be a URL with the host matching spec.host"
6379							// If the Expression contains line breaks. Message is required.
6380							// The message must not contain line breaks.
6381							// If unset, the message is "failed Expression: {Expression}".
6382							"message"?: string
6383
6384							// messageExpression declares a CEL expression that evaluates to
6385							// the validation failure message that is returned when this rule
6386							// fails.
6387							// Since messageExpression is used as a failure message, it must
6388							// evaluate to a string.
6389							// If both message and messageExpression are present on a
6390							// validation, then messageExpression will be used if validation
6391							// fails.
6392							// If messageExpression results in a runtime error, the runtime
6393							// error is logged, and the validation failure message is
6394							// produced
6395							// as if the messageExpression field were unset. If
6396							// messageExpression evaluates to an empty string, a string with
6397							// only spaces, or a string
6398							// that contains line breaks, then the validation failure message
6399							// will also be produced as if the messageExpression field were
6400							// unset, and
6401							// the fact that messageExpression produced an empty string/string
6402							// with only spaces/string with line breaks will be logged.
6403							// messageExpression has access to all the same variables as the
6404							// `expression` except for 'authorizer' and
6405							// 'authorizer.requestResource'.
6406							// Example:
6407							// "object.x must be less than max ("+string(params.max)+")"
6408							"messageExpression"?: string
6409
6410							// Reason represents a machine-readable description of why this
6411							// validation failed.
6412							// If this is the first validation in the list to fail, this
6413							// reason, as well as the
6414							// corresponding HTTP response code, are used in the
6415							// HTTP response to the client.
6416							// The currently supported reasons are: "Unauthorized",
6417							// "Forbidden", "Invalid", "RequestEntityTooLarge".
6418							// If not set, StatusReasonInvalid is used in the response to the
6419							// client.
6420							"reason"?: string
6421						}]
6422
6423						// ParamKind is a tuple of Group Kind and Version.
6424						"paramKind"?: {
6425							// APIVersion is the API group version the resources belong to.
6426							// In format of "group/version".
6427							// Required.
6428							"apiVersion"?: string
6429
6430							// Kind is the API kind the resources belong to.
6431							// Required.
6432							"kind"?: string
6433						}
6434
6435						// ParamRef references a parameter resource.
6436						"paramRef"?: {
6437							// name is the name of the resource being referenced.
6438							//
6439							// One of `name` or `selector` must be set, but `name` and
6440							// `selector` are
6441							// mutually exclusive properties. If one is set, the other must be
6442							// unset.
6443							//
6444							// A single parameter used for all admission requests can be
6445							// configured
6446							// by setting the `name` field, leaving `selector` blank, and
6447							// setting namespace
6448							// if `paramKind` is namespace-scoped.
6449							"name"?: string
6450
6451							// namespace is the namespace of the referenced resource. Allows
6452							// limiting
6453							// the search for params to a specific namespace. Applies to both
6454							// `name` and
6455							// `selector` fields.
6456							//
6457							// A per-namespace parameter may be used by specifying a
6458							// namespace-scoped
6459							// `paramKind` in the policy and leaving this field empty.
6460							//
6461							// - If `paramKind` is cluster-scoped, this field MUST be unset.
6462							// Setting this
6463							// field results in a configuration error.
6464							//
6465							// - If `paramKind` is namespace-scoped, the namespace of the
6466							// object being
6467							// evaluated for admission will be used when this field is left
6468							// unset. Take
6469							// care that if this is left empty the binding must not match any
6470							// cluster-scoped
6471							// resources, which will result in an error.
6472							"namespace"?: string
6473
6474							// `parameterNotFoundAction` controls the behavior of the binding
6475							// when the resource
6476							// exists, and name or selector is valid, but there are no
6477							// parameters
6478							// matched by the binding. If the value is set to `Allow`, then no
6479							// matched parameters will be treated as successful validation by
6480							// the binding.
6481							// If set to `Deny`, then no matched parameters will be subject to
6482							// the
6483							// `failurePolicy` of the policy.
6484							//
6485							// Allowed values are `Allow` or `Deny`
6486							//
6487							// Required
6488							"parameterNotFoundAction"?: string
6489
6490							// selector can be used to match multiple param objects based on
6491							// their labels.
6492							// Supply selector: {} to match all resources of the ParamKind.
6493							//
6494							// If multiple params are found, they are all evaluated with the
6495							// policy expressions
6496							// and the results are ANDed together.
6497							//
6498							// One of `name` or `selector` must be set, but `name` and
6499							// `selector` are
6500							// mutually exclusive properties. If one is set, the other must be
6501							// unset.
6502							"selector"?: {
6503								// matchExpressions is a list of label selector requirements. The
6504								// requirements are ANDed.
6505								"matchExpressions"?: [...{
6506									// key is the label key that the selector applies to.
6507									"key"!: string
6508
6509									// operator represents a key's relationship to a set of values.
6510									// Valid operators are In, NotIn, Exists and DoesNotExist.
6511									"operator"!: string
6512
6513									// values is an array of string values. If the operator is In or
6514									// NotIn,
6515									// the values array must be non-empty. If the operator is Exists
6516									// or DoesNotExist,
6517									// the values array must be empty. This array is replaced during a
6518									// strategic
6519									// merge patch.
6520									"values"?: [...string]
6521								}]
6522
6523								// matchLabels is a map of {key,value} pairs. A single {key,value}
6524								// in the matchLabels
6525								// map is equivalent to an element of matchExpressions, whose key
6526								// field is "key", the
6527								// operator is "In", and the values array contains only "value".
6528								// The requirements are ANDed.
6529								"matchLabels"?: {
6530									[string]: string
6531								}
6532							}
6533						}
6534
6535						// Variables contain definitions of variables that can be used in
6536						// composition of other expressions.
6537						// Each variable is defined as a named CEL expression.
6538						// The variables defined here will be available under `variables`
6539						// in other expressions of the policy.
6540						"variables"?: [...{
6541							// Expression is the expression that will be evaluated as the
6542							// value of the variable.
6543							// The CEL expression has access to the same identifiers as the
6544							// CEL expressions in Validation.
6545							"expression"!: string
6546
6547							// Name is the name of the variable. The name must be a valid CEL
6548							// identifier and unique among all variables.
6549							// The variable can be accessed in other expressions through
6550							// `variables`
6551							// For example, if name is "foo", the variable will be available
6552							// as `variables.foo`
6553							"name"!: string
6554						}]
6555					}
6556
6557					// Deny defines conditions used to pass or fail a validation rule.
6558					"deny"?: {
6559						// Multiple conditions can be declared under an `any` or `all`
6560						// statement. A direct list
6561						// of conditions (without `any` or `all` statements) is also
6562						// supported for backwards compatibility
6563						// but will be deprecated in the next major release.
6564						// See:
6565						// https://kyverno.io/docs/writing-policies/validate/#deny-rules
6566						"conditions"?: null | bool | number | string | [...] | {
6567							...
6568						}
6569					}
6570
6571					// FailureAction defines if a validation policy rule violation
6572					// should block
6573					// the admission review request (Enforce), or allow (Audit) the
6574					// admission review request
6575					// and report an error in a policy report. Optional.
6576					// Allowed values are Audit or Enforce.
6577					"failureAction"?: "Audit" | "Enforce"
6578
6579					// FailureActionOverrides is a Cluster Policy attribute that
6580					// specifies FailureAction
6581					// namespace-wise. It overrides FailureAction for the specified
6582					// namespaces.
6583					"failureActionOverrides"?: [...{
6584						// ValidationFailureAction defines the policy validation failure
6585						// action
6586						"action"?: "audit" | "enforce" | "Audit" | "Enforce"
6587
6588						// A label selector is a label query over a set of resources. The
6589						// result of matchLabels and
6590						// matchExpressions are ANDed. An empty label selector matches all
6591						// objects. A null
6592						// label selector matches no objects.
6593						"namespaceSelector"?: {
6594							// matchExpressions is a list of label selector requirements. The
6595							// requirements are ANDed.
6596							"matchExpressions"?: [...{
6597								// key is the label key that the selector applies to.
6598								"key"!: string
6599
6600								// operator represents a key's relationship to a set of values.
6601								// Valid operators are In, NotIn, Exists and DoesNotExist.
6602								"operator"!: string
6603
6604								// values is an array of string values. If the operator is In or
6605								// NotIn,
6606								// the values array must be non-empty. If the operator is Exists
6607								// or DoesNotExist,
6608								// the values array must be empty. This array is replaced during a
6609								// strategic
6610								// merge patch.
6611								"values"?: [...string]
6612							}]
6613
6614							// matchLabels is a map of {key,value} pairs. A single {key,value}
6615							// in the matchLabels
6616							// map is equivalent to an element of matchExpressions, whose key
6617							// field is "key", the
6618							// operator is "In", and the values array contains only "value".
6619							// The requirements are ANDed.
6620							"matchLabels"?: {
6621								[string]: string
6622							}
6623						}
6624						"namespaces"?: [...string]
6625					}]
6626
6627					// ForEach applies validate rules to a list of sub-elements by
6628					// creating a context for each entry in the list and looping over
6629					// it to apply the specified logic.
6630					"foreach"?: [...{
6631						// AnyPattern specifies list of validation patterns. At least one
6632						// of the patterns
6633						// must be satisfied for the validation rule to succeed.
6634						"anyPattern"?: null | bool | number | string | [...] | {
6635							...
6636						}
6637
6638						// Context defines variables and data sources that can be used
6639						// during rule execution.
6640						"context"?: [...matchN(1, [{
6641							"configMap"!: _
6642						}, {
6643							"apiCall"!: _
6644						}, {
6645							"imageRegistry"!: _
6646						}, {
6647							"variable"!: _
6648						}, {
6649							"globalReference"!: _
6650						}]) & {
6651							// APICall is an HTTP request to the Kubernetes API server, or
6652							// other JSON web service.
6653							// The data returned is stored in the context with the name for
6654							// the context entry.
6655							"apiCall"?: {
6656								// The data object specifies the POST data sent to the server.
6657								// Only applicable when the method field is set to POST.
6658								"data"?: [...{
6659									// Key is a unique identifier for the data value
6660									"key"!: string
6661
6662									// Value is the data value
6663									"value"!: null | bool | number | string | [...] | {
6664										...
6665									}
6666								}]
6667
6668								// Default is an optional arbitrary JSON object that the context
6669								// value is set to, if the apiCall returns error.
6670								"default"?: null | bool | number | string | [...] | {
6671									...
6672								}
6673
6674								// JMESPath is an optional JSON Match Expression that can be used
6675								// to
6676								// transform the JSON response returned from the server. For
6677								// example
6678								// a JMESPath of "items | length(@)" applied to the API server
6679								// response
6680								// for the URLPath "/apis/apps/v1/deployments" will return the
6681								// total count
6682								// of deployments across all namespaces.
6683								"jmesPath"?: string
6684
6685								// Method is the HTTP request type (GET or POST). Defaults to GET.
6686								"method"?: "GET" | "POST"
6687
6688								// Service is an API call to a JSON web service.
6689								// This is used for non-Kubernetes API server calls.
6690								// It's mutually exclusive with the URLPath field.
6691								"service"?: {
6692									// CABundle is a PEM encoded CA bundle which will be used to
6693									// validate
6694									// the server certificate.
6695									"caBundle"?: string
6696
6697									// Headers is a list of optional HTTP headers to be included in
6698									// the request.
6699									"headers"?: [...{
6700										// Key is the header key
6701										"key"!: string
6702
6703										// Value is the header value
6704										"value"!: string
6705									}]
6706
6707									// URL is the JSON web service URL. A typical form is
6708									// `https://{service}.{namespace}:{port}/{path}`.
6709									"url"!: string
6710								}
6711
6712								// URLPath is the URL path to be used in the HTTP GET or POST
6713								// request to the
6714								// Kubernetes API server (e.g. "/api/v1/namespaces" or
6715								// "/apis/apps/v1/deployments").
6716								// The format required is the same format used by the `kubectl get
6717								// --raw` command.
6718								// See
6719								// https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
6720								// for details.
6721								// It's mutually exclusive with the Service field.
6722								"urlPath"?: string
6723							}
6724
6725							// ConfigMap is the ConfigMap reference.
6726							"configMap"?: {
6727								// Name is the ConfigMap name.
6728								"name"!: string
6729
6730								// Namespace is the ConfigMap namespace.
6731								"namespace"?: string
6732							}
6733
6734							// GlobalContextEntryReference is a reference to a cached global
6735							// context entry.
6736							"globalReference"?: {
6737								// JMESPath is an optional JSON Match Expression that can be used
6738								// to
6739								// transform the JSON response returned from the server. For
6740								// example
6741								// a JMESPath of "items | length(@)" applied to the API server
6742								// response
6743								// for the URLPath "/apis/apps/v1/deployments" will return the
6744								// total count
6745								// of deployments across all namespaces.
6746								"jmesPath"?: string
6747
6748								// Name of the global context entry
6749								"name"!: string
6750							}
6751
6752							// ImageRegistry defines requests to an OCI/Docker V2 registry to
6753							// fetch image
6754							// details.
6755							"imageRegistry"?: {
6756								// ImageRegistryCredentials provides credentials that will be used
6757								// for authentication with registry
6758								"imageRegistryCredentials"?: {
6759									// AllowInsecureRegistry allows insecure access to a registry.
6760									"allowInsecureRegistry"?: bool
6761
6762									// Providers specifies a list of OCI Registry names, whose
6763									// authentication providers are provided.
6764									// It can be of one of these values:
6765									// default,google,azure,amazon,github.
6766									"providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
6767
6768									// Secrets specifies a list of secrets that are provided for
6769									// credentials.
6770									// Secrets must live in the Kyverno namespace.
6771									"secrets"?: [...string]
6772								}
6773
6774								// JMESPath is an optional JSON Match Expression that can be used
6775								// to
6776								// transform the ImageData struct returned as a result of
6777								// processing
6778								// the image reference.
6779								"jmesPath"?: string
6780
6781								// Reference is image reference to a container image in the
6782								// registry.
6783								// Example: ghcr.io/kyverno/kyverno:latest
6784								"reference"!: string
6785							}
6786
6787							// Name is the variable name.
6788							"name"!: string
6789
6790							// Variable defines an arbitrary JMESPath context variable that
6791							// can be defined inline.
6792							"variable"?: {
6793								// Default is an optional arbitrary JSON object that the variable
6794								// may take if the JMESPath
6795								// expression evaluates to nil
6796								"default"?: null | bool | number | string | [...] | {
6797									...
6798								}
6799
6800								// JMESPath is an optional JMESPath Expression that can be used to
6801								// transform the variable.
6802								"jmesPath"?: string
6803
6804								// Value is any arbitrary JSON object representable in YAML or
6805								// JSON form.
6806								"value"?: null | bool | number | string | [...] | {
6807									...
6808								}
6809							}
6810						}]
6811
6812						// Deny defines conditions used to pass or fail a validation rule.
6813						"deny"?: {
6814							// Multiple conditions can be declared under an `any` or `all`
6815							// statement. A direct list
6816							// of conditions (without `any` or `all` statements) is also
6817							// supported for backwards compatibility
6818							// but will be deprecated in the next major release.
6819							// See:
6820							// https://kyverno.io/docs/writing-policies/validate/#deny-rules
6821							"conditions"?: null | bool | number | string | [...] | {
6822								...
6823							}
6824						}
6825
6826						// ElementScope specifies whether to use the current list element
6827						// as the scope for validation. Defaults to "true" if not
6828						// specified.
6829						// When set to "false", "request.object" is used as the validation
6830						// scope within the foreach
6831						// block to allow referencing other elements in the subtree.
6832						"elementScope"?: bool
6833
6834						// Foreach declares a nested foreach iterator
6835						"foreach"?: null | bool | number | string | [...] | {
6836							...
6837						}
6838
6839						// List specifies a JMESPath expression that results in one or
6840						// more elements
6841						// to which the validation logic is applied.
6842						"list"?: string
6843
6844						// Pattern specifies an overlay-style pattern used to check
6845						// resources.
6846						"pattern"?: null | bool | number | string | [...] | {
6847							...
6848						}
6849
6850						// AnyAllConditions are used to determine if a policy rule should
6851						// be applied by evaluating a
6852						// set of conditions. The declaration can contain nested `any` or
6853						// `all` statements.
6854						// See: https://kyverno.io/docs/writing-policies/preconditions/
6855						"preconditions"?: {
6856							// AllConditions enable variable-based conditional rule execution.
6857							// This is useful for
6858							// finer control of when a rule is applied. A condition can
6859							// reference object data
6860							// using JMESPath notation.
6861							// Here, all of the conditions need to pass
6862							"all"?: [...{
6863								// Key is the context entry (using JMESPath) for conditional rule
6864								// evaluation.
6865								"key"?: null | bool | number | string | [...] | {
6866									...
6867								}
6868
6869								// Message is an optional display message
6870								"message"?: string
6871
6872								// Operator is the conditional operation to perform. Valid
6873								// operators are:
6874								// Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
6875								// GreaterThanOrEquals,
6876								// GreaterThan, LessThanOrEquals, LessThan,
6877								// DurationGreaterThanOrEquals, DurationGreaterThan,
6878								// DurationLessThanOrEquals, DurationLessThan
6879								"operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
6880
6881								// Value is the conditional value, or set of values. The values
6882								// can be fixed set
6883								// or can be variables declared using JMESPath.
6884								"value"?: null | bool | number | string | [...] | {
6885									...
6886								}
6887							}]
6888
6889							// AnyConditions enable variable-based conditional rule execution.
6890							// This is useful for
6891							// finer control of when a rule is applied. A condition can
6892							// reference object data
6893							// using JMESPath notation.
6894							// Here, at least one of the conditions needs to pass
6895							"any"?: [...{
6896								// Key is the context entry (using JMESPath) for conditional rule
6897								// evaluation.
6898								"key"?: null | bool | number | string | [...] | {
6899									...
6900								}
6901
6902								// Message is an optional display message
6903								"message"?: string
6904
6905								// Operator is the conditional operation to perform. Valid
6906								// operators are:
6907								// Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
6908								// GreaterThanOrEquals,
6909								// GreaterThan, LessThanOrEquals, LessThan,
6910								// DurationGreaterThanOrEquals, DurationGreaterThan,
6911								// DurationLessThanOrEquals, DurationLessThan
6912								"operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
6913
6914								// Value is the conditional value, or set of values. The values
6915								// can be fixed set
6916								// or can be variables declared using JMESPath.
6917								"value"?: null | bool | number | string | [...] | {
6918									...
6919								}
6920							}]
6921							...
6922						}
6923					}]
6924
6925					// Manifests specifies conditions for manifest verification.
6926					"manifests"?: {
6927						// AnnotationDomain is custom domain of annotation for message and
6928						// signature. Default is "cosign.sigstore.dev".
6929						"annotationDomain"?: string
6930
6931						// Attestors specifies the required attestors (i.e. authorities).
6932						"attestors"?: [...{
6933							// Count specifies the required number of entries that must match.
6934							// If the count is null, all entries must match
6935							// (a logical AND). If the count is 1, at least one entry must
6936							// match (a logical OR). If the count contains a
6937							// value N, then N must be less than or equal to the size of
6938							// entries, and at least N entries must match.
6939							"count"?: int & >=1
6940
6941							// Entries contains the available attestors. An attestor can be a
6942							// static key,
6943							// attributes for keyless verification, or a nested attestor
6944							// declaration.
6945							"entries"?: [...{
6946								// Annotations are used for image verification.
6947								// Every specified key-value pair must exist and match in the
6948								// verified payload.
6949								// The payload may contain other key-value pairs.
6950								"annotations"?: [string]: string
6951
6952								// Attestor is a nested set of Attestor used to specify a more
6953								// complex set of match authorities.
6954								"attestor"?: null | bool | number | string | [...] | {
6955									...
6956								}
6957
6958								// Certificates specifies one or more certificates.
6959								"certificates"?: {
6960									// Cert is an optional PEM-encoded public certificate.
6961									"cert"?: string
6962
6963									// CertChain is an optional PEM encoded set of certificates used
6964									// to verify.
6965									"certChain"?: string
6966
6967									// CTLog (certificate timestamp log) provides a configuration for
6968									// validation of Signed Certificate
6969									// Timestamps (SCTs). If the value is unset, the default behavior
6970									// by Cosign is used.
6971									"ctlog"?: {
6972										// IgnoreSCT defines whether to use the Signed Certificate
6973										// Timestamp (SCT) log to check for a certificate
6974										// timestamp. Default is false. Set to true if this was opted out
6975										// during signing.
6976										"ignoreSCT"?: bool
6977
6978										// PubKey, if set, is used to validate SCTs against a custom
6979										// source.
6980										"pubkey"?: string
6981
6982										// TSACertChain, if set, is the PEM-encoded certificate chain file
6983										// for the RFC3161 timestamp authority. Must
6984										// contain the root CA certificate. Optionally may contain
6985										// intermediate CA certificates, and
6986										// may contain the leaf TSA certificate if not present in the
6987										// timestamurce.
6988										"tsaCertChain"?: string
6989									}
6990
6991									// Rekor provides configuration for the Rekor transparency log
6992									// service. If an empty object
6993									// is provided the public instance of Rekor
6994									// (https://rekor.sigstore.dev) is used.
6995									"rekor"?: {
6996										// IgnoreTlog skips transparency log verification.
6997										"ignoreTlog"?: bool
6998
6999										// RekorPubKey is an optional PEM-encoded public key to use for a
7000										// custom Rekor.
7001										// If set, this will be used to validate transparency log
7002										// signatures from a custom Rekor.
7003										"pubkey"?: string
7004
7005										// URL is the address of the transparency log. Defaults to the
7006										// public Rekor log instance https://rekor.sigstore.dev.
7007										"url"?: string
7008									}
7009								}
7010
7011								// Keyless is a set of attributes used to verify a Sigstore keyless
7012								// attestor.
7013								// See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
7014								"keyless"?: {
7015									// AdditionalExtensions are certificate-extensions used for
7016									// keyless signing.
7017									"additionalExtensions"?: [string]: string
7018
7019									// CTLog (certificate timestamp log) provides a configuration for
7020									// validation of Signed Certificate
7021									// Timestamps (SCTs). If the value is unset, the default behavior
7022									// by Cosign is used.
7023									"ctlog"?: {
7024										// IgnoreSCT defines whether to use the Signed Certificate
7025										// Timestamp (SCT) log to check for a certificate
7026										// timestamp. Default is false. Set to true if this was opted out
7027										// during signing.
7028										"ignoreSCT"?: bool
7029
7030										// PubKey, if set, is used to validate SCTs against a custom
7031										// source.
7032										"pubkey"?: string
7033
7034										// TSACertChain, if set, is the PEM-encoded certificate chain file
7035										// for the RFC3161 timestamp authority. Must
7036										// contain the root CA certificate. Optionally may contain
7037										// intermediate CA certificates, and
7038										// may contain the leaf TSA certificate if not present in the
7039										// timestamurce.
7040										"tsaCertChain"?: string
7041									}
7042
7043									// Issuer is the certificate issuer used for keyless signing.
7044									"issuer"?: string
7045
7046									// IssuerRegExp is the regular expression to match certificate
7047									// issuer used for keyless signing.
7048									"issuerRegExp"?: string
7049
7050									// Rekor provides configuration for the Rekor transparency log
7051									// service. If an empty object
7052									// is provided the public instance of Rekor
7053									// (https://rekor.sigstore.dev) is used.
7054									"rekor"?: {
7055										// IgnoreTlog skips transparency log verification.
7056										"ignoreTlog"?: bool
7057
7058										// RekorPubKey is an optional PEM-encoded public key to use for a
7059										// custom Rekor.
7060										// If set, this will be used to validate transparency log
7061										// signatures from a custom Rekor.
7062										"pubkey"?: string
7063
7064										// URL is the address of the transparency log. Defaults to the
7065										// public Rekor log instance https://rekor.sigstore.dev.
7066										"url"?: string
7067									}
7068
7069									// Roots is an optional set of PEM encoded trusted root
7070									// certificates.
7071									// If not provided, the system roots are used.
7072									"roots"?: string
7073
7074									// Subject is the verified identity used for keyless signing, for
7075									// example the email address.
7076									"subject"?: string
7077
7078									// SubjectRegExp is the regular expression to match identity used
7079									// for keyless signing, for example the email address.
7080									"subjectRegExp"?: string
7081								}
7082
7083								// Keys specifies one or more public keys.
7084								"keys"?: {
7085									// CTLog (certificate timestamp log) provides a configuration for
7086									// validation of Signed Certificate
7087									// Timestamps (SCTs). If the value is unset, the default behavior
7088									// by Cosign is used.
7089									"ctlog"?: {
7090										// IgnoreSCT defines whether to use the Signed Certificate
7091										// Timestamp (SCT) log to check for a certificate
7092										// timestamp. Default is false. Set to true if this was opted out
7093										// during signing.
7094										"ignoreSCT"?: bool
7095
7096										// PubKey, if set, is used to validate SCTs against a custom
7097										// source.
7098										"pubkey"?: string
7099
7100										// TSACertChain, if set, is the PEM-encoded certificate chain file
7101										// for the RFC3161 timestamp authority. Must
7102										// contain the root CA certificate. Optionally may contain
7103										// intermediate CA certificates, and
7104										// may contain the leaf TSA certificate if not present in the
7105										// timestamurce.
7106										"tsaCertChain"?: string
7107									}
7108
7109									// KMS provides the URI to the public key stored in a Key
7110									// Management System. See:
7111									// https://github.com/sigstore/cosign/blob/main/KMS.md
7112									"kms"?: string
7113
7114									// Keys is a set of X.509 public keys used to verify image
7115									// signatures. The keys can be directly
7116									// specified or can be a variable reference to a key specified in
7117									// a ConfigMap (see
7118									// https://kyverno.io/docs/writing-policies/variables/), or
7119									// reference a standard Kubernetes Secret
7120									// elsewhere in the cluster by specifying it in the format
7121									// "k8s://<namespace>/<secret_name>".
7122									// The named Secret must specify a key `cosign.pub` containing the
7123									// public key used for
7124									// verification, (see
7125									// https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
7126									// When multiple keys are specified each key is processed as a
7127									// separate staticKey entry
7128									// (.attestors[*].entries.keys) within the set of attestors and
7129									// the count is applied across the keys.
7130									"publicKeys"?: string
7131
7132									// Rekor provides configuration for the Rekor transparency log
7133									// service. If an empty object
7134									// is provided the public instance of Rekor
7135									// (https://rekor.sigstore.dev) is used.
7136									"rekor"?: {
7137										// IgnoreTlog skips transparency log verification.
7138										"ignoreTlog"?: bool
7139
7140										// RekorPubKey is an optional PEM-encoded public key to use for a
7141										// custom Rekor.
7142										// If set, this will be used to validate transparency log
7143										// signatures from a custom Rekor.
7144										"pubkey"?: string
7145
7146										// URL is the address of the transparency log. Defaults to the
7147										// public Rekor log instance https://rekor.sigstore.dev.
7148										"url"?: string
7149									}
7150
7151									// Reference to a Secret resource that contains a public key
7152									"secret"?: {
7153										// Name of the secret. The provided secret must contain a key
7154										// named cosign.pub.
7155										"name"!: string
7156
7157										// Namespace name where the Secret exists.
7158										"namespace"!: string
7159									}
7160
7161									// Deprecated. Use attestor.signatureAlgorithm instead.
7162									"signatureAlgorithm"?: string
7163								}
7164
7165								// Repository is an optional alternate OCI repository to use for
7166								// signatures and attestations that match this rule.
7167								// If specified Repository will override other OCI image
7168								// repository locations for this Attestor.
7169								"repository"?: string
7170
7171								// Specify signature algorithm for public keys. Supported values
7172								// are sha224, sha256, sha384 and sha512.
7173								"signatureAlgorithm"?: string
7174							}]
7175						}]
7176
7177						// DryRun configuration
7178						"dryRun"?: {
7179							"enable"?:    bool
7180							"namespace"?: string
7181						}
7182
7183						// Fields which will be ignored while comparing manifests.
7184						"ignoreFields"?: [...{
7185							"fields"?: [...string]
7186							"objects"?: [...{
7187								"group"?:     string
7188								"kind"?:      string
7189								"name"?:      string
7190								"namespace"?: string
7191								"version"?:   string
7192							}]
7193						}]
7194
7195						// Repository is an optional alternate OCI repository to use for
7196						// resource bundle reference.
7197						// The repository can be overridden per Attestor or Attestation.
7198						"repository"?: string
7199					}
7200
7201					// Message specifies a custom message to be displayed on failure.
7202					"message"?: string
7203
7204					// Pattern specifies an overlay-style pattern used to check
7205					// resources.
7206					"pattern"?: null | bool | number | string | [...] | {
7207						...
7208					}
7209
7210					// PodSecurity applies exemptions for Kubernetes Pod Security
7211					// admission
7212					// by specifying exclusions for Pod Security Standards controls.
7213					"podSecurity"?: {
7214						// Exclude specifies the Pod Security Standard controls to be
7215						// excluded.
7216						"exclude"?: [...{
7217							// ControlName specifies the name of the Pod Security Standard
7218							// control.
7219							// See:
7220							// https://kubernetes.io/docs/concepts/security/pod-security-standards/
7221							"controlName"!: "HostProcess" | "Host Namespaces" | "Privileged Containers" | "Capabilities" | "HostPath Volumes" | "Host Ports" | "AppArmor" | "SELinux" | "/proc Mount Type" | "Seccomp" | "Sysctls" | "Volume Types" | "Privilege Escalation" | "Running as Non-root" | "Running as Non-root user"
7222
7223							// Images selects matching containers and applies the container
7224							// level PSS.
7225							// Each image is the image name consisting of the registry
7226							// address, repository, image, and tag.
7227							// Empty list matches no containers, PSS checks are applied at the
7228							// pod level only.
7229							// Wildcards ('*' and '?') are allowed. See:
7230							// https://kubernetes.io/docs/concepts/containers/images.
7231							"images"?: [...string]
7232
7233							// RestrictedField selects the field for the given Pod Security
7234							// Standard control.
7235							// When not set, all restricted fields for the control are
7236							// selected.
7237							"restrictedField"?: string
7238
7239							// Values defines the allowed values that can be excluded.
7240							"values"?: [...string]
7241						}]
7242
7243						// Level defines the Pod Security Standard level to be applied to
7244						// workloads.
7245						// Allowed values are privileged, baseline, and restricted.
7246						"level"?: "privileged" | "baseline" | "restricted"
7247
7248						// Version defines the Pod Security Standard versions that
7249						// Kubernetes supports.
7250						// Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24,
7251						// v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest.
7252						"version"?: "v1.19" | "v1.20" | "v1.21" | "v1.22" | "v1.23" | "v1.24" | "v1.25" | "v1.26" | "v1.27" | "v1.28" | "v1.29" | "latest"
7253					}
7254				}
7255
7256				// VerifyImages is used to verify image signatures and mutate them
7257				// to add a digest
7258				"verifyImages"?: [...{
7259					// Deprecated.
7260					"additionalExtensions"?: [string]: string
7261
7262					// Deprecated. Use annotations per Attestor instead.
7263					"annotations"?: {
7264						[string]: string
7265					}
7266
7267					// Attestations are optional checks for signed in-toto Statements
7268					// used to verify the image.
7269					// See https://github.com/in-toto/attestation. Kyverno fetches
7270					// signed attestations from the
7271					// OCI registry and decodes them into a list of Statement
7272					// declarations.
7273					"attestations"?: [...{
7274						// Attestors specify the required attestors (i.e. authorities).
7275						"attestors"?: [...{
7276							// Count specifies the required number of entries that must match.
7277							// If the count is null, all entries must match
7278							// (a logical AND). If the count is 1, at least one entry must
7279							// match (a logical OR). If the count contains a
7280							// value N, then N must be less than or equal to the size of
7281							// entries, and at least N entries must match.
7282							"count"?: int & >=1
7283
7284							// Entries contains the available attestors. An attestor can be a
7285							// static key,
7286							// attributes for keyless verification, or a nested attestor
7287							// declaration.
7288							"entries"?: [...{
7289								// Annotations are used for image verification.
7290								// Every specified key-value pair must exist and match in the
7291								// verified payload.
7292								// The payload may contain other key-value pairs.
7293								"annotations"?: [string]: string
7294
7295								// Attestor is a nested set of Attestor used to specify a more
7296								// complex set of match authorities.
7297								"attestor"?: null | bool | number | string | [...] | {
7298									...
7299								}
7300
7301								// Certificates specifies one or more certificates.
7302								"certificates"?: {
7303									// Cert is an optional PEM-encoded public certificate.
7304									"cert"?: string
7305
7306									// CertChain is an optional PEM encoded set of certificates used
7307									// to verify.
7308									"certChain"?: string
7309
7310									// CTLog (certificate timestamp log) provides a configuration for
7311									// validation of Signed Certificate
7312									// Timestamps (SCTs). If the value is unset, the default behavior
7313									// by Cosign is used.
7314									"ctlog"?: {
7315										// IgnoreSCT defines whether to use the Signed Certificate
7316										// Timestamp (SCT) log to check for a certificate
7317										// timestamp. Default is false. Set to true if this was opted out
7318										// during signing.
7319										"ignoreSCT"?: bool
7320
7321										// PubKey, if set, is used to validate SCTs against a custom
7322										// source.
7323										"pubkey"?: string
7324
7325										// TSACertChain, if set, is the PEM-encoded certificate chain file
7326										// for the RFC3161 timestamp authority. Must
7327										// contain the root CA certificate. Optionally may contain
7328										// intermediate CA certificates, and
7329										// may contain the leaf TSA certificate if not present in the
7330										// timestamurce.
7331										"tsaCertChain"?: string
7332									}
7333
7334									// Rekor provides configuration for the Rekor transparency log
7335									// service. If an empty object
7336									// is provided the public instance of Rekor
7337									// (https://rekor.sigstore.dev) is used.
7338									"rekor"?: {
7339										// IgnoreTlog skips transparency log verification.
7340										"ignoreTlog"?: bool
7341
7342										// RekorPubKey is an optional PEM-encoded public key to use for a
7343										// custom Rekor.
7344										// If set, this will be used to validate transparency log
7345										// signatures from a custom Rekor.
7346										"pubkey"?: string
7347
7348										// URL is the address of the transparency log. Defaults to the
7349										// public Rekor log instance https://rekor.sigstore.dev.
7350										"url"?: string
7351									}
7352								}
7353
7354								// Keyless is a set of attributes used to verify a Sigstore keyless
7355								// attestor.
7356								// See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
7357								"keyless"?: {
7358									// AdditionalExtensions are certificate-extensions used for
7359									// keyless signing.
7360									"additionalExtensions"?: [string]: string
7361
7362									// CTLog (certificate timestamp log) provides a configuration for
7363									// validation of Signed Certificate
7364									// Timestamps (SCTs). If the value is unset, the default behavior
7365									// by Cosign is used.
7366									"ctlog"?: {
7367										// IgnoreSCT defines whether to use the Signed Certificate
7368										// Timestamp (SCT) log to check for a certificate
7369										// timestamp. Default is false. Set to true if this was opted out
7370										// during signing.
7371										"ignoreSCT"?: bool
7372
7373										// PubKey, if set, is used to validate SCTs against a custom
7374										// source.
7375										"pubkey"?: string
7376
7377										// TSACertChain, if set, is the PEM-encoded certificate chain file
7378										// for the RFC3161 timestamp authority. Must
7379										// contain the root CA certificate. Optionally may contain
7380										// intermediate CA certificates, and
7381										// may contain the leaf TSA certificate if not present in the
7382										// timestamurce.
7383										"tsaCertChain"?: string
7384									}
7385
7386									// Issuer is the certificate issuer used for keyless signing.
7387									"issuer"?: string
7388
7389									// IssuerRegExp is the regular expression to match certificate
7390									// issuer used for keyless signing.
7391									"issuerRegExp"?: string
7392
7393									// Rekor provides configuration for the Rekor transparency log
7394									// service. If an empty object
7395									// is provided the public instance of Rekor
7396									// (https://rekor.sigstore.dev) is used.
7397									"rekor"?: {
7398										// IgnoreTlog skips transparency log verification.
7399										"ignoreTlog"?: bool
7400
7401										// RekorPubKey is an optional PEM-encoded public key to use for a
7402										// custom Rekor.
7403										// If set, this will be used to validate transparency log
7404										// signatures from a custom Rekor.
7405										"pubkey"?: string
7406
7407										// URL is the address of the transparency log. Defaults to the
7408										// public Rekor log instance https://rekor.sigstore.dev.
7409										"url"?: string
7410									}
7411
7412									// Roots is an optional set of PEM encoded trusted root
7413									// certificates.
7414									// If not provided, the system roots are used.
7415									"roots"?: string
7416
7417									// Subject is the verified identity used for keyless signing, for
7418									// example the email address.
7419									"subject"?: string
7420
7421									// SubjectRegExp is the regular expression to match identity used
7422									// for keyless signing, for example the email address.
7423									"subjectRegExp"?: string
7424								}
7425
7426								// Keys specifies one or more public keys.
7427								"keys"?: {
7428									// CTLog (certificate timestamp log) provides a configuration for
7429									// validation of Signed Certificate
7430									// Timestamps (SCTs). If the value is unset, the default behavior
7431									// by Cosign is used.
7432									"ctlog"?: {
7433										// IgnoreSCT defines whether to use the Signed Certificate
7434										// Timestamp (SCT) log to check for a certificate
7435										// timestamp. Default is false. Set to true if this was opted out
7436										// during signing.
7437										"ignoreSCT"?: bool
7438
7439										// PubKey, if set, is used to validate SCTs against a custom
7440										// source.
7441										"pubkey"?: string
7442
7443										// TSACertChain, if set, is the PEM-encoded certificate chain file
7444										// for the RFC3161 timestamp authority. Must
7445										// contain the root CA certificate. Optionally may contain
7446										// intermediate CA certificates, and
7447										// may contain the leaf TSA certificate if not present in the
7448										// timestamurce.
7449										"tsaCertChain"?: string
7450									}
7451
7452									// KMS provides the URI to the public key stored in a Key
7453									// Management System. See:
7454									// https://github.com/sigstore/cosign/blob/main/KMS.md
7455									"kms"?: string
7456
7457									// Keys is a set of X.509 public keys used to verify image
7458									// signatures. The keys can be directly
7459									// specified or can be a variable reference to a key specified in
7460									// a ConfigMap (see
7461									// https://kyverno.io/docs/writing-policies/variables/), or
7462									// reference a standard Kubernetes Secret
7463									// elsewhere in the cluster by specifying it in the format
7464									// "k8s://<namespace>/<secret_name>".
7465									// The named Secret must specify a key `cosign.pub` containing the
7466									// public key used for
7467									// verification, (see
7468									// https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
7469									// When multiple keys are specified each key is processed as a
7470									// separate staticKey entry
7471									// (.attestors[*].entries.keys) within the set of attestors and
7472									// the count is applied across the keys.
7473									"publicKeys"?: string
7474
7475									// Rekor provides configuration for the Rekor transparency log
7476									// service. If an empty object
7477									// is provided the public instance of Rekor
7478									// (https://rekor.sigstore.dev) is used.
7479									"rekor"?: {
7480										// IgnoreTlog skips transparency log verification.
7481										"ignoreTlog"?: bool
7482
7483										// RekorPubKey is an optional PEM-encoded public key to use for a
7484										// custom Rekor.
7485										// If set, this will be used to validate transparency log
7486										// signatures from a custom Rekor.
7487										"pubkey"?: string
7488
7489										// URL is the address of the transparency log. Defaults to the
7490										// public Rekor log instance https://rekor.sigstore.dev.
7491										"url"?: string
7492									}
7493
7494									// Reference to a Secret resource that contains a public key
7495									"secret"?: {
7496										// Name of the secret. The provided secret must contain a key
7497										// named cosign.pub.
7498										"name"!: string
7499
7500										// Namespace name where the Secret exists.
7501										"namespace"!: string
7502									}
7503
7504									// Deprecated. Use attestor.signatureAlgorithm instead.
7505									"signatureAlgorithm"?: string
7506								}
7507
7508								// Repository is an optional alternate OCI repository to use for
7509								// signatures and attestations that match this rule.
7510								// If specified Repository will override other OCI image
7511								// repository locations for this Attestor.
7512								"repository"?: string
7513
7514								// Specify signature algorithm for public keys. Supported values
7515								// are sha224, sha256, sha384 and sha512.
7516								"signatureAlgorithm"?: string
7517							}]
7518						}]
7519
7520						// Conditions are used to verify attributes within a Predicate. If
7521						// no Conditions are specified
7522						// the attestation check is satisfied as long as there are predicates
7523						// that match the predicate type.
7524						"conditions"?: [...{
7525							// AllConditions enable variable-based conditional rule execution.
7526							// This is useful for
7527							// finer control of when a rule is applied. A condition can
7528							// reference object data
7529							// using JMESPath notation.
7530							// Here, all of the conditions need to pass
7531							"all"?: [...{
7532								// Key is the context entry (using JMESPath) for conditional rule
7533								// evaluation.
7534								"key"?: null | bool | number | string | [...] | {
7535									...
7536								}
7537
7538								// Message is an optional display message
7539								"message"?: string
7540
7541								// Operator is the conditional operation to perform. Valid
7542								// operators are:
7543								// Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
7544								// GreaterThanOrEquals,
7545								// GreaterThan, LessThanOrEquals, LessThan,
7546								// DurationGreaterThanOrEquals, DurationGreaterThan,
7547								// DurationLessThanOrEquals, DurationLessThan
7548								"operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
7549
7550								// Value is the conditional value, or set of values. The values
7551								// can be a fixed set
7552								// or can be variables declared using JMESPath.
7553								"value"?: null | bool | number | string | [...] | {
7554									...
7555								}
7556							}]
7557
7558							// AnyConditions enable variable-based conditional rule execution.
7559							// This is useful for
7560							// finer control of when a rule is applied. A condition can
7561							// reference object data
7562							// using JMESPath notation.
7563							// Here, at least one of the conditions needs to pass
7564							"any"?: [...{
7565								// Key is the context entry (using JMESPath) for conditional rule
7566								// evaluation.
7567								"key"?: null | bool | number | string | [...] | {
7568									...
7569								}
7570
7571								// Message is an optional display message
7572								"message"?: string
7573
7574								// Operator is the conditional operation to perform. Valid
7575								// operators are:
7576								// Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
7577								// GreaterThanOrEquals,
7578								// GreaterThan, LessThanOrEquals, LessThan,
7579								// DurationGreaterThanOrEquals, DurationGreaterThan,
7580								// DurationLessThanOrEquals, DurationLessThan
7581								"operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
7582
7583								// Value is the conditional value, or set of values. The values
7584								// can be a fixed set
7585								// or can be variables declared using JMESPath.
7586								"value"?: null | bool | number | string | [...] | {
7587									...
7588								}
7589							}]
7590						}]
7591
7592						// Name is the variable name.
7593						"name"?: string
7594
7595						// Deprecated in favour of 'Type', to be removed soon
7596						"predicateType"?: string
7597
7598						// Type defines the type of attestation contained within the
7599						// Statement.
7600						"type"?: string
7601					}]
7602
7603					// Attestors specifies the required attestors (i.e. authorities).
7604					"attestors"?: [...{
7605						// Count specifies the required number of entries that must match.
7606						// If the count is null, all entries must match
7607						// (a logical AND). If the count is 1, at least one entry must
7608						// match (a logical OR). If the count contains a
7609						// value N, then N must be less than or equal to the size of
7610						// entries, and at least N entries must match.
7611						"count"?: int & >=1
7612
7613						// Entries contains the available attestors. An attestor can be a
7614						// static key,
7615						// attributes for keyless verification, or a nested attestor
7616						// declaration.
7617						"entries"?: [...{
7618							// Annotations are used for image verification.
7619							// Every specified key-value pair must exist and match in the
7620							// verified payload.
7621							// The payload may contain other key-value pairs.
7622							"annotations"?: [string]: string
7623
7624							// Attestor is a nested set of Attestor used to specify a more
7625							// complex set of match authorities.
7626							"attestor"?: null | bool | number | string | [...] | {
7627								...
7628							}
7629
7630							// Certificates specifies one or more certificates.
7631							"certificates"?: {
7632								// Cert is an optional PEM-encoded public certificate.
7633								"cert"?: string
7634
7635								// CertChain is an optional PEM encoded set of certificates used
7636								// to verify.
7637								"certChain"?: string
7638
7639								// CTLog (certificate timestamp log) provides a configuration for
7640								// validation of Signed Certificate
7641								// Timestamps (SCTs). If the value is unset, the default behavior
7642								// by Cosign is used.
7643								"ctlog"?: {
7644									// IgnoreSCT defines whether to skip the Signed Certificate
7645									// Timestamp (SCT) check, i.e. the evidence that the signing certificate was recorded
7646									// in a certificate transparency log. Default is false. Set to true only if SCT inclusion
7647									// was deliberately opted out during signing; with it set, an unlogged certificate is no longer rejected on that ground.
7648									"ignoreSCT"?: bool
7649
7650									// PubKey, if set, is used to validate SCTs against a custom
7651									// source.
7652									"pubkey"?: string
7653
7654									// TSACertChain, if set, is the PEM-encoded certificate chain file
7655									// for the RFC3161 timestamp authority. Must
7656									// contain the root CA certificate. Optionally may contain
7657									// intermediate CA certificates, and
7658									// may contain the leaf TSA certificate if not present in the
7659									// timestamp response.
7660									"tsaCertChain"?: string
7661								}
7662
7663								// Rekor provides configuration for the Rekor transparency log
7664								// service. If an empty object
7665								// is provided the public instance of Rekor
7666								// (https://rekor.sigstore.dev) is used.
7667								"rekor"?: {
7668									// IgnoreTlog skips transparency log verification. Enabling it accepts signatures that were never recorded in Rekor and removes the tamper-evident audit trail; use it only for artifacts deliberately signed with the transparency log disabled.
7669									"ignoreTlog"?: bool
7670
7671									// RekorPubKey is an optional PEM-encoded public key to use for a
7672									// custom Rekor.
7673									// If set, this will be used to validate transparency log
7674									// signatures from a custom Rekor.
7675									"pubkey"?: string
7676
7677									// URL is the address of the transparency log. Defaults to the
7678									// public Rekor log instance https://rekor.sigstore.dev.
7679									"url"?: string
7680								}
7681							}
7682
7683							// Keyless is a set of attributes used to verify a Sigstore keyless
7684							// attestor. Always constrain the identity: with only roots configured, any certificate the trusted
7685							// CA has issued is accepted, so set issuer/issuerRegExp and subject/subjectRegExp. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
7686							"keyless"?: {
7687								// AdditionalExtensions are certificate-extensions used for
7688								// keyless signing.
7689								"additionalExtensions"?: [string]: string
7690
7691								// CTLog (certificate timestamp log) provides a configuration for
7692								// validation of Signed Certificate
7693								// Timestamps (SCTs). If the value is unset, the default behavior
7694								// by Cosign is used.
7695								"ctlog"?: {
7696									// IgnoreSCT defines whether to skip the Signed Certificate
7697									// Timestamp (SCT) check, i.e. the evidence that the signing certificate was recorded
7698									// in a certificate transparency log. Default is false. Set to true only if SCT inclusion
7699									// was deliberately opted out during signing; with it set, an unlogged certificate is no longer rejected on that ground.
7700									"ignoreSCT"?: bool
7701
7702									// PubKey, if set, is used to validate SCTs against a custom
7703									// source.
7704									"pubkey"?: string
7705
7706									// TSACertChain, if set, is the PEM-encoded certificate chain file
7707									// for the RFC3161 timestamp authority. Must
7708									// contain the root CA certificate. Optionally may contain
7709									// intermediate CA certificates, and
7710									// may contain the leaf TSA certificate if not present in the
7711									// timestamp response.
7712									"tsaCertChain"?: string
7713								}
7714
7715								// Issuer is the certificate issuer used for keyless signing.
7716								"issuer"?: string
7717
7718								// IssuerRegExp is the regular expression to match certificate
7719								// issuer used for keyless signing. Anchor it with ^ and $: an unanchored Go regular
7720								// expression matches anywhere in the issuer string. Prefer the exact Issuer field when the OIDC issuer is fixed.
7721
7722								// Rekor provides configuration for the Rekor transparency log
7723								// service. If an empty object
7724								// is provided the public instance of Rekor
7725								// (https://rekor.sigstore.dev) is used.
7726								"rekor"?: {
7727									// IgnoreTlog skips transparency log verification. Enabling it accepts signatures that were never recorded in Rekor and removes the tamper-evident audit trail; use it only for artifacts deliberately signed with the transparency log disabled.
7728									"ignoreTlog"?: bool
7729
7730									// RekorPubKey is an optional PEM-encoded public key to use for a
7731									// custom Rekor.
7732									// If set, this will be used to validate transparency log
7733									// signatures from a custom Rekor.
7734									"pubkey"?: string
7735
7736									// URL is the address of the transparency log. Defaults to the
7737									// public Rekor log instance https://rekor.sigstore.dev.
7738									"url"?: string
7739								}
7740
7741								// Roots is an optional set of PEM encoded trusted root
7742								// certificates.
7743								// If not provided, the system roots are used.
7744								"roots"?: string
7745
7746								// Subject is the verified identity used for keyless signing, for
7747								// example the email address.
7748								"subject"?: string
7749
7750								// SubjectRegExp is the regular expression to match identity used
7751								// for keyless signing, for example the email address. Anchor it with ^ and $ and escape dots:
7752								// an unanchored `.*@example.com` also matches `x@example.com.attacker.example`. Prefer the exact Subject field where possible.
7753							}
7754
7755							// Keys specifies one or more public keys.
7756							"keys"?: {
7757								// CTLog (certificate timestamp log) provides a configuration for
7758								// validation of Signed Certificate
7759								// Timestamps (SCTs). If the value is unset, the default behavior
7760								// by Cosign is used.
7761								"ctlog"?: {
7762									// IgnoreSCT defines whether to skip the Signed Certificate
7763									// Timestamp (SCT) check, i.e. the evidence that the signing certificate was recorded
7764									// in a certificate transparency log. Default is false. Set to true only if SCT inclusion
7765									// was deliberately opted out during signing; with it set, an unlogged certificate is no longer rejected on that ground.
7766									"ignoreSCT"?: bool
7767
7768									// PubKey, if set, is used to validate SCTs against a custom
7769									// source.
7770									"pubkey"?: string
7771
7772									// TSACertChain, if set, is the PEM-encoded certificate chain file
7773									// for the RFC3161 timestamp authority. Must
7774									// contain the root CA certificate. Optionally may contain
7775									// intermediate CA certificates, and
7776									// may contain the leaf TSA certificate if not present in the
7777									// timestamp response.
7778									"tsaCertChain"?: string
7779								}
7780
7781								// KMS provides the URI to the public key stored in a Key
7782								// Management System. See:
7783								// https://github.com/sigstore/cosign/blob/main/KMS.md
7784								"kms"?: string
7785
7786								// Keys is a set of X.509 public keys used to verify image
7787								// signatures. The keys can be directly
7788								// specified or can be a variable reference to a key specified in
7789								// a ConfigMap (see
7790								// https://kyverno.io/docs/writing-policies/variables/), or
7791								// reference a standard Kubernetes Secret
7792								// elsewhere in the cluster by specifying it in the format
7793								// "k8s://<namespace>/<secret_name>".
7794								// The named Secret must specify a key `cosign.pub` containing the
7795								// public key used for
7796								// verification, (see
7797								// https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
7798								// When multiple keys are specified each key is processed as a
7799								// separate staticKey entry
7800								// (.attestors[*].entries.keys) within the set of attestors and
7801								// the count is applied across the keys.
7802								"publicKeys"?: string
7803
7804								// Rekor provides configuration for the Rekor transparency log
7805								// service. If an empty object
7806								// is provided the public instance of Rekor
7807								// (https://rekor.sigstore.dev) is used.
7808								"rekor"?: {
7809									// IgnoreTlog skips transparency log verification. Enabling it accepts signatures that were never recorded in Rekor and removes the tamper-evident audit trail; use it only for artifacts deliberately signed with the transparency log disabled.
7810									"ignoreTlog"?: bool
7811
7812									// RekorPubKey is an optional PEM-encoded public key to use for a
7813									// custom Rekor.
7814									// If set, this will be used to validate transparency log
7815									// signatures from a custom Rekor.
7816									"pubkey"?: string
7817
7818									// URL is the address of the transparency log. Defaults to the
7819									// public Rekor log instance https://rekor.sigstore.dev.
7820									"url"?: string
7821								}
7822
7823								// Reference to a Secret resource that contains a public key
7824								"secret"?: {
7825									// Name of the secret. The provided secret must contain a key
7826									// named cosign.pub.
7827									"name"!: string
7828
7829									// Namespace name where the Secret exists.
7830									"namespace"!: string
7831								}
7832
7833								// Deprecated. Use attestor.signatureAlgorithm instead.
7834								"signatureAlgorithm"?: string
7835							}
7836
7837							// Repository is an optional alternate OCI repository to use for
7838							// signatures and attestations that match this rule.
7839							// If specified Repository will override other OCI image
7840							// repository locations for this Attestor.
7841							"repository"?: string
7842
7843							// Specify signature algorithm for public keys. Supported values
7844							// are sha224, sha256, sha384 and sha512. This schema does not enforce that list (any string unifies); an unsupported value is only caught by Kyverno's own validation.
7845							"signatureAlgorithm"?: string
7846						}]
7847					}]
7848
7849					// CosignOCI11 enables the experimental OCI 1.1 behaviour in
7850					// cosign image verification.
7851					// Defaults to false.
7852					"cosignOCI11"?: bool
7853
7854					// FailureAction controls what happens when verification fails. Allowed values are Audit or Enforce: Audit records the violation but still admits the request, Enforce rejects it. Treat Audit as a rollout aid, not a steady state for image verification.
7855					"failureAction"?: "Audit" | "Enforce"
7856
7857					// Deprecated. Use ImageReferences instead.
7858					"image"?: string
7859
7860					// ImageReferences is a list of matching image reference patterns.
7861					// At least one pattern in the
7862					// list must match the image for the rule to apply. Each image
7863					// reference consists of a registry
7864					// address (defaults to docker.io), repository, image, and tag
7865					// (defaults to latest).
7866					// Wildcards ('*' and '?') are allowed. See:
7867					// https://kubernetes.io/docs/concepts/containers/images.
7868					"imageReferences"?: [...string]
7869
7870					// ImageRegistryCredentials provides credentials that will be used
7871					// for authentication with registry.
7872					"imageRegistryCredentials"?: {
7873						// AllowInsecureRegistry allows insecure access to a registry (typically plaintext or unverified TLS). Leave it unset for production registries: the credentials configured here may then travel over an unprotected channel and tag-to-digest resolution can be tampered with in transit.
7874						"allowInsecureRegistry"?: bool
7875
7876						// Providers specifies a list of OCI Registry names, whose
7877						// authentication providers are provided.
7878						// It can be of one of these values:
7879						// default,google,azure,amazon,github.
7880						"providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
7881
7882						// Secrets specifies a list of secrets that are provided for
7883						// credentials.
7884						// Secrets must live in the Kyverno namespace.
7885						"secrets"?: [...string]
7886					}
7887
7888					// Deprecated. Use KeylessAttestor instead.
7889					"issuer"?: string
7890
7891					// Deprecated. Use StaticKeyAttestor instead.
7892					"key"?: string
7893
7894					// MutateDigest enables replacement of image tags with digests. Keep it enabled: a tag can be re-pointed after
7895					// verification, and rewriting the reference to the verified digest binds what was checked to what the node pulls. Defaults to true.
7896					"mutateDigest"?: bool
7897
7898					// Repository is an optional alternate OCI repository to use for
7899					// image signatures and attestations that match this rule.
7900					// If specified Repository will override the default OCI image
7901					// repository configured for the installation.
7902					// The repository can also be overridden per Attestor or
7903					// Attestation.
7904					"repository"?: string
7905
7906					// Required validates that images are verified i.e. have matched and
7907					// passed a signature or attestation check. With required set to false, a matching image for which no attestor applies is not by itself a failure; confirm that is intended before relaxing it.
7908					"required"?: bool
7909
7910					// Deprecated. Use KeylessAttestor instead.
7911					"roots"?: string
7912
7913					// SkipImageReferences is a list of matching image reference
7914					// patterns that should be skipped.
7915					// At least one pattern in the list must match the image for the
7916					// rule to be skipped. Each image reference
7917					// consists of a registry address (defaults to docker.io),
7918					// repository, image, and tag (defaults to latest).
7919					// Wildcards ('*' and '?') are allowed, but every entry here is an exemption from verification: keep patterns fully qualified
7920					// (registry, repository and ideally tag or digest) and never use a bare "*". See: https://kubernetes.io/docs/concepts/containers/images.
7921					"skipImageReferences"?: [...string]
7922
7923					// Deprecated. Use KeylessAttestor instead.
7924					"subject"?: string
7925
7926					// Type specifies the method of signature validation. The allowed
7927					// options
7928					// are Cosign, Sigstore Bundle and Notary. By default Cosign is
7929					// used if a type is not specified.
7930					"type"?: "Cosign" | "SigstoreBundle" | "Notary"
7931
7932					// UseCache enables caching of image verify responses for this
7933					// rule. A cached verdict is reused until it expires, so a later signature revocation or key rotation may not take effect for that image until the entry ages out.
7934					"useCache"?: bool
7935
7936					// Validation checks conditions across multiple image
7937					// verification attestations or context entries
7938					"validate"?: {
7939						// Deny defines conditions used to pass or fail a validation rule.
7940						"deny"?: {
7941							// Multiple conditions can be declared under an `any` or `all`
7942							// statement. A direct list
7943							// of conditions (without `any` or `all` statements) is also
7944							// supported for backwards compatibility
7945							// but will be deprecated in the next major release.
7946							// See:
7947							// https://kyverno.io/docs/writing-policies/validate/#deny-rules
7948							"conditions"?: null | bool | number | string | [...] | {
7949								...
7950							}
7951						}
7952
7953						// Message specifies a custom message to be displayed on failure.
7954						"message"?: string
7955					}
7956
7957					// VerifyDigest validates that images have a digest. Useful when mutateDigest is disabled: an image referenced only by a mutable tag is rejected instead of being verified once and later pulled as something else.
7958					"verifyDigest"?: bool
7959				}]
7960			}]
7961		}
7962		"conditions"?: [...{ // standard Kubernetes metav1.Condition shape and constraints
7963			// lastTransitionTime is the last time the condition transitioned
7964			// from one status to another.
7965			// This should be when the underlying condition changed. If that
7966			// is not known, then using the time when the API field changed
7967			// is acceptable.
7968			"lastTransitionTime"!: time.Time
7969
7970			// message is a human readable message indicating details about
7971			// the transition.
7972			// This may be an empty string.
7973			"message"!: strings.MaxRunes(
7974					32768)
7975
7976			// observedGeneration represents the .metadata.generation that the
7977			// condition was set based upon.
7978			// For instance, if .metadata.generation is currently 12, but the
7979			// .status.conditions[x].observedGeneration is 9, the condition
7980			// is out of date
7981			// with respect to the current state of the instance.
7982			"observedGeneration"?: int64 & int & >=0
7983
7984			// reason contains a programmatic identifier indicating the reason
7985			// for the condition's last transition.
7986			// Producers of specific condition types may define expected
7987			// values and meanings for this field,
7988			// and whether the values are considered a guaranteed API.
7989			// The value should be a CamelCase string.
7990			// This field may not be empty.
7991			"reason"!: strings.MaxRunes(
7992					1024) & strings.MinRunes(
7993					1) & =~"^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$"
7994
7995			// status of the condition, one of True, False, Unknown.
7996			"status"!: "True" | "False" | "Unknown"
7997
7998			// type of condition in CamelCase or in foo.example.com/CamelCase.
7999			"type"!: strings.MaxRunes(
8000					316) & =~"^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$"
8001		}]
8002
8003		// Deprecated in favor of Conditions; consumers should read the conditions list instead of this flag.
8004		"ready"?: bool
8005
8006		// RuleCountStatus contains four variables which describe counts
8007		// for
8008		// validate, generate, mutate and verify images rules
8009		"rulecount"?: { // all four counts are required once the object is present; the schema does not exclude negative values
8010			// Count for generate rules in policy
8011			"generate"!: int
8012
8013			// Count for mutate rules in policy
8014			"mutate"!: int
8015
8016			// Count for validate rules in policy
8017			"validate"!: int
8018
8019			// Count for verify image rules in policy
8020			"verifyimages"!: int
8021		}
8022
8023		// ValidatingAdmissionPolicy contains status information
8024		"validatingadmissionpolicy"?: { // reports whether this policy was translated into a Kubernetes ValidatingAdmissionPolicy
8025			// Generated indicates whether a validating admission policy is
8026			// generated from the policy or not
8027			"generated"!: bool
8028
8029			// Message is a human readable message indicating details about
8030			// the generation of validating admission policy
8031			// It is an empty string when validating admission policy is
8032			// successfully generated.
8033			"message"!: string
8034		}
8035	}
8036
8037	_embeddedResource: { // hidden helper unified into #Policy: makes apiVersion and kind mandatory
8038		"apiVersion"!: string
8039		"kind"!:       string
8040		"metadata"?: { // open struct: arbitrary metadata keys are accepted here
8041			...
8042		}
8043	}
8044	apiVersion: "kyverno.io/v2beta1" // concrete value: a manifest with any other apiVersion fails to unify
8045	kind:       "Policy"             // likewise pins the kind
8046	metadata!: { // required: Policy is the namespaced kind, so both name and namespace must be given
8047		"name"!:      string
8048		"namespace"!: string
8049		"labels"?: {
8050			[string]: string
8051		}
8052		"annotations"?: {
8053			[string]: string
8054		}
8055		... // other ObjectMeta fields are allowed but not constrained here
8056	}
8057}