# Kyverno ClusterPolicy CustomResourceDefinition: clusterpolicies.kyverno.io,
# group kyverno.io, kind ClusterPolicy, cluster-scoped, short name "cpol".
# Annotated as generated by controller-gen v0.17.3 and labelled
# app.kubernetes.io/version 3.4.1.
#
# NOTE(review): the manifest's line structure has been collapsed, so nesting
# can no longer be read from indentation and the text will not parse as-is.
# Re-fetch or regenerate the CRD rather than re-indenting it by hand.
#
# Schema points worth checking when reviewing policies written against it:
# - spec.validationFailureAction defaults to Audit, and the per-rule
#   failureAction (Audit | Enforce) has no schema default. Presumably a policy
#   only blocks requests when Enforce is set explicitly -- confirm against the
#   Kyverno documentation for this version.
# - spec.failurePolicy and spec.webhookConfiguration.failurePolicy accept
#   Ignore | Fail with no schema default. For Kubernetes admission webhooks,
#   Ignore admits the request when the webhook call errors.
# - imageRegistryCredentials.allowInsecureRegistry, rekor.ignoreTlog and
#   ctlog.ignoreSCT are plain booleans that, by their names, appear to relax
#   registry transport or transparency-log checks. Nothing in this schema
#   restricts their use.
# - context.apiCall.service takes an arbitrary url string with optional
#   caBundle and headers; the schema places no constraint on the destination.
# - Many subtrees (pattern, anyPattern, deny.conditions, patchStrategicMerge,
#   generate data, apiCall data values, precondition keys and values) are
#   marked x-kubernetes-preserve-unknown-fields, so the API server neither
#   prunes nor structurally validates their contents from this schema.
--- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.17.3 labels: app.kubernetes.io/component: crds app.kubernetes.io/instance: kyverno app.kubernetes.io/part-of: kyverno-crds app.kubernetes.io/version: 3.4.1 name: clusterpolicies.kyverno.io spec: group: kyverno.io names: categories: - kyverno kind: ClusterPolicy listKind: ClusterPolicyList plural: clusterpolicies shortNames: - cpol singular: clusterpolicy scope: Cluster versions: - additionalPrinterColumns: - jsonPath: .spec.admission name: ADMISSION type: boolean - jsonPath: .spec.background name: BACKGROUND type: boolean - jsonPath: .status.conditions[?(@.type == "Ready")].status name: READY type: string - jsonPath: .metadata.creationTimestamp name: AGE type: date - jsonPath: .spec.failurePolicy name: FAILURE POLICY priority: 1 type: string - jsonPath: .status.rulecount.validate name: VALIDATE priority: 1 type: integer - jsonPath: .status.rulecount.mutate name: MUTATE priority: 1 type: integer - jsonPath: .status.rulecount.generate name: GENERATE priority: 1 type: integer - jsonPath: .status.rulecount.verifyimages name: VERIFY IMAGES priority: 1 type: integer - jsonPath: .status.conditions[?(@.type == "Ready")].message name: MESSAGE type: string name: v1 schema: openAPIV3Schema: properties: apiVersion: type: string kind: type: string metadata: type: object spec: properties: admission: default: true type: boolean applyRules: enum: - All - One type: string background: default: true type: boolean emitWarning: default: false type: boolean failurePolicy: enum: - Ignore - Fail type: string generateExisting: type: boolean generateExistingOnPolicyUpdate: type: boolean mutateExistingOnPolicyUpdate: type: boolean rules: items: properties: celPreconditions: items: properties: expression: type: string name: type: string required: - expression - name type: object type: array context: items: oneOf: - required: - configMap - required: - apiCall 
- required: - imageRegistry - required: - variable - required: - globalReference properties: apiCall: properties: data: items: properties: key: type: string value: x-kubernetes-preserve-unknown-fields: true required: - key - value type: object type: array default: x-kubernetes-preserve-unknown-fields: true jmesPath: type: string method: default: GET enum: - GET - POST type: string service: properties: caBundle: type: string headers: items: properties: key: type: string value: type: string required: - key - value type: object type: array url: type: string required: - url type: object urlPath: type: string type: object configMap: properties: name: type: string namespace: type: string required: - name type: object globalReference: properties: jmesPath: type: string name: type: string required: - name type: object imageRegistry: properties: imageRegistryCredentials: properties: allowInsecureRegistry: type: boolean providers: items: enum: - default - amazon - azure - google - github type: string type: array secrets: items: type: string type: array type: object jmesPath: type: string reference: type: string required: - reference type: object name: type: string variable: properties: default: x-kubernetes-preserve-unknown-fields: true jmesPath: type: string value: x-kubernetes-preserve-unknown-fields: true type: object required: - name type: object type: array exclude: not: required: - any - all properties: all: items: properties: clusterRoles: items: type: string type: array resources: not: required: - name - names properties: annotations: additionalProperties: type: string type: object kinds: items: type: string type: array name: type: string names: items: type: string type: array namespaceSelector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array x-kubernetes-list-type: atomic required: - key - operator type: object type: array x-kubernetes-list-type: atomic matchLabels: 
additionalProperties: type: string type: object type: object x-kubernetes-map-type: atomic namespaces: items: type: string type: array operations: items: enum: - CREATE - CONNECT - UPDATE - DELETE type: string type: array selector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array x-kubernetes-list-type: atomic required: - key - operator type: object type: array x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string type: object type: object x-kubernetes-map-type: atomic type: object roles: items: type: string type: array subjects: items: properties: apiGroup: type: string kind: type: string name: type: string namespace: type: string required: - kind - name type: object x-kubernetes-map-type: atomic type: array type: object type: array any: items: properties: clusterRoles: items: type: string type: array resources: not: required: - name - names properties: annotations: additionalProperties: type: string type: object kinds: items: type: string type: array name: type: string names: items: type: string type: array namespaceSelector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array x-kubernetes-list-type: atomic required: - key - operator type: object type: array x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string type: object type: object x-kubernetes-map-type: atomic namespaces: items: type: string type: array operations: items: enum: - CREATE - CONNECT - UPDATE - DELETE type: string type: array selector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array x-kubernetes-list-type: atomic required: - key - operator type: object type: array x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string type: object type: object x-kubernetes-map-type: atomic type: object 
roles: items: type: string type: array subjects: items: properties: apiGroup: type: string kind: type: string name: type: string namespace: type: string required: - kind - name type: object x-kubernetes-map-type: atomic type: array type: object type: array clusterRoles: items: type: string type: array resources: not: required: - name - names properties: annotations: additionalProperties: type: string type: object kinds: items: type: string type: array name: type: string names: items: type: string type: array namespaceSelector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array x-kubernetes-list-type: atomic required: - key - operator type: object type: array x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string type: object type: object x-kubernetes-map-type: atomic namespaces: items: type: string type: array operations: items: enum: - CREATE - CONNECT - UPDATE - DELETE type: string type: array selector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array x-kubernetes-list-type: atomic required: - key - operator type: object type: array x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string type: object type: object x-kubernetes-map-type: atomic type: object roles: items: type: string type: array subjects: items: properties: apiGroup: type: string kind: type: string name: type: string namespace: type: string required: - kind - name type: object x-kubernetes-map-type: atomic type: array type: object generate: properties: apiVersion: type: string clone: properties: name: type: string namespace: type: string type: object cloneList: properties: kinds: items: type: string type: array namespace: type: string selector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array x-kubernetes-list-type: 
atomic required: - key - operator type: object type: array x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string type: object type: object x-kubernetes-map-type: atomic type: object data: x-kubernetes-preserve-unknown-fields: true foreach: items: properties: apiVersion: type: string clone: properties: name: type: string namespace: type: string type: object cloneList: properties: kinds: items: type: string type: array namespace: type: string selector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array x-kubernetes-list-type: atomic required: - key - operator type: object type: array x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string type: object type: object x-kubernetes-map-type: atomic type: object context: items: oneOf: - required: - configMap - required: - apiCall - required: - imageRegistry - required: - variable - required: - globalReference properties: apiCall: properties: data: items: properties: key: type: string value: x-kubernetes-preserve-unknown-fields: true required: - key - value type: object type: array default: x-kubernetes-preserve-unknown-fields: true jmesPath: type: string method: default: GET enum: - GET - POST type: string service: properties: caBundle: type: string headers: items: properties: key: type: string value: type: string required: - key - value type: object type: array url: type: string required: - url type: object urlPath: type: string type: object configMap: properties: name: type: string namespace: type: string required: - name type: object globalReference: properties: jmesPath: type: string name: type: string required: - name type: object imageRegistry: properties: imageRegistryCredentials: properties: allowInsecureRegistry: type: boolean providers: items: enum: - default - amazon - azure - google - github type: string type: array secrets: items: type: string type: array type: object jmesPath: type: 
string reference: type: string required: - reference type: object name: type: string variable: properties: default: x-kubernetes-preserve-unknown-fields: true jmesPath: type: string value: x-kubernetes-preserve-unknown-fields: true type: object required: - name type: object type: array data: x-kubernetes-preserve-unknown-fields: true kind: type: string list: type: string name: type: string namespace: type: string preconditions: properties: all: items: properties: key: x-kubernetes-preserve-unknown-fields: true message: type: string operator: enum: - Equals - NotEquals - In - AnyIn - AllIn - NotIn - AnyNotIn - AllNotIn - GreaterThanOrEquals - GreaterThan - LessThanOrEquals - LessThan - DurationGreaterThanOrEquals - DurationGreaterThan - DurationLessThanOrEquals - DurationLessThan type: string value: x-kubernetes-preserve-unknown-fields: true type: object type: array any: items: properties: key: x-kubernetes-preserve-unknown-fields: true message: type: string operator: enum: - Equals - NotEquals - In - AnyIn - AllIn - NotIn - AnyNotIn - AllNotIn - GreaterThanOrEquals - GreaterThan - LessThanOrEquals - LessThan - DurationGreaterThanOrEquals - DurationGreaterThan - DurationLessThanOrEquals - DurationLessThan type: string value: x-kubernetes-preserve-unknown-fields: true type: object type: array type: object x-kubernetes-preserve-unknown-fields: true uid: type: string type: object type: array generateExisting: type: boolean kind: type: string name: type: string namespace: type: string orphanDownstreamOnPolicyDelete: type: boolean synchronize: type: boolean uid: type: string type: object imageExtractors: additionalProperties: items: properties: jmesPath: type: string key: type: string name: type: string path: type: string value: type: string required: - path type: object type: array type: object match: not: required: - any - all properties: all: items: properties: clusterRoles: items: type: string type: array resources: not: required: - name - names properties: 
annotations: additionalProperties: type: string type: object kinds: items: type: string type: array name: type: string names: items: type: string type: array namespaceSelector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array x-kubernetes-list-type: atomic required: - key - operator type: object type: array x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string type: object type: object x-kubernetes-map-type: atomic namespaces: items: type: string type: array operations: items: enum: - CREATE - CONNECT - UPDATE - DELETE type: string type: array selector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array x-kubernetes-list-type: atomic required: - key - operator type: object type: array x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string type: object type: object x-kubernetes-map-type: atomic type: object roles: items: type: string type: array subjects: items: properties: apiGroup: type: string kind: type: string name: type: string namespace: type: string required: - kind - name type: object x-kubernetes-map-type: atomic type: array type: object type: array any: items: properties: clusterRoles: items: type: string type: array resources: not: required: - name - names properties: annotations: additionalProperties: type: string type: object kinds: items: type: string type: array name: type: string names: items: type: string type: array namespaceSelector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array x-kubernetes-list-type: atomic required: - key - operator type: object type: array x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string type: object type: object x-kubernetes-map-type: atomic namespaces: items: type: string type: array operations: items: 
enum: - CREATE - CONNECT - UPDATE - DELETE type: string type: array selector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array x-kubernetes-list-type: atomic required: - key - operator type: object type: array x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string type: object type: object x-kubernetes-map-type: atomic type: object roles: items: type: string type: array subjects: items: properties: apiGroup: type: string kind: type: string name: type: string namespace: type: string required: - kind - name type: object x-kubernetes-map-type: atomic type: array type: object type: array clusterRoles: items: type: string type: array resources: not: required: - name - names properties: annotations: additionalProperties: type: string type: object kinds: items: type: string type: array name: type: string names: items: type: string type: array namespaceSelector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array x-kubernetes-list-type: atomic required: - key - operator type: object type: array x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string type: object type: object x-kubernetes-map-type: atomic namespaces: items: type: string type: array operations: items: enum: - CREATE - CONNECT - UPDATE - DELETE type: string type: array selector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array x-kubernetes-list-type: atomic required: - key - operator type: object type: array x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string type: object type: object x-kubernetes-map-type: atomic type: object roles: items: type: string type: array subjects: items: properties: apiGroup: type: string kind: type: string name: type: string namespace: type: string required: - kind - name 
type: object x-kubernetes-map-type: atomic type: array type: object mutate: properties: foreach: items: properties: context: items: oneOf: - required: - configMap - required: - apiCall - required: - imageRegistry - required: - variable - required: - globalReference properties: apiCall: properties: data: items: properties: key: type: string value: x-kubernetes-preserve-unknown-fields: true required: - key - value type: object type: array default: x-kubernetes-preserve-unknown-fields: true jmesPath: type: string method: default: GET enum: - GET - POST type: string service: properties: caBundle: type: string headers: items: properties: key: type: string value: type: string required: - key - value type: object type: array url: type: string required: - url type: object urlPath: type: string type: object configMap: properties: name: type: string namespace: type: string required: - name type: object globalReference: properties: jmesPath: type: string name: type: string required: - name type: object imageRegistry: properties: imageRegistryCredentials: properties: allowInsecureRegistry: type: boolean providers: items: enum: - default - amazon - azure - google - github type: string type: array secrets: items: type: string type: array type: object jmesPath: type: string reference: type: string required: - reference type: object name: type: string variable: properties: default: x-kubernetes-preserve-unknown-fields: true jmesPath: type: string value: x-kubernetes-preserve-unknown-fields: true type: object required: - name type: object type: array foreach: x-kubernetes-preserve-unknown-fields: true list: type: string order: enum: - Ascending - Descending type: string patchStrategicMerge: x-kubernetes-preserve-unknown-fields: true patchesJson6902: type: string preconditions: properties: all: items: properties: key: x-kubernetes-preserve-unknown-fields: true message: type: string operator: enum: - Equals - NotEquals - In - AnyIn - AllIn - NotIn - AnyNotIn - AllNotIn - 
GreaterThanOrEquals - GreaterThan - LessThanOrEquals - LessThan - DurationGreaterThanOrEquals - DurationGreaterThan - DurationLessThanOrEquals - DurationLessThan type: string value: x-kubernetes-preserve-unknown-fields: true type: object type: array any: items: properties: key: x-kubernetes-preserve-unknown-fields: true message: type: string operator: enum: - Equals - NotEquals - In - AnyIn - AllIn - NotIn - AnyNotIn - AllNotIn - GreaterThanOrEquals - GreaterThan - LessThanOrEquals - LessThan - DurationGreaterThanOrEquals - DurationGreaterThan - DurationLessThanOrEquals - DurationLessThan type: string value: x-kubernetes-preserve-unknown-fields: true type: object type: array type: object x-kubernetes-preserve-unknown-fields: true type: object type: array mutateExistingOnPolicyUpdate: type: boolean patchStrategicMerge: x-kubernetes-preserve-unknown-fields: true patchesJson6902: type: string targets: items: properties: apiVersion: type: string context: items: oneOf: - required: - configMap - required: - apiCall - required: - imageRegistry - required: - variable - required: - globalReference properties: apiCall: properties: data: items: properties: key: type: string value: x-kubernetes-preserve-unknown-fields: true required: - key - value type: object type: array default: x-kubernetes-preserve-unknown-fields: true jmesPath: type: string method: default: GET enum: - GET - POST type: string service: properties: caBundle: type: string headers: items: properties: key: type: string value: type: string required: - key - value type: object type: array url: type: string required: - url type: object urlPath: type: string type: object configMap: properties: name: type: string namespace: type: string required: - name type: object globalReference: properties: jmesPath: type: string name: type: string required: - name type: object imageRegistry: properties: imageRegistryCredentials: properties: allowInsecureRegistry: type: boolean providers: items: enum: - default - amazon - azure 
- google - github type: string type: array secrets: items: type: string type: array type: object jmesPath: type: string reference: type: string required: - reference type: object name: type: string variable: properties: default: x-kubernetes-preserve-unknown-fields: true jmesPath: type: string value: x-kubernetes-preserve-unknown-fields: true type: object required: - name type: object type: array kind: type: string name: type: string namespace: type: string preconditions: x-kubernetes-preserve-unknown-fields: true selector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array x-kubernetes-list-type: atomic required: - key - operator type: object type: array x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string type: object type: object x-kubernetes-map-type: atomic uid: type: string type: object type: array type: object name: maxLength: 63 type: string preconditions: x-kubernetes-preserve-unknown-fields: true reportProperties: additionalProperties: type: string type: object skipBackgroundRequests: default: true type: boolean validate: properties: allowExistingViolations: default: true type: boolean anyPattern: x-kubernetes-preserve-unknown-fields: true assert: type: object x-kubernetes-preserve-unknown-fields: true cel: properties: auditAnnotations: items: properties: key: type: string valueExpression: type: string required: - key - valueExpression type: object type: array expressions: items: properties: expression: type: string message: type: string messageExpression: type: string reason: type: string required: - expression type: object type: array generate: default: false type: boolean paramKind: properties: apiVersion: type: string kind: type: string type: object x-kubernetes-map-type: atomic paramRef: properties: name: type: string namespace: type: string parameterNotFoundAction: type: string selector: properties: matchExpressions: items: properties: key: type: 
string operator: type: string values: items: type: string type: array x-kubernetes-list-type: atomic required: - key - operator type: object type: array x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string type: object type: object x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic variables: items: properties: expression: type: string name: type: string required: - expression - name type: object x-kubernetes-map-type: atomic type: array type: object deny: properties: conditions: x-kubernetes-preserve-unknown-fields: true type: object failureAction: enum: - Audit - Enforce type: string failureActionOverrides: items: properties: action: enum: - audit - enforce - Audit - Enforce type: string namespaceSelector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array x-kubernetes-list-type: atomic required: - key - operator type: object type: array x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string type: object type: object x-kubernetes-map-type: atomic namespaces: items: type: string type: array type: object type: array foreach: items: properties: anyPattern: x-kubernetes-preserve-unknown-fields: true context: items: oneOf: - required: - configMap - required: - apiCall - required: - imageRegistry - required: - variable - required: - globalReference properties: apiCall: properties: data: items: properties: key: type: string value: x-kubernetes-preserve-unknown-fields: true required: - key - value type: object type: array default: x-kubernetes-preserve-unknown-fields: true jmesPath: type: string method: default: GET enum: - GET - POST type: string service: properties: caBundle: type: string headers: items: properties: key: type: string value: type: string required: - key - value type: object type: array url: type: string required: - url type: object urlPath: type: string type: object configMap: properties: name: type: 
string namespace: type: string required: - name type: object globalReference: properties: jmesPath: type: string name: type: string required: - name type: object imageRegistry: properties: imageRegistryCredentials: properties: allowInsecureRegistry: type: boolean providers: items: enum: - default - amazon - azure - google - github type: string type: array secrets: items: type: string type: array type: object jmesPath: type: string reference: type: string required: - reference type: object name: type: string variable: properties: default: x-kubernetes-preserve-unknown-fields: true jmesPath: type: string value: x-kubernetes-preserve-unknown-fields: true type: object required: - name type: object type: array deny: properties: conditions: x-kubernetes-preserve-unknown-fields: true type: object elementScope: type: boolean foreach: x-kubernetes-preserve-unknown-fields: true list: type: string pattern: x-kubernetes-preserve-unknown-fields: true preconditions: properties: all: items: properties: key: x-kubernetes-preserve-unknown-fields: true message: type: string operator: enum: - Equals - NotEquals - In - AnyIn - AllIn - NotIn - AnyNotIn - AllNotIn - GreaterThanOrEquals - GreaterThan - LessThanOrEquals - LessThan - DurationGreaterThanOrEquals - DurationGreaterThan - DurationLessThanOrEquals - DurationLessThan type: string value: x-kubernetes-preserve-unknown-fields: true type: object type: array any: items: properties: key: x-kubernetes-preserve-unknown-fields: true message: type: string operator: enum: - Equals - NotEquals - In - AnyIn - AllIn - NotIn - AnyNotIn - AllNotIn - GreaterThanOrEquals - GreaterThan - LessThanOrEquals - LessThan - DurationGreaterThanOrEquals - DurationGreaterThan - DurationLessThanOrEquals - DurationLessThan type: string value: x-kubernetes-preserve-unknown-fields: true type: object type: array type: object x-kubernetes-preserve-unknown-fields: true type: object type: array manifests: properties: annotationDomain: type: string attestors: items: 
properties: count: minimum: 1 type: integer entries: items: properties: annotations: additionalProperties: type: string type: object attestor: x-kubernetes-preserve-unknown-fields: true certificates: properties: cert: type: string certChain: type: string ctlog: properties: ignoreSCT: type: boolean pubkey: type: string tsaCertChain: type: string type: object rekor: properties: ignoreTlog: type: boolean pubkey: type: string url: type: string type: object type: object keyless: properties: additionalExtensions: additionalProperties: type: string type: object ctlog: properties: ignoreSCT: type: boolean pubkey: type: string tsaCertChain: type: string type: object issuer: type: string issuerRegExp: type: string rekor: properties: ignoreTlog: type: boolean pubkey: type: string url: type: string type: object roots: type: string subject: type: string subjectRegExp: type: string type: object keys: properties: ctlog: properties: ignoreSCT: type: boolean pubkey: type: string tsaCertChain: type: string type: object kms: type: string publicKeys: type: string rekor: properties: ignoreTlog: type: boolean pubkey: type: string url: type: string type: object secret: properties: name: type: string namespace: type: string required: - name - namespace type: object signatureAlgorithm: default: sha256 type: string type: object repository: type: string signatureAlgorithm: default: sha256 type: string type: object type: array type: object type: array dryRun: properties: enable: type: boolean namespace: type: string type: object ignoreFields: items: properties: fields: items: type: string type: array objects: items: properties: group: type: string kind: type: string name: type: string namespace: type: string version: type: string type: object type: array type: object type: array repository: type: string type: object message: type: string pattern: x-kubernetes-preserve-unknown-fields: true podSecurity: properties: exclude: items: properties: controlName: enum: - HostProcess - Host Namespaces - 
Privileged Containers - Capabilities - HostPath Volumes - Host Ports - AppArmor - SELinux - /proc Mount Type - Seccomp - Sysctls - Volume Types - Privilege Escalation - Running as Non-root - Running as Non-root user type: string images: items: type: string type: array restrictedField: type: string values: items: type: string type: array required: - controlName type: object type: array level: enum: - privileged - baseline - restricted type: string version: enum: - v1.19 - v1.20 - v1.21 - v1.22 - v1.23 - v1.24 - v1.25 - v1.26 - v1.27 - v1.28 - v1.29 - latest type: string type: object type: object verifyImages: items: properties: additionalExtensions: additionalProperties: type: string type: object annotations: additionalProperties: type: string type: object attestations: items: properties: attestors: items: properties: count: minimum: 1 type: integer entries: items: properties: annotations: additionalProperties: type: string type: object attestor: x-kubernetes-preserve-unknown-fields: true certificates: properties: cert: type: string certChain: type: string ctlog: properties: ignoreSCT: type: boolean pubkey: type: string tsaCertChain: type: string type: object rekor: properties: ignoreTlog: type: boolean pubkey: type: string url: type: string type: object type: object keyless: properties: additionalExtensions: additionalProperties: type: string type: object ctlog: properties: ignoreSCT: type: boolean pubkey: type: string tsaCertChain: type: string type: object issuer: type: string issuerRegExp: type: string rekor: properties: ignoreTlog: type: boolean pubkey: type: string url: type: string type: object roots: type: string subject: type: string subjectRegExp: type: string type: object keys: properties: ctlog: properties: ignoreSCT: type: boolean pubkey: type: string tsaCertChain: type: string type: object kms: type: string publicKeys: type: string rekor: properties: ignoreTlog: type: boolean pubkey: type: string url: type: string type: object secret: properties: name: 
type: string namespace: type: string required: - name - namespace type: object signatureAlgorithm: default: sha256 type: string type: object repository: type: string signatureAlgorithm: default: sha256 type: string type: object type: array type: object type: array conditions: items: properties: all: items: properties: key: x-kubernetes-preserve-unknown-fields: true message: type: string operator: enum: - Equals - NotEquals - In - AnyIn - AllIn - NotIn - AnyNotIn - AllNotIn - GreaterThanOrEquals - GreaterThan - LessThanOrEquals - LessThan - DurationGreaterThanOrEquals - DurationGreaterThan - DurationLessThanOrEquals - DurationLessThan type: string value: x-kubernetes-preserve-unknown-fields: true type: object type: array any: items: properties: key: x-kubernetes-preserve-unknown-fields: true message: type: string operator: enum: - Equals - NotEquals - In - AnyIn - AllIn - NotIn - AnyNotIn - AllNotIn - GreaterThanOrEquals - GreaterThan - LessThanOrEquals - LessThan - DurationGreaterThanOrEquals - DurationGreaterThan - DurationLessThanOrEquals - DurationLessThan type: string value: x-kubernetes-preserve-unknown-fields: true type: object type: array type: object type: array name: type: string predicateType: type: string type: type: string type: object type: array attestors: items: properties: count: minimum: 1 type: integer entries: items: properties: annotations: additionalProperties: type: string type: object attestor: x-kubernetes-preserve-unknown-fields: true certificates: properties: cert: type: string certChain: type: string ctlog: properties: ignoreSCT: type: boolean pubkey: type: string tsaCertChain: type: string type: object rekor: properties: ignoreTlog: type: boolean pubkey: type: string url: type: string type: object type: object keyless: properties: additionalExtensions: additionalProperties: type: string type: object ctlog: properties: ignoreSCT: type: boolean pubkey: type: string tsaCertChain: type: string type: object issuer: type: string issuerRegExp: 
type: string rekor: properties: ignoreTlog: type: boolean pubkey: type: string url: type: string type: object roots: type: string subject: type: string subjectRegExp: type: string type: object keys: properties: ctlog: properties: ignoreSCT: type: boolean pubkey: type: string tsaCertChain: type: string type: object kms: type: string publicKeys: type: string rekor: properties: ignoreTlog: type: boolean pubkey: type: string url: type: string type: object secret: properties: name: type: string namespace: type: string required: - name - namespace type: object signatureAlgorithm: default: sha256 type: string type: object repository: type: string signatureAlgorithm: default: sha256 type: string type: object type: array type: object type: array cosignOCI11: type: boolean failureAction: enum: - Audit - Enforce type: string image: type: string imageReferences: items: type: string type: array imageRegistryCredentials: properties: allowInsecureRegistry: type: boolean providers: items: enum: - default - amazon - azure - google - github type: string type: array secrets: items: type: string type: array type: object issuer: type: string key: type: string mutateDigest: default: true type: boolean repository: type: string required: default: true type: boolean roots: type: string skipImageReferences: items: type: string type: array subject: type: string type: enum: - Cosign - SigstoreBundle - Notary type: string useCache: default: true type: boolean validate: properties: deny: properties: conditions: x-kubernetes-preserve-unknown-fields: true type: object message: type: string type: object verifyDigest: default: true type: boolean type: object type: array required: - match - name type: object type: array schemaValidation: type: boolean useServerSideApply: type: boolean validationFailureAction: default: Audit enum: - audit - enforce - Audit - Enforce type: string validationFailureActionOverrides: items: properties: action: enum: - audit - enforce - Audit - Enforce type: string 
namespaceSelector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array x-kubernetes-list-type: atomic required: - key - operator type: object type: array x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string type: object type: object x-kubernetes-map-type: atomic namespaces: items: type: string type: array type: object type: array webhookConfiguration: properties: failurePolicy: enum: - Ignore - Fail type: string matchConditions: items: properties: expression: type: string name: type: string required: - expression - name type: object type: array timeoutSeconds: format: int32 type: integer type: object webhookTimeoutSeconds: format: int32 type: integer type: object status: properties: autogen: properties: rules: items: properties: celPreconditions: items: properties: expression: type: string name: type: string required: - expression - name type: object type: array context: items: oneOf: - required: - configMap - required: - apiCall - required: - imageRegistry - required: - variable - required: - globalReference properties: apiCall: properties: data: items: properties: key: type: string value: x-kubernetes-preserve-unknown-fields: true required: - key - value type: object type: array default: x-kubernetes-preserve-unknown-fields: true jmesPath: type: string method: default: GET enum: - GET - POST type: string service: properties: caBundle: type: string headers: items: properties: key: type: string value: type: string required: - key - value type: object type: array url: type: string required: - url type: object urlPath: type: string type: object configMap: properties: name: type: string namespace: type: string required: - name type: object globalReference: properties: jmesPath: type: string name: type: string required: - name type: object imageRegistry: properties: imageRegistryCredentials: properties: allowInsecureRegistry: type: boolean providers: items: enum: - 
default - amazon - azure - google - github type: string type: array secrets: items: type: string type: array type: object jmesPath: type: string reference: type: string required: - reference type: object name: type: string variable: properties: default: x-kubernetes-preserve-unknown-fields: true jmesPath: type: string value: x-kubernetes-preserve-unknown-fields: true type: object required: - name type: object type: array exclude: not: required: - any - all properties: all: items: properties: clusterRoles: items: type: string type: array resources: not: required: - name - names properties: annotations: additionalProperties: type: string type: object kinds: items: type: string type: array name: type: string names: items: type: string type: array namespaceSelector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array x-kubernetes-list-type: atomic required: - key - operator type: object type: array x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string type: object type: object x-kubernetes-map-type: atomic namespaces: items: type: string type: array operations: items: enum: - CREATE - CONNECT - UPDATE - DELETE type: string type: array selector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array x-kubernetes-list-type: atomic required: - key - operator type: object type: array x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string type: object type: object x-kubernetes-map-type: atomic type: object roles: items: type: string type: array subjects: items: properties: apiGroup: type: string kind: type: string name: type: string namespace: type: string required: - kind - name type: object x-kubernetes-map-type: atomic type: array type: object type: array any: items: properties: clusterRoles: items: type: string type: array resources: not: required: - name - names 
properties: annotations: additionalProperties: type: string type: object kinds: items: type: string type: array name: type: string names: items: type: string type: array namespaceSelector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array x-kubernetes-list-type: atomic required: - key - operator type: object type: array x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string type: object type: object x-kubernetes-map-type: atomic namespaces: items: type: string type: array operations: items: enum: - CREATE - CONNECT - UPDATE - DELETE type: string type: array selector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array x-kubernetes-list-type: atomic required: - key - operator type: object type: array x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string type: object type: object x-kubernetes-map-type: atomic type: object roles: items: type: string type: array subjects: items: properties: apiGroup: type: string kind: type: string name: type: string namespace: type: string required: - kind - name type: object x-kubernetes-map-type: atomic type: array type: object type: array clusterRoles: items: type: string type: array resources: not: required: - name - names properties: annotations: additionalProperties: type: string type: object kinds: items: type: string type: array name: type: string names: items: type: string type: array namespaceSelector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array x-kubernetes-list-type: atomic required: - key - operator type: object type: array x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string type: object type: object x-kubernetes-map-type: atomic namespaces: items: type: string type: array operations: items: enum: - CREATE - 
CONNECT - UPDATE - DELETE type: string type: array selector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array x-kubernetes-list-type: atomic required: - key - operator type: object type: array x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string type: object type: object x-kubernetes-map-type: atomic type: object roles: items: type: string type: array subjects: items: properties: apiGroup: type: string kind: type: string name: type: string namespace: type: string required: - kind - name type: object x-kubernetes-map-type: atomic type: array type: object generate: properties: apiVersion: type: string clone: properties: name: type: string namespace: type: string type: object cloneList: properties: kinds: items: type: string type: array namespace: type: string selector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array x-kubernetes-list-type: atomic required: - key - operator type: object type: array x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string type: object type: object x-kubernetes-map-type: atomic type: object data: x-kubernetes-preserve-unknown-fields: true foreach: items: properties: apiVersion: type: string clone: properties: name: type: string namespace: type: string type: object cloneList: properties: kinds: items: type: string type: array namespace: type: string selector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array x-kubernetes-list-type: atomic required: - key - operator type: object type: array x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string type: object type: object x-kubernetes-map-type: atomic type: object context: items: oneOf: - required: - configMap - required: - apiCall - required: - imageRegistry - required: - variable 
- required: - globalReference properties: apiCall: properties: data: items: properties: key: type: string value: x-kubernetes-preserve-unknown-fields: true required: - key - value type: object type: array default: x-kubernetes-preserve-unknown-fields: true jmesPath: type: string method: default: GET enum: - GET - POST type: string service: properties: caBundle: type: string headers: items: properties: key: type: string value: type: string required: - key - value type: object type: array url: type: string required: - url type: object urlPath: type: string type: object configMap: properties: name: type: string namespace: type: string required: - name type: object globalReference: properties: jmesPath: type: string name: type: string required: - name type: object imageRegistry: properties: imageRegistryCredentials: properties: allowInsecureRegistry: type: boolean providers: items: enum: - default - amazon - azure - google - github type: string type: array secrets: items: type: string type: array type: object jmesPath: type: string reference: type: string required: - reference type: object name: type: string variable: properties: default: x-kubernetes-preserve-unknown-fields: true jmesPath: type: string value: x-kubernetes-preserve-unknown-fields: true type: object required: - name type: object type: array data: x-kubernetes-preserve-unknown-fields: true kind: type: string list: type: string name: type: string namespace: type: string preconditions: properties: all: items: properties: key: x-kubernetes-preserve-unknown-fields: true message: type: string operator: enum: - Equals - NotEquals - In - AnyIn - AllIn - NotIn - AnyNotIn - AllNotIn - GreaterThanOrEquals - GreaterThan - LessThanOrEquals - LessThan - DurationGreaterThanOrEquals - DurationGreaterThan - DurationLessThanOrEquals - DurationLessThan type: string value: x-kubernetes-preserve-unknown-fields: true type: object type: array any: items: properties: key: x-kubernetes-preserve-unknown-fields: true message: 
type: string operator: enum: - Equals - NotEquals - In - AnyIn - AllIn - NotIn - AnyNotIn - AllNotIn - GreaterThanOrEquals - GreaterThan - LessThanOrEquals - LessThan - DurationGreaterThanOrEquals - DurationGreaterThan - DurationLessThanOrEquals - DurationLessThan type: string value: x-kubernetes-preserve-unknown-fields: true type: object type: array type: object x-kubernetes-preserve-unknown-fields: true uid: type: string type: object type: array generateExisting: type: boolean kind: type: string name: type: string namespace: type: string orphanDownstreamOnPolicyDelete: type: boolean synchronize: type: boolean uid: type: string type: object imageExtractors: additionalProperties: items: properties: jmesPath: type: string key: type: string name: type: string path: type: string value: type: string required: - path type: object type: array type: object match: not: required: - any - all properties: all: items: properties: clusterRoles: items: type: string type: array resources: not: required: - name - names properties: annotations: additionalProperties: type: string type: object kinds: items: type: string type: array name: type: string names: items: type: string type: array namespaceSelector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array x-kubernetes-list-type: atomic required: - key - operator type: object type: array x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string type: object type: object x-kubernetes-map-type: atomic namespaces: items: type: string type: array operations: items: enum: - CREATE - CONNECT - UPDATE - DELETE type: string type: array selector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array x-kubernetes-list-type: atomic required: - key - operator type: object type: array x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string type: 
object type: object x-kubernetes-map-type: atomic type: object roles: items: type: string type: array subjects: items: properties: apiGroup: type: string kind: type: string name: type: string namespace: type: string required: - kind - name type: object x-kubernetes-map-type: atomic type: array type: object type: array any: items: properties: clusterRoles: items: type: string type: array resources: not: required: - name - names properties: annotations: additionalProperties: type: string type: object kinds: items: type: string type: array name: type: string names: items: type: string type: array namespaceSelector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array x-kubernetes-list-type: atomic required: - key - operator type: object type: array x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string type: object type: object x-kubernetes-map-type: atomic namespaces: items: type: string type: array operations: items: enum: - CREATE - CONNECT - UPDATE - DELETE type: string type: array selector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array x-kubernetes-list-type: atomic required: - key - operator type: object type: array x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string type: object type: object x-kubernetes-map-type: atomic type: object roles: items: type: string type: array subjects: items: properties: apiGroup: type: string kind: type: string name: type: string namespace: type: string required: - kind - name type: object x-kubernetes-map-type: atomic type: array type: object type: array clusterRoles: items: type: string type: array resources: not: required: - name - names properties: annotations: additionalProperties: type: string type: object kinds: items: type: string type: array name: type: string names: items: type: string type: array 
namespaceSelector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array x-kubernetes-list-type: atomic required: - key - operator type: object type: array x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string type: object type: object x-kubernetes-map-type: atomic namespaces: items: type: string type: array operations: items: enum: - CREATE - CONNECT - UPDATE - DELETE type: string type: array selector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array x-kubernetes-list-type: atomic required: - key - operator type: object type: array x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string type: object type: object x-kubernetes-map-type: atomic type: object roles: items: type: string type: array subjects: items: properties: apiGroup: type: string kind: type: string name: type: string namespace: type: string required: - kind - name type: object x-kubernetes-map-type: atomic type: array type: object mutate: properties: foreach: items: properties: context: items: oneOf: - required: - configMap - required: - apiCall - required: - imageRegistry - required: - variable - required: - globalReference properties: apiCall: properties: data: items: properties: key: type: string value: x-kubernetes-preserve-unknown-fields: true required: - key - value type: object type: array default: x-kubernetes-preserve-unknown-fields: true jmesPath: type: string method: default: GET enum: - GET - POST type: string service: properties: caBundle: type: string headers: items: properties: key: type: string value: type: string required: - key - value type: object type: array url: type: string required: - url type: object urlPath: type: string type: object configMap: properties: name: type: string namespace: type: string required: - name type: object globalReference: properties: jmesPath: type: 
string name: type: string required: - name type: object imageRegistry: properties: imageRegistryCredentials: properties: allowInsecureRegistry: type: boolean providers: items: enum: - default - amazon - azure - google - github type: string type: array secrets: items: type: string type: array type: object jmesPath: type: string reference: type: string required: - reference type: object name: type: string variable: properties: default: x-kubernetes-preserve-unknown-fields: true jmesPath: type: string value: x-kubernetes-preserve-unknown-fields: true type: object required: - name type: object type: array foreach: x-kubernetes-preserve-unknown-fields: true list: type: string order: enum: - Ascending - Descending type: string patchStrategicMerge: x-kubernetes-preserve-unknown-fields: true patchesJson6902: type: string preconditions: properties: all: items: properties: key: x-kubernetes-preserve-unknown-fields: true message: type: string operator: enum: - Equals - NotEquals - In - AnyIn - AllIn - NotIn - AnyNotIn - AllNotIn - GreaterThanOrEquals - GreaterThan - LessThanOrEquals - LessThan - DurationGreaterThanOrEquals - DurationGreaterThan - DurationLessThanOrEquals - DurationLessThan type: string value: x-kubernetes-preserve-unknown-fields: true type: object type: array any: items: properties: key: x-kubernetes-preserve-unknown-fields: true message: type: string operator: enum: - Equals - NotEquals - In - AnyIn - AllIn - NotIn - AnyNotIn - AllNotIn - GreaterThanOrEquals - GreaterThan - LessThanOrEquals - LessThan - DurationGreaterThanOrEquals - DurationGreaterThan - DurationLessThanOrEquals - DurationLessThan type: string value: x-kubernetes-preserve-unknown-fields: true type: object type: array type: object x-kubernetes-preserve-unknown-fields: true type: object type: array mutateExistingOnPolicyUpdate: type: boolean patchStrategicMerge: x-kubernetes-preserve-unknown-fields: true patchesJson6902: type: string targets: items: properties: apiVersion: type: string 
context: items: oneOf: - required: - configMap - required: - apiCall - required: - imageRegistry - required: - variable - required: - globalReference properties: apiCall: properties: data: items: properties: key: type: string value: x-kubernetes-preserve-unknown-fields: true required: - key - value type: object type: array default: x-kubernetes-preserve-unknown-fields: true jmesPath: type: string method: default: GET enum: - GET - POST type: string service: properties: caBundle: type: string headers: items: properties: key: type: string value: type: string required: - key - value type: object type: array url: type: string required: - url type: object urlPath: type: string type: object configMap: properties: name: type: string namespace: type: string required: - name type: object globalReference: properties: jmesPath: type: string name: type: string required: - name type: object imageRegistry: properties: imageRegistryCredentials: properties: allowInsecureRegistry: type: boolean providers: items: enum: - default - amazon - azure - google - github type: string type: array secrets: items: type: string type: array type: object jmesPath: type: string reference: type: string required: - reference type: object name: type: string variable: properties: default: x-kubernetes-preserve-unknown-fields: true jmesPath: type: string value: x-kubernetes-preserve-unknown-fields: true type: object required: - name type: object type: array kind: type: string name: type: string namespace: type: string preconditions: x-kubernetes-preserve-unknown-fields: true selector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array x-kubernetes-list-type: atomic required: - key - operator type: object type: array x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string type: object type: object x-kubernetes-map-type: atomic uid: type: string type: object type: array type: object name: maxLength: 63 
type: string preconditions: x-kubernetes-preserve-unknown-fields: true reportProperties: additionalProperties: type: string type: object skipBackgroundRequests: default: true type: boolean validate: properties: allowExistingViolations: default: true type: boolean anyPattern: x-kubernetes-preserve-unknown-fields: true assert: type: object x-kubernetes-preserve-unknown-fields: true cel: properties: auditAnnotations: items: properties: key: type: string valueExpression: type: string required: - key - valueExpression type: object type: array expressions: items: properties: expression: type: string message: type: string messageExpression: type: string reason: type: string required: - expression type: object type: array generate: default: false type: boolean paramKind: properties: apiVersion: type: string kind: type: string type: object x-kubernetes-map-type: atomic paramRef: properties: name: type: string namespace: type: string parameterNotFoundAction: type: string selector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array x-kubernetes-list-type: atomic required: - key - operator type: object type: array x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string type: object type: object x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic variables: items: properties: expression: type: string name: type: string required: - expression - name type: object x-kubernetes-map-type: atomic type: array type: object deny: properties: conditions: x-kubernetes-preserve-unknown-fields: true type: object failureAction: enum: - Audit - Enforce type: string failureActionOverrides: items: properties: action: enum: - audit - enforce - Audit - Enforce type: string namespaceSelector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array x-kubernetes-list-type: atomic required: - key - operator 
type: object type: array x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string type: object type: object x-kubernetes-map-type: atomic namespaces: items: type: string type: array type: object type: array foreach: items: properties: anyPattern: x-kubernetes-preserve-unknown-fields: true context: items: oneOf: - required: - configMap - required: - apiCall - required: - imageRegistry - required: - variable - required: - globalReference properties: apiCall: properties: data: items: properties: key: type: string value: x-kubernetes-preserve-unknown-fields: true required: - key - value type: object type: array default: x-kubernetes-preserve-unknown-fields: true jmesPath: type: string method: default: GET enum: - GET - POST type: string service: properties: caBundle: type: string headers: items: properties: key: type: string value: type: string required: - key - value type: object type: array url: type: string required: - url type: object urlPath: type: string type: object configMap: properties: name: type: string namespace: type: string required: - name type: object globalReference: properties: jmesPath: type: string name: type: string required: - name type: object imageRegistry: properties: imageRegistryCredentials: properties: allowInsecureRegistry: type: boolean providers: items: enum: - default - amazon - azure - google - github type: string type: array secrets: items: type: string type: array type: object jmesPath: type: string reference: type: string required: - reference type: object name: type: string variable: properties: default: x-kubernetes-preserve-unknown-fields: true jmesPath: type: string value: x-kubernetes-preserve-unknown-fields: true type: object required: - name type: object type: array deny: properties: conditions: x-kubernetes-preserve-unknown-fields: true type: object elementScope: type: boolean foreach: x-kubernetes-preserve-unknown-fields: true list: type: string pattern: x-kubernetes-preserve-unknown-fields: true 
preconditions: properties: all: items: properties: key: x-kubernetes-preserve-unknown-fields: true message: type: string operator: enum: - Equals - NotEquals - In - AnyIn - AllIn - NotIn - AnyNotIn - AllNotIn - GreaterThanOrEquals - GreaterThan - LessThanOrEquals - LessThan - DurationGreaterThanOrEquals - DurationGreaterThan - DurationLessThanOrEquals - DurationLessThan type: string value: x-kubernetes-preserve-unknown-fields: true type: object type: array any: items: properties: key: x-kubernetes-preserve-unknown-fields: true message: type: string operator: enum: - Equals - NotEquals - In - AnyIn - AllIn - NotIn - AnyNotIn - AllNotIn - GreaterThanOrEquals - GreaterThan - LessThanOrEquals - LessThan - DurationGreaterThanOrEquals - DurationGreaterThan - DurationLessThanOrEquals - DurationLessThan type: string value: x-kubernetes-preserve-unknown-fields: true type: object type: array type: object x-kubernetes-preserve-unknown-fields: true type: object type: array manifests: properties: annotationDomain: type: string attestors: items: properties: count: minimum: 1 type: integer entries: items: properties: annotations: additionalProperties: type: string type: object attestor: x-kubernetes-preserve-unknown-fields: true certificates: properties: cert: type: string certChain: type: string ctlog: properties: ignoreSCT: type: boolean pubkey: type: string tsaCertChain: type: string type: object rekor: properties: ignoreTlog: type: boolean pubkey: type: string url: type: string type: object type: object keyless: properties: additionalExtensions: additionalProperties: type: string type: object ctlog: properties: ignoreSCT: type: boolean pubkey: type: string tsaCertChain: type: string type: object issuer: type: string issuerRegExp: type: string rekor: properties: ignoreTlog: type: boolean pubkey: type: string url: type: string type: object roots: type: string subject: type: string subjectRegExp: type: string type: object keys: properties: ctlog: properties: ignoreSCT: type: 
boolean pubkey: type: string tsaCertChain: type: string type: object kms: type: string publicKeys: type: string rekor: properties: ignoreTlog: type: boolean pubkey: type: string url: type: string type: object secret: properties: name: type: string namespace: type: string required: - name - namespace type: object signatureAlgorithm: default: sha256 type: string type: object repository: type: string signatureAlgorithm: default: sha256 type: string type: object type: array type: object type: array dryRun: properties: enable: type: boolean namespace: type: string type: object ignoreFields: items: properties: fields: items: type: string type: array objects: items: properties: group: type: string kind: type: string name: type: string namespace: type: string version: type: string type: object type: array type: object type: array repository: type: string type: object message: type: string pattern: x-kubernetes-preserve-unknown-fields: true podSecurity: properties: exclude: items: properties: controlName: enum: - HostProcess - Host Namespaces - Privileged Containers - Capabilities - HostPath Volumes - Host Ports - AppArmor - SELinux - /proc Mount Type - Seccomp - Sysctls - Volume Types - Privilege Escalation - Running as Non-root - Running as Non-root user type: string images: items: type: string type: array restrictedField: type: string values: items: type: string type: array required: - controlName type: object type: array level: enum: - privileged - baseline - restricted type: string version: enum: - v1.19 - v1.20 - v1.21 - v1.22 - v1.23 - v1.24 - v1.25 - v1.26 - v1.27 - v1.28 - v1.29 - latest type: string type: object type: object verifyImages: items: properties: additionalExtensions: additionalProperties: type: string type: object annotations: additionalProperties: type: string type: object attestations: items: properties: attestors: items: properties: count: minimum: 1 type: integer entries: items: properties: annotations: additionalProperties: type: string type: 
object attestor: x-kubernetes-preserve-unknown-fields: true certificates: properties: cert: type: string certChain: type: string ctlog: properties: ignoreSCT: type: boolean pubkey: type: string tsaCertChain: type: string type: object rekor: properties: ignoreTlog: type: boolean pubkey: type: string url: type: string type: object type: object keyless: properties: additionalExtensions: additionalProperties: type: string type: object ctlog: properties: ignoreSCT: type: boolean pubkey: type: string tsaCertChain: type: string type: object issuer: type: string issuerRegExp: type: string rekor: properties: ignoreTlog: type: boolean pubkey: type: string url: type: string type: object roots: type: string subject: type: string subjectRegExp: type: string type: object keys: properties: ctlog: properties: ignoreSCT: type: boolean pubkey: type: string tsaCertChain: type: string type: object kms: type: string publicKeys: type: string rekor: properties: ignoreTlog: type: boolean pubkey: type: string url: type: string type: object secret: properties: name: type: string namespace: type: string required: - name - namespace type: object signatureAlgorithm: default: sha256 type: string type: object repository: type: string signatureAlgorithm: default: sha256 type: string type: object type: array type: object type: array conditions: items: properties: all: items: properties: key: x-kubernetes-preserve-unknown-fields: true message: type: string operator: enum: - Equals - NotEquals - In - AnyIn - AllIn - NotIn - AnyNotIn - AllNotIn - GreaterThanOrEquals - GreaterThan - LessThanOrEquals - LessThan - DurationGreaterThanOrEquals - DurationGreaterThan - DurationLessThanOrEquals - DurationLessThan type: string value: x-kubernetes-preserve-unknown-fields: true type: object type: array any: items: properties: key: x-kubernetes-preserve-unknown-fields: true message: type: string operator: enum: - Equals - NotEquals - In - AnyIn - AllIn - NotIn - AnyNotIn - AllNotIn - GreaterThanOrEquals - 
GreaterThan - LessThanOrEquals - LessThan - DurationGreaterThanOrEquals - DurationGreaterThan - DurationLessThanOrEquals - DurationLessThan type: string value: x-kubernetes-preserve-unknown-fields: true type: object type: array type: object type: array name: type: string predicateType: type: string type: type: string type: object type: array attestors: items: properties: count: minimum: 1 type: integer entries: items: properties: annotations: additionalProperties: type: string type: object attestor: x-kubernetes-preserve-unknown-fields: true certificates: properties: cert: type: string certChain: type: string ctlog: properties: ignoreSCT: type: boolean pubkey: type: string tsaCertChain: type: string type: object rekor: properties: ignoreTlog: type: boolean pubkey: type: string url: type: string type: object type: object keyless: properties: additionalExtensions: additionalProperties: type: string type: object ctlog: properties: ignoreSCT: type: boolean pubkey: type: string tsaCertChain: type: string type: object issuer: type: string issuerRegExp: type: string rekor: properties: ignoreTlog: type: boolean pubkey: type: string url: type: string type: object roots: type: string subject: type: string subjectRegExp: type: string type: object keys: properties: ctlog: properties: ignoreSCT: type: boolean pubkey: type: string tsaCertChain: type: string type: object kms: type: string publicKeys: type: string rekor: properties: ignoreTlog: type: boolean pubkey: type: string url: type: string type: object secret: properties: name: type: string namespace: type: string required: - name - namespace type: object signatureAlgorithm: default: sha256 type: string type: object repository: type: string signatureAlgorithm: default: sha256 type: string type: object type: array type: object type: array cosignOCI11: type: boolean failureAction: enum: - Audit - Enforce type: string image: type: string imageReferences: items: type: string type: array imageRegistryCredentials: properties: 
allowInsecureRegistry: type: boolean providers: items: enum: - default - amazon - azure - google - github type: string type: array secrets: items: type: string type: array type: object issuer: type: string key: type: string mutateDigest: default: true type: boolean repository: type: string required: default: true type: boolean roots: type: string skipImageReferences: items: type: string type: array subject: type: string type: enum: - Cosign - SigstoreBundle - Notary type: string useCache: default: true type: boolean validate: properties: deny: properties: conditions: x-kubernetes-preserve-unknown-fields: true type: object message: type: string type: object verifyDigest: default: true type: boolean type: object type: array required: - match - name type: object type: array type: object conditions: items: properties: lastTransitionTime: format: date-time type: string message: maxLength: 32768 type: string observedGeneration: format: int64 minimum: 0 type: integer reason: maxLength: 1024 minLength: 1 pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ type: string status: enum: - "True" - "False" - Unknown type: string type: maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string required: - lastTransitionTime - message - reason - status - type type: object type: array ready: type: boolean rulecount: properties: generate: type: integer mutate: type: integer validate: type: integer verifyimages: type: integer required: - generate - mutate - validate - verifyimages type: object validatingadmissionpolicy: properties: generated: type: boolean message: type: string required: - generated - message type: object type: object required: - spec type: object served: true storage: true subresources: status: {} - additionalPrinterColumns: - jsonPath: .spec.admission name: ADMISSION type: boolean - jsonPath: .spec.background name: BACKGROUND type: boolean - jsonPath: .status.conditions[?(@.type 
== "Ready")].status name: READY type: string - jsonPath: .metadata.creationTimestamp name: AGE type: date - jsonPath: .spec.failurePolicy name: FAILURE POLICY priority: 1 type: string - jsonPath: .status.rulecount.validate name: VALIDATE priority: 1 type: integer - jsonPath: .status.rulecount.mutate name: MUTATE priority: 1 type: integer - jsonPath: .status.rulecount.generate name: GENERATE priority: 1 type: integer - jsonPath: .status.rulecount.verifyimages name: VERIFY IMAGES priority: 1 type: integer - jsonPath: .status.conditions[?(@.type == "Ready")].message name: MESSAGE type: string name: v2beta1 schema: openAPIV3Schema: properties: apiVersion: type: string kind: type: string metadata: type: object spec: properties: admission: default: true type: boolean applyRules: enum: - All - One type: string background: default: true type: boolean emitWarning: default: false type: boolean failurePolicy: enum: - Ignore - Fail type: string generateExisting: type: boolean generateExistingOnPolicyUpdate: type: boolean mutateExistingOnPolicyUpdate: type: boolean rules: items: properties: celPreconditions: items: properties: expression: type: string name: type: string required: - expression - name type: object type: array context: items: oneOf: - required: - configMap - required: - apiCall - required: - imageRegistry - required: - variable - required: - globalReference properties: apiCall: properties: data: items: properties: key: type: string value: x-kubernetes-preserve-unknown-fields: true required: - key - value type: object type: array default: x-kubernetes-preserve-unknown-fields: true jmesPath: type: string method: default: GET enum: - GET - POST type: string service: properties: caBundle: type: string headers: items: properties: key: type: string value: type: string required: - key - value type: object type: array url: type: string required: - url type: object urlPath: type: string type: object configMap: properties: name: type: string namespace: type: string 
required: - name type: object globalReference: properties: jmesPath: type: string name: type: string required: - name type: object imageRegistry: properties: imageRegistryCredentials: properties: allowInsecureRegistry: type: boolean providers: items: enum: - default - amazon - azure - google - github type: string type: array secrets: items: type: string type: array type: object jmesPath: type: string reference: type: string required: - reference type: object name: type: string variable: properties: default: x-kubernetes-preserve-unknown-fields: true jmesPath: type: string value: x-kubernetes-preserve-unknown-fields: true type: object required: - name type: object type: array exclude: not: required: - any - all properties: all: items: properties: clusterRoles: items: type: string type: array resources: not: required: - name - names properties: annotations: additionalProperties: type: string type: object kinds: items: type: string type: array name: type: string names: items: type: string type: array namespaceSelector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array x-kubernetes-list-type: atomic required: - key - operator type: object type: array x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string type: object type: object x-kubernetes-map-type: atomic namespaces: items: type: string type: array operations: items: enum: - CREATE - CONNECT - UPDATE - DELETE type: string type: array selector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array x-kubernetes-list-type: atomic required: - key - operator type: object type: array x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string type: object type: object x-kubernetes-map-type: atomic type: object roles: items: type: string type: array subjects: items: properties: apiGroup: type: string kind: type: string name: 
type: string namespace: type: string required: - kind - name type: object x-kubernetes-map-type: atomic type: array type: object type: array any: items: properties: clusterRoles: items: type: string type: array resources: not: required: - name - names properties: annotations: additionalProperties: type: string type: object kinds: items: type: string type: array name: type: string names: items: type: string type: array namespaceSelector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array x-kubernetes-list-type: atomic required: - key - operator type: object type: array x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string type: object type: object x-kubernetes-map-type: atomic namespaces: items: type: string type: array operations: items: enum: - CREATE - CONNECT - UPDATE - DELETE type: string type: array selector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array x-kubernetes-list-type: atomic required: - key - operator type: object type: array x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string type: object type: object x-kubernetes-map-type: atomic type: object roles: items: type: string type: array subjects: items: properties: apiGroup: type: string kind: type: string name: type: string namespace: type: string required: - kind - name type: object x-kubernetes-map-type: atomic type: array type: object type: array type: object generate: properties: apiVersion: type: string clone: properties: name: type: string namespace: type: string type: object cloneList: properties: kinds: items: type: string type: array namespace: type: string selector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array x-kubernetes-list-type: atomic required: - key - operator type: object type: array 
x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string type: object type: object x-kubernetes-map-type: atomic type: object data: x-kubernetes-preserve-unknown-fields: true foreach: items: properties: apiVersion: type: string clone: properties: name: type: string namespace: type: string type: object cloneList: properties: kinds: items: type: string type: array namespace: type: string selector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array x-kubernetes-list-type: atomic required: - key - operator type: object type: array x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string type: object type: object x-kubernetes-map-type: atomic type: object context: items: oneOf: - required: - configMap - required: - apiCall - required: - imageRegistry - required: - variable - required: - globalReference properties: apiCall: properties: data: items: properties: key: type: string value: x-kubernetes-preserve-unknown-fields: true required: - key - value type: object type: array default: x-kubernetes-preserve-unknown-fields: true jmesPath: type: string method: default: GET enum: - GET - POST type: string service: properties: caBundle: type: string headers: items: properties: key: type: string value: type: string required: - key - value type: object type: array url: type: string required: - url type: object urlPath: type: string type: object configMap: properties: name: type: string namespace: type: string required: - name type: object globalReference: properties: jmesPath: type: string name: type: string required: - name type: object imageRegistry: properties: imageRegistryCredentials: properties: allowInsecureRegistry: type: boolean providers: items: enum: - default - amazon - azure - google - github type: string type: array secrets: items: type: string type: array type: object jmesPath: type: string reference: type: string required: - reference type: 
object name: type: string variable: properties: default: x-kubernetes-preserve-unknown-fields: true jmesPath: type: string value: x-kubernetes-preserve-unknown-fields: true type: object required: - name type: object type: array data: x-kubernetes-preserve-unknown-fields: true kind: type: string list: type: string name: type: string namespace: type: string preconditions: properties: all: items: properties: key: x-kubernetes-preserve-unknown-fields: true message: type: string operator: enum: - Equals - NotEquals - In - AnyIn - AllIn - NotIn - AnyNotIn - AllNotIn - GreaterThanOrEquals - GreaterThan - LessThanOrEquals - LessThan - DurationGreaterThanOrEquals - DurationGreaterThan - DurationLessThanOrEquals - DurationLessThan type: string value: x-kubernetes-preserve-unknown-fields: true type: object type: array any: items: properties: key: x-kubernetes-preserve-unknown-fields: true message: type: string operator: enum: - Equals - NotEquals - In - AnyIn - AllIn - NotIn - AnyNotIn - AllNotIn - GreaterThanOrEquals - GreaterThan - LessThanOrEquals - LessThan - DurationGreaterThanOrEquals - DurationGreaterThan - DurationLessThanOrEquals - DurationLessThan type: string value: x-kubernetes-preserve-unknown-fields: true type: object type: array type: object x-kubernetes-preserve-unknown-fields: true uid: type: string type: object type: array generateExisting: type: boolean kind: type: string name: type: string namespace: type: string orphanDownstreamOnPolicyDelete: type: boolean synchronize: type: boolean uid: type: string type: object imageExtractors: additionalProperties: items: properties: jmesPath: type: string key: type: string name: type: string path: type: string value: type: string required: - path type: object type: array type: object match: not: required: - any - all properties: all: items: properties: clusterRoles: items: type: string type: array resources: not: required: - name - names properties: annotations: additionalProperties: type: string type: object kinds: 
items: type: string type: array name: type: string names: items: type: string type: array namespaceSelector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array x-kubernetes-list-type: atomic required: - key - operator type: object type: array x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string type: object type: object x-kubernetes-map-type: atomic namespaces: items: type: string type: array operations: items: enum: - CREATE - CONNECT - UPDATE - DELETE type: string type: array selector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array x-kubernetes-list-type: atomic required: - key - operator type: object type: array x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string type: object type: object x-kubernetes-map-type: atomic type: object roles: items: type: string type: array subjects: items: properties: apiGroup: type: string kind: type: string name: type: string namespace: type: string required: - kind - name type: object x-kubernetes-map-type: atomic type: array type: object type: array any: items: properties: clusterRoles: items: type: string type: array resources: not: required: - name - names properties: annotations: additionalProperties: type: string type: object kinds: items: type: string type: array name: type: string names: items: type: string type: array namespaceSelector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array x-kubernetes-list-type: atomic required: - key - operator type: object type: array x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string type: object type: object x-kubernetes-map-type: atomic namespaces: items: type: string type: array operations: items: enum: - CREATE - CONNECT - UPDATE - DELETE type: string type: array 
selector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array x-kubernetes-list-type: atomic required: - key - operator type: object type: array x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string type: object type: object x-kubernetes-map-type: atomic type: object roles: items: type: string type: array subjects: items: properties: apiGroup: type: string kind: type: string name: type: string namespace: type: string required: - kind - name type: object x-kubernetes-map-type: atomic type: array type: object type: array type: object mutate: properties: foreach: items: properties: context: items: oneOf: - required: - configMap - required: - apiCall - required: - imageRegistry - required: - variable - required: - globalReference properties: apiCall: properties: data: items: properties: key: type: string value: x-kubernetes-preserve-unknown-fields: true required: - key - value type: object type: array default: x-kubernetes-preserve-unknown-fields: true jmesPath: type: string method: default: GET enum: - GET - POST type: string service: properties: caBundle: type: string headers: items: properties: key: type: string value: type: string required: - key - value type: object type: array url: type: string required: - url type: object urlPath: type: string type: object configMap: properties: name: type: string namespace: type: string required: - name type: object globalReference: properties: jmesPath: type: string name: type: string required: - name type: object imageRegistry: properties: imageRegistryCredentials: properties: allowInsecureRegistry: type: boolean providers: items: enum: - default - amazon - azure - google - github type: string type: array secrets: items: type: string type: array type: object jmesPath: type: string reference: type: string required: - reference type: object name: type: string variable: properties: default: x-kubernetes-preserve-unknown-fields: 
true jmesPath: type: string value: x-kubernetes-preserve-unknown-fields: true type: object required: - name type: object type: array foreach: x-kubernetes-preserve-unknown-fields: true list: type: string order: enum: - Ascending - Descending type: string patchStrategicMerge: x-kubernetes-preserve-unknown-fields: true patchesJson6902: type: string preconditions: properties: all: items: properties: key: x-kubernetes-preserve-unknown-fields: true message: type: string operator: enum: - Equals - NotEquals - In - AnyIn - AllIn - NotIn - AnyNotIn - AllNotIn - GreaterThanOrEquals - GreaterThan - LessThanOrEquals - LessThan - DurationGreaterThanOrEquals - DurationGreaterThan - DurationLessThanOrEquals - DurationLessThan type: string value: x-kubernetes-preserve-unknown-fields: true type: object type: array any: items: properties: key: x-kubernetes-preserve-unknown-fields: true message: type: string operator: enum: - Equals - NotEquals - In - AnyIn - AllIn - NotIn - AnyNotIn - AllNotIn - GreaterThanOrEquals - GreaterThan - LessThanOrEquals - LessThan - DurationGreaterThanOrEquals - DurationGreaterThan - DurationLessThanOrEquals - DurationLessThan type: string value: x-kubernetes-preserve-unknown-fields: true type: object type: array type: object x-kubernetes-preserve-unknown-fields: true type: object type: array mutateExistingOnPolicyUpdate: type: boolean patchStrategicMerge: x-kubernetes-preserve-unknown-fields: true patchesJson6902: type: string targets: items: properties: apiVersion: type: string context: items: oneOf: - required: - configMap - required: - apiCall - required: - imageRegistry - required: - variable - required: - globalReference properties: apiCall: properties: data: items: properties: key: type: string value: x-kubernetes-preserve-unknown-fields: true required: - key - value type: object type: array default: x-kubernetes-preserve-unknown-fields: true jmesPath: type: string method: default: GET enum: - GET - POST type: string service: properties: caBundle: 
type: string headers: items: properties: key: type: string value: type: string required: - key - value type: object type: array url: type: string required: - url type: object urlPath: type: string type: object configMap: properties: name: type: string namespace: type: string required: - name type: object globalReference: properties: jmesPath: type: string name: type: string required: - name type: object imageRegistry: properties: imageRegistryCredentials: properties: allowInsecureRegistry: type: boolean providers: items: enum: - default - amazon - azure - google - github type: string type: array secrets: items: type: string type: array type: object jmesPath: type: string reference: type: string required: - reference type: object name: type: string variable: properties: default: x-kubernetes-preserve-unknown-fields: true jmesPath: type: string value: x-kubernetes-preserve-unknown-fields: true type: object required: - name type: object type: array kind: type: string name: type: string namespace: type: string preconditions: x-kubernetes-preserve-unknown-fields: true selector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array x-kubernetes-list-type: atomic required: - key - operator type: object type: array x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string type: object type: object x-kubernetes-map-type: atomic uid: type: string type: object type: array type: object name: maxLength: 63 type: string preconditions: properties: all: items: properties: key: x-kubernetes-preserve-unknown-fields: true message: type: string operator: enum: - Equals - NotEquals - AnyIn - AllIn - AnyNotIn - AllNotIn - GreaterThanOrEquals - GreaterThan - LessThanOrEquals - LessThan - DurationGreaterThanOrEquals - DurationGreaterThan - DurationLessThanOrEquals - DurationLessThan type: string value: x-kubernetes-preserve-unknown-fields: true type: object type: array any: items: properties: 
key: x-kubernetes-preserve-unknown-fields: true message: type: string operator: enum: - Equals - NotEquals - AnyIn - AllIn - AnyNotIn - AllNotIn - GreaterThanOrEquals - GreaterThan - LessThanOrEquals - LessThan - DurationGreaterThanOrEquals - DurationGreaterThan - DurationLessThanOrEquals - DurationLessThan type: string value: x-kubernetes-preserve-unknown-fields: true type: object type: array type: object skipBackgroundRequests: default: true type: boolean validate: properties: anyPattern: x-kubernetes-preserve-unknown-fields: true assert: type: object x-kubernetes-preserve-unknown-fields: true cel: properties: auditAnnotations: items: properties: key: type: string valueExpression: type: string required: - key - valueExpression type: object type: array expressions: items: properties: expression: type: string message: type: string messageExpression: type: string reason: type: string required: - expression type: object type: array generate: default: false type: boolean paramKind: properties: apiVersion: type: string kind: type: string type: object x-kubernetes-map-type: atomic paramRef: properties: name: type: string namespace: type: string parameterNotFoundAction: type: string selector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array x-kubernetes-list-type: atomic required: - key - operator type: object type: array x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string type: object type: object x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic variables: items: properties: expression: type: string name: type: string required: - expression - name type: object x-kubernetes-map-type: atomic type: array type: object deny: properties: conditions: properties: all: items: properties: key: x-kubernetes-preserve-unknown-fields: true message: type: string operator: enum: - Equals - NotEquals - AnyIn - AllIn - AnyNotIn - AllNotIn - 
GreaterThanOrEquals - GreaterThan - LessThanOrEquals - LessThan - DurationGreaterThanOrEquals - DurationGreaterThan - DurationLessThanOrEquals - DurationLessThan type: string value: x-kubernetes-preserve-unknown-fields: true type: object type: array any: items: properties: key: x-kubernetes-preserve-unknown-fields: true message: type: string operator: enum: - Equals - NotEquals - AnyIn - AllIn - AnyNotIn - AllNotIn - GreaterThanOrEquals - GreaterThan - LessThanOrEquals - LessThan - DurationGreaterThanOrEquals - DurationGreaterThan - DurationLessThanOrEquals - DurationLessThan type: string value: x-kubernetes-preserve-unknown-fields: true type: object type: array type: object type: object failureAction: enum: - Audit - Enforce type: string failureActionOverrides: items: properties: action: enum: - audit - enforce - Audit - Enforce type: string namespaceSelector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array x-kubernetes-list-type: atomic required: - key - operator type: object type: array x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string type: object type: object x-kubernetes-map-type: atomic namespaces: items: type: string type: array type: object type: array foreach: items: properties: anyPattern: x-kubernetes-preserve-unknown-fields: true context: items: oneOf: - required: - configMap - required: - apiCall - required: - imageRegistry - required: - variable - required: - globalReference properties: apiCall: properties: data: items: properties: key: type: string value: x-kubernetes-preserve-unknown-fields: true required: - key - value type: object type: array default: x-kubernetes-preserve-unknown-fields: true jmesPath: type: string method: default: GET enum: - GET - POST type: string service: properties: caBundle: type: string headers: items: properties: key: type: string value: type: string required: - key - value type: object type: array url: type: 
string required: - url type: object urlPath: type: string type: object configMap: properties: name: type: string namespace: type: string required: - name type: object globalReference: properties: jmesPath: type: string name: type: string required: - name type: object imageRegistry: properties: imageRegistryCredentials: properties: allowInsecureRegistry: type: boolean providers: items: enum: - default - amazon - azure - google - github type: string type: array secrets: items: type: string type: array type: object jmesPath: type: string reference: type: string required: - reference type: object name: type: string variable: properties: default: x-kubernetes-preserve-unknown-fields: true jmesPath: type: string value: x-kubernetes-preserve-unknown-fields: true type: object required: - name type: object type: array deny: properties: conditions: x-kubernetes-preserve-unknown-fields: true type: object elementScope: type: boolean foreach: x-kubernetes-preserve-unknown-fields: true list: type: string pattern: x-kubernetes-preserve-unknown-fields: true preconditions: properties: all: items: properties: key: x-kubernetes-preserve-unknown-fields: true message: type: string operator: enum: - Equals - NotEquals - In - AnyIn - AllIn - NotIn - AnyNotIn - AllNotIn - GreaterThanOrEquals - GreaterThan - LessThanOrEquals - LessThan - DurationGreaterThanOrEquals - DurationGreaterThan - DurationLessThanOrEquals - DurationLessThan type: string value: x-kubernetes-preserve-unknown-fields: true type: object type: array any: items: properties: key: x-kubernetes-preserve-unknown-fields: true message: type: string operator: enum: - Equals - NotEquals - In - AnyIn - AllIn - NotIn - AnyNotIn - AllNotIn - GreaterThanOrEquals - GreaterThan - LessThanOrEquals - LessThan - DurationGreaterThanOrEquals - DurationGreaterThan - DurationLessThanOrEquals - DurationLessThan type: string value: x-kubernetes-preserve-unknown-fields: true type: object type: array type: object 
x-kubernetes-preserve-unknown-fields: true type: object type: array manifests: properties: annotationDomain: type: string attestors: items: properties: count: minimum: 1 type: integer entries: items: properties: annotations: additionalProperties: type: string type: object attestor: x-kubernetes-preserve-unknown-fields: true certificates: properties: cert: type: string certChain: type: string ctlog: properties: ignoreSCT: type: boolean pubkey: type: string tsaCertChain: type: string type: object rekor: properties: ignoreTlog: type: boolean pubkey: type: string url: type: string type: object type: object keyless: properties: additionalExtensions: additionalProperties: type: string type: object ctlog: properties: ignoreSCT: type: boolean pubkey: type: string tsaCertChain: type: string type: object issuer: type: string issuerRegExp: type: string rekor: properties: ignoreTlog: type: boolean pubkey: type: string url: type: string type: object roots: type: string subject: type: string subjectRegExp: type: string type: object keys: properties: ctlog: properties: ignoreSCT: type: boolean pubkey: type: string tsaCertChain: type: string type: object kms: type: string publicKeys: type: string rekor: properties: ignoreTlog: type: boolean pubkey: type: string url: type: string type: object secret: properties: name: type: string namespace: type: string required: - name - namespace type: object signatureAlgorithm: default: sha256 type: string type: object repository: type: string signatureAlgorithm: default: sha256 type: string type: object type: array type: object type: array dryRun: properties: enable: type: boolean namespace: type: string type: object ignoreFields: items: properties: fields: items: type: string type: array objects: items: properties: group: type: string kind: type: string name: type: string namespace: type: string version: type: string type: object type: array type: object type: array repository: type: string type: object message: type: string pattern: 
x-kubernetes-preserve-unknown-fields: true podSecurity: properties: exclude: items: properties: controlName: enum: - HostProcess - Host Namespaces - Privileged Containers - Capabilities - HostPath Volumes - Host Ports - AppArmor - SELinux - /proc Mount Type - Seccomp - Sysctls - Volume Types - Privilege Escalation - Running as Non-root - Running as Non-root user type: string images: items: type: string type: array restrictedField: type: string values: items: type: string type: array required: - controlName type: object type: array level: enum: - privileged - baseline - restricted type: string version: enum: - v1.19 - v1.20 - v1.21 - v1.22 - v1.23 - v1.24 - v1.25 - v1.26 - v1.27 - v1.28 - v1.29 - latest type: string type: object type: object verifyImages: items: properties: attestations: items: properties: attestors: items: properties: count: minimum: 1 type: integer entries: items: properties: annotations: additionalProperties: type: string type: object attestor: x-kubernetes-preserve-unknown-fields: true certificates: properties: cert: type: string certChain: type: string ctlog: properties: ignoreSCT: type: boolean pubkey: type: string tsaCertChain: type: string type: object rekor: properties: ignoreTlog: type: boolean pubkey: type: string url: type: string type: object type: object keyless: properties: additionalExtensions: additionalProperties: type: string type: object ctlog: properties: ignoreSCT: type: boolean pubkey: type: string tsaCertChain: type: string type: object issuer: type: string issuerRegExp: type: string rekor: properties: ignoreTlog: type: boolean pubkey: type: string url: type: string type: object roots: type: string subject: type: string subjectRegExp: type: string type: object keys: properties: ctlog: properties: ignoreSCT: type: boolean pubkey: type: string tsaCertChain: type: string type: object kms: type: string publicKeys: type: string rekor: properties: ignoreTlog: type: boolean pubkey: type: string url: type: string type: object secret: 
properties: name: type: string namespace: type: string required: - name - namespace type: object signatureAlgorithm: default: sha256 type: string type: object repository: type: string signatureAlgorithm: default: sha256 type: string type: object type: array type: object type: array conditions: items: properties: all: items: properties: key: x-kubernetes-preserve-unknown-fields: true message: type: string operator: enum: - Equals - NotEquals - In - AnyIn - AllIn - NotIn - AnyNotIn - AllNotIn - GreaterThanOrEquals - GreaterThan - LessThanOrEquals - LessThan - DurationGreaterThanOrEquals - DurationGreaterThan - DurationLessThanOrEquals - DurationLessThan type: string value: x-kubernetes-preserve-unknown-fields: true type: object type: array any: items: properties: key: x-kubernetes-preserve-unknown-fields: true message: type: string operator: enum: - Equals - NotEquals - In - AnyIn - AllIn - NotIn - AnyNotIn - AllNotIn - GreaterThanOrEquals - GreaterThan - LessThanOrEquals - LessThan - DurationGreaterThanOrEquals - DurationGreaterThan - DurationLessThanOrEquals - DurationLessThan type: string value: x-kubernetes-preserve-unknown-fields: true type: object type: array type: object type: array name: type: string predicateType: type: string type: type: string type: object type: array attestors: items: properties: count: minimum: 1 type: integer entries: items: properties: annotations: additionalProperties: type: string type: object attestor: x-kubernetes-preserve-unknown-fields: true certificates: properties: cert: type: string certChain: type: string ctlog: properties: ignoreSCT: type: boolean pubkey: type: string tsaCertChain: type: string type: object rekor: properties: ignoreTlog: type: boolean pubkey: type: string url: type: string type: object type: object keyless: properties: additionalExtensions: additionalProperties: type: string type: object ctlog: properties: ignoreSCT: type: boolean pubkey: type: string tsaCertChain: type: string type: object issuer: type: 
string issuerRegExp: type: string rekor: properties: ignoreTlog: type: boolean pubkey: type: string url: type: string type: object roots: type: string subject: type: string subjectRegExp: type: string type: object keys: properties: ctlog: properties: ignoreSCT: type: boolean pubkey: type: string tsaCertChain: type: string type: object kms: type: string publicKeys: type: string rekor: properties: ignoreTlog: type: boolean pubkey: type: string url: type: string type: object secret: properties: name: type: string namespace: type: string required: - name - namespace type: object signatureAlgorithm: default: sha256 type: string type: object repository: type: string signatureAlgorithm: default: sha256 type: string type: object type: array type: object type: array failureAction: enum: - Audit - Enforce type: string imageReferences: items: type: string type: array imageRegistryCredentials: properties: allowInsecureRegistry: type: boolean providers: items: enum: - default - amazon - azure - google - github type: string type: array secrets: items: type: string type: array type: object mutateDigest: default: true type: boolean repository: type: string required: default: true type: boolean skipImageReferences: items: type: string type: array type: enum: - Cosign - SigstoreBundle - Notary type: string useCache: default: true type: boolean validate: properties: deny: properties: conditions: x-kubernetes-preserve-unknown-fields: true type: object message: type: string type: object verifyDigest: default: true type: boolean type: object type: array required: - match - name type: object type: array schemaValidation: type: boolean useServerSideApply: type: boolean validationFailureAction: default: Audit enum: - audit - enforce - Audit - Enforce type: string validationFailureActionOverrides: items: properties: action: enum: - audit - enforce - Audit - Enforce type: string namespaceSelector: properties: matchExpressions: items: properties: key: type: string operator: type: string 
values: items: type: string type: array x-kubernetes-list-type: atomic required: - key - operator type: object type: array x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string type: object type: object x-kubernetes-map-type: atomic namespaces: items: type: string type: array type: object type: array webhookConfiguration: properties: failurePolicy: enum: - Ignore - Fail type: string matchConditions: items: properties: expression: type: string name: type: string required: - expression - name type: object type: array timeoutSeconds: format: int32 type: integer type: object webhookTimeoutSeconds: format: int32 type: integer type: object status: properties: autogen: properties: rules: items: properties: celPreconditions: items: properties: expression: type: string name: type: string required: - expression - name type: object type: array context: items: oneOf: - required: - configMap - required: - apiCall - required: - imageRegistry - required: - variable - required: - globalReference properties: apiCall: properties: data: items: properties: key: type: string value: x-kubernetes-preserve-unknown-fields: true required: - key - value type: object type: array default: x-kubernetes-preserve-unknown-fields: true jmesPath: type: string method: default: GET enum: - GET - POST type: string service: properties: caBundle: type: string headers: items: properties: key: type: string value: type: string required: - key - value type: object type: array url: type: string required: - url type: object urlPath: type: string type: object configMap: properties: name: type: string namespace: type: string required: - name type: object globalReference: properties: jmesPath: type: string name: type: string required: - name type: object imageRegistry: properties: imageRegistryCredentials: properties: allowInsecureRegistry: type: boolean providers: items: enum: - default - amazon - azure - google - github type: string type: array secrets: items: type: string type: array 
type: object jmesPath: type: string reference: type: string required: - reference type: object name: type: string variable: properties: default: x-kubernetes-preserve-unknown-fields: true jmesPath: type: string value: x-kubernetes-preserve-unknown-fields: true type: object required: - name type: object type: array exclude: not: required: - any - all properties: all: items: properties: clusterRoles: items: type: string type: array resources: not: required: - name - names properties: annotations: additionalProperties: type: string type: object kinds: items: type: string type: array name: type: string names: items: type: string type: array namespaceSelector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array x-kubernetes-list-type: atomic required: - key - operator type: object type: array x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string type: object type: object x-kubernetes-map-type: atomic namespaces: items: type: string type: array operations: items: enum: - CREATE - CONNECT - UPDATE - DELETE type: string type: array selector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array x-kubernetes-list-type: atomic required: - key - operator type: object type: array x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string type: object type: object x-kubernetes-map-type: atomic type: object roles: items: type: string type: array subjects: items: properties: apiGroup: type: string kind: type: string name: type: string namespace: type: string required: - kind - name type: object x-kubernetes-map-type: atomic type: array type: object type: array any: items: properties: clusterRoles: items: type: string type: array resources: not: required: - name - names properties: annotations: additionalProperties: type: string type: object kinds: items: type: string type: array name: 
type: string names: items: type: string type: array namespaceSelector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array x-kubernetes-list-type: atomic required: - key - operator type: object type: array x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string type: object type: object x-kubernetes-map-type: atomic namespaces: items: type: string type: array operations: items: enum: - CREATE - CONNECT - UPDATE - DELETE type: string type: array selector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array x-kubernetes-list-type: atomic required: - key - operator type: object type: array x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string type: object type: object x-kubernetes-map-type: atomic type: object roles: items: type: string type: array subjects: items: properties: apiGroup: type: string kind: type: string name: type: string namespace: type: string required: - kind - name type: object x-kubernetes-map-type: atomic type: array type: object type: array clusterRoles: items: type: string type: array resources: not: required: - name - names properties: annotations: additionalProperties: type: string type: object kinds: items: type: string type: array name: type: string names: items: type: string type: array namespaceSelector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array x-kubernetes-list-type: atomic required: - key - operator type: object type: array x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string type: object type: object x-kubernetes-map-type: atomic namespaces: items: type: string type: array operations: items: enum: - CREATE - CONNECT - UPDATE - DELETE type: string type: array selector: properties: matchExpressions: items: properties: key: 
type: string operator: type: string values: items: type: string type: array x-kubernetes-list-type: atomic required: - key - operator type: object type: array x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string type: object type: object x-kubernetes-map-type: atomic type: object roles: items: type: string type: array subjects: items: properties: apiGroup: type: string kind: type: string name: type: string namespace: type: string required: - kind - name type: object x-kubernetes-map-type: atomic type: array type: object generate: properties: apiVersion: type: string clone: properties: name: type: string namespace: type: string type: object cloneList: properties: kinds: items: type: string type: array namespace: type: string selector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array x-kubernetes-list-type: atomic required: - key - operator type: object type: array x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string type: object type: object x-kubernetes-map-type: atomic type: object data: x-kubernetes-preserve-unknown-fields: true foreach: items: properties: apiVersion: type: string clone: properties: name: type: string namespace: type: string type: object cloneList: properties: kinds: items: type: string type: array namespace: type: string selector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array x-kubernetes-list-type: atomic required: - key - operator type: object type: array x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string type: object type: object x-kubernetes-map-type: atomic type: object context: items: oneOf: - required: - configMap - required: - apiCall - required: - imageRegistry - required: - variable - required: - globalReference properties: apiCall: properties: data: items: properties: key: type: string value: 
x-kubernetes-preserve-unknown-fields: true required: - key - value type: object type: array default: x-kubernetes-preserve-unknown-fields: true jmesPath: type: string method: default: GET enum: - GET - POST type: string service: properties: caBundle: type: string headers: items: properties: key: type: string value: type: string required: - key - value type: object type: array url: type: string required: - url type: object urlPath: type: string type: object configMap: properties: name: type: string namespace: type: string required: - name type: object globalReference: properties: jmesPath: type: string name: type: string required: - name type: object imageRegistry: properties: imageRegistryCredentials: properties: allowInsecureRegistry: type: boolean providers: items: enum: - default - amazon - azure - google - github type: string type: array secrets: items: type: string type: array type: object jmesPath: type: string reference: type: string required: - reference type: object name: type: string variable: properties: default: x-kubernetes-preserve-unknown-fields: true jmesPath: type: string value: x-kubernetes-preserve-unknown-fields: true type: object required: - name type: object type: array data: x-kubernetes-preserve-unknown-fields: true kind: type: string list: type: string name: type: string namespace: type: string preconditions: properties: all: items: properties: key: x-kubernetes-preserve-unknown-fields: true message: type: string operator: enum: - Equals - NotEquals - In - AnyIn - AllIn - NotIn - AnyNotIn - AllNotIn - GreaterThanOrEquals - GreaterThan - LessThanOrEquals - LessThan - DurationGreaterThanOrEquals - DurationGreaterThan - DurationLessThanOrEquals - DurationLessThan type: string value: x-kubernetes-preserve-unknown-fields: true type: object type: array any: items: properties: key: x-kubernetes-preserve-unknown-fields: true message: type: string operator: enum: - Equals - NotEquals - In - AnyIn - AllIn - NotIn - AnyNotIn - AllNotIn - 
GreaterThanOrEquals - GreaterThan - LessThanOrEquals - LessThan - DurationGreaterThanOrEquals - DurationGreaterThan - DurationLessThanOrEquals - DurationLessThan type: string value: x-kubernetes-preserve-unknown-fields: true type: object type: array type: object x-kubernetes-preserve-unknown-fields: true uid: type: string type: object type: array generateExisting: type: boolean kind: type: string name: type: string namespace: type: string orphanDownstreamOnPolicyDelete: type: boolean synchronize: type: boolean uid: type: string type: object imageExtractors: additionalProperties: items: properties: jmesPath: type: string key: type: string name: type: string path: type: string value: type: string required: - path type: object type: array type: object match: not: required: - any - all properties: all: items: properties: clusterRoles: items: type: string type: array resources: not: required: - name - names properties: annotations: additionalProperties: type: string type: object kinds: items: type: string type: array name: type: string names: items: type: string type: array namespaceSelector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array x-kubernetes-list-type: atomic required: - key - operator type: object type: array x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string type: object type: object x-kubernetes-map-type: atomic namespaces: items: type: string type: array operations: items: enum: - CREATE - CONNECT - UPDATE - DELETE type: string type: array selector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array x-kubernetes-list-type: atomic required: - key - operator type: object type: array x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string type: object type: object x-kubernetes-map-type: atomic type: object roles: items: type: string type: array 
subjects: items: properties: apiGroup: type: string kind: type: string name: type: string namespace: type: string required: - kind - name type: object x-kubernetes-map-type: atomic type: array type: object type: array any: items: properties: clusterRoles: items: type: string type: array resources: not: required: - name - names properties: annotations: additionalProperties: type: string type: object kinds: items: type: string type: array name: type: string names: items: type: string type: array namespaceSelector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array x-kubernetes-list-type: atomic required: - key - operator type: object type: array x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string type: object type: object x-kubernetes-map-type: atomic namespaces: items: type: string type: array operations: items: enum: - CREATE - CONNECT - UPDATE - DELETE type: string type: array selector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array x-kubernetes-list-type: atomic required: - key - operator type: object type: array x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string type: object type: object x-kubernetes-map-type: atomic type: object roles: items: type: string type: array subjects: items: properties: apiGroup: type: string kind: type: string name: type: string namespace: type: string required: - kind - name type: object x-kubernetes-map-type: atomic type: array type: object type: array clusterRoles: items: type: string type: array resources: not: required: - name - names properties: annotations: additionalProperties: type: string type: object kinds: items: type: string type: array name: type: string names: items: type: string type: array namespaceSelector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: 
items: type: string type: array x-kubernetes-list-type: atomic required: - key - operator type: object type: array x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string type: object type: object x-kubernetes-map-type: atomic namespaces: items: type: string type: array operations: items: enum: - CREATE - CONNECT - UPDATE - DELETE type: string type: array selector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array x-kubernetes-list-type: atomic required: - key - operator type: object type: array x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string type: object type: object x-kubernetes-map-type: atomic type: object roles: items: type: string type: array subjects: items: properties: apiGroup: type: string kind: type: string name: type: string namespace: type: string required: - kind - name type: object x-kubernetes-map-type: atomic type: array type: object mutate: properties: foreach: items: properties: context: items: oneOf: - required: - configMap - required: - apiCall - required: - imageRegistry - required: - variable - required: - globalReference properties: apiCall: properties: data: items: properties: key: type: string value: x-kubernetes-preserve-unknown-fields: true required: - key - value type: object type: array default: x-kubernetes-preserve-unknown-fields: true jmesPath: type: string method: default: GET enum: - GET - POST type: string service: properties: caBundle: type: string headers: items: properties: key: type: string value: type: string required: - key - value type: object type: array url: type: string required: - url type: object urlPath: type: string type: object configMap: properties: name: type: string namespace: type: string required: - name type: object globalReference: properties: jmesPath: type: string name: type: string required: - name type: object imageRegistry: properties: imageRegistryCredentials: 
properties: allowInsecureRegistry: type: boolean providers: items: enum: - default - amazon - azure - google - github type: string type: array secrets: items: type: string type: array type: object jmesPath: type: string reference: type: string required: - reference type: object name: type: string variable: properties: default: x-kubernetes-preserve-unknown-fields: true jmesPath: type: string value: x-kubernetes-preserve-unknown-fields: true type: object required: - name type: object type: array foreach: x-kubernetes-preserve-unknown-fields: true list: type: string order: enum: - Ascending - Descending type: string patchStrategicMerge: x-kubernetes-preserve-unknown-fields: true patchesJson6902: type: string preconditions: properties: all: items: properties: key: x-kubernetes-preserve-unknown-fields: true message: type: string operator: enum: - Equals - NotEquals - In - AnyIn - AllIn - NotIn - AnyNotIn - AllNotIn - GreaterThanOrEquals - GreaterThan - LessThanOrEquals - LessThan - DurationGreaterThanOrEquals - DurationGreaterThan - DurationLessThanOrEquals - DurationLessThan type: string value: x-kubernetes-preserve-unknown-fields: true type: object type: array any: items: properties: key: x-kubernetes-preserve-unknown-fields: true message: type: string operator: enum: - Equals - NotEquals - In - AnyIn - AllIn - NotIn - AnyNotIn - AllNotIn - GreaterThanOrEquals - GreaterThan - LessThanOrEquals - LessThan - DurationGreaterThanOrEquals - DurationGreaterThan - DurationLessThanOrEquals - DurationLessThan type: string value: x-kubernetes-preserve-unknown-fields: true type: object type: array type: object x-kubernetes-preserve-unknown-fields: true type: object type: array mutateExistingOnPolicyUpdate: type: boolean patchStrategicMerge: x-kubernetes-preserve-unknown-fields: true patchesJson6902: type: string targets: items: properties: apiVersion: type: string context: items: oneOf: - required: - configMap - required: - apiCall - required: - imageRegistry - required: - 
variable - required: - globalReference properties: apiCall: properties: data: items: properties: key: type: string value: x-kubernetes-preserve-unknown-fields: true required: - key - value type: object type: array default: x-kubernetes-preserve-unknown-fields: true jmesPath: type: string method: default: GET enum: - GET - POST type: string service: properties: caBundle: type: string headers: items: properties: key: type: string value: type: string required: - key - value type: object type: array url: type: string required: - url type: object urlPath: type: string type: object configMap: properties: name: type: string namespace: type: string required: - name type: object globalReference: properties: jmesPath: type: string name: type: string required: - name type: object imageRegistry: properties: imageRegistryCredentials: properties: allowInsecureRegistry: type: boolean providers: items: enum: - default - amazon - azure - google - github type: string type: array secrets: items: type: string type: array type: object jmesPath: type: string reference: type: string required: - reference type: object name: type: string variable: properties: default: x-kubernetes-preserve-unknown-fields: true jmesPath: type: string value: x-kubernetes-preserve-unknown-fields: true type: object required: - name type: object type: array kind: type: string name: type: string namespace: type: string preconditions: x-kubernetes-preserve-unknown-fields: true selector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array x-kubernetes-list-type: atomic required: - key - operator type: object type: array x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string type: object type: object x-kubernetes-map-type: atomic uid: type: string type: object type: array type: object name: maxLength: 63 type: string preconditions: x-kubernetes-preserve-unknown-fields: true reportProperties: additionalProperties: 
type: string type: object skipBackgroundRequests: default: true type: boolean validate: properties: allowExistingViolations: default: true type: boolean anyPattern: x-kubernetes-preserve-unknown-fields: true assert: type: object x-kubernetes-preserve-unknown-fields: true cel: properties: auditAnnotations: items: properties: key: type: string valueExpression: type: string required: - key - valueExpression type: object type: array expressions: items: properties: expression: type: string message: type: string messageExpression: type: string reason: type: string required: - expression type: object type: array generate: default: false type: boolean paramKind: properties: apiVersion: type: string kind: type: string type: object x-kubernetes-map-type: atomic paramRef: properties: name: type: string namespace: type: string parameterNotFoundAction: type: string selector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array x-kubernetes-list-type: atomic required: - key - operator type: object type: array x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string type: object type: object x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic variables: items: properties: expression: type: string name: type: string required: - expression - name type: object x-kubernetes-map-type: atomic type: array type: object deny: properties: conditions: x-kubernetes-preserve-unknown-fields: true type: object failureAction: enum: - Audit - Enforce type: string failureActionOverrides: items: properties: action: enum: - audit - enforce - Audit - Enforce type: string namespaceSelector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array x-kubernetes-list-type: atomic required: - key - operator type: object type: array x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string type: 
object type: object x-kubernetes-map-type: atomic namespaces: items: type: string type: array type: object type: array foreach: items: properties: anyPattern: x-kubernetes-preserve-unknown-fields: true context: items: oneOf: - required: - configMap - required: - apiCall - required: - imageRegistry - required: - variable - required: - globalReference properties: apiCall: properties: data: items: properties: key: type: string value: x-kubernetes-preserve-unknown-fields: true required: - key - value type: object type: array default: x-kubernetes-preserve-unknown-fields: true jmesPath: type: string method: default: GET enum: - GET - POST type: string service: properties: caBundle: type: string headers: items: properties: key: type: string value: type: string required: - key - value type: object type: array url: type: string required: - url type: object urlPath: type: string type: object configMap: properties: name: type: string namespace: type: string required: - name type: object globalReference: properties: jmesPath: type: string name: type: string required: - name type: object imageRegistry: properties: imageRegistryCredentials: properties: allowInsecureRegistry: type: boolean providers: items: enum: - default - amazon - azure - google - github type: string type: array secrets: items: type: string type: array type: object jmesPath: type: string reference: type: string required: - reference type: object name: type: string variable: properties: default: x-kubernetes-preserve-unknown-fields: true jmesPath: type: string value: x-kubernetes-preserve-unknown-fields: true type: object required: - name type: object type: array deny: properties: conditions: x-kubernetes-preserve-unknown-fields: true type: object elementScope: type: boolean foreach: x-kubernetes-preserve-unknown-fields: true list: type: string pattern: x-kubernetes-preserve-unknown-fields: true preconditions: properties: all: items: properties: key: x-kubernetes-preserve-unknown-fields: true message: type: 
string operator: enum: - Equals - NotEquals - In - AnyIn - AllIn - NotIn - AnyNotIn - AllNotIn - GreaterThanOrEquals - GreaterThan - LessThanOrEquals - LessThan - DurationGreaterThanOrEquals - DurationGreaterThan - DurationLessThanOrEquals - DurationLessThan type: string value: x-kubernetes-preserve-unknown-fields: true type: object type: array any: items: properties: key: x-kubernetes-preserve-unknown-fields: true message: type: string operator: enum: - Equals - NotEquals - In - AnyIn - AllIn - NotIn - AnyNotIn - AllNotIn - GreaterThanOrEquals - GreaterThan - LessThanOrEquals - LessThan - DurationGreaterThanOrEquals - DurationGreaterThan - DurationLessThanOrEquals - DurationLessThan type: string value: x-kubernetes-preserve-unknown-fields: true type: object type: array type: object x-kubernetes-preserve-unknown-fields: true type: object type: array manifests: properties: annotationDomain: type: string attestors: items: properties: count: minimum: 1 type: integer entries: items: properties: annotations: additionalProperties: type: string type: object attestor: x-kubernetes-preserve-unknown-fields: true certificates: properties: cert: type: string certChain: type: string ctlog: properties: ignoreSCT: type: boolean pubkey: type: string tsaCertChain: type: string type: object rekor: properties: ignoreTlog: type: boolean pubkey: type: string url: type: string type: object type: object keyless: properties: additionalExtensions: additionalProperties: type: string type: object ctlog: properties: ignoreSCT: type: boolean pubkey: type: string tsaCertChain: type: string type: object issuer: type: string issuerRegExp: type: string rekor: properties: ignoreTlog: type: boolean pubkey: type: string url: type: string type: object roots: type: string subject: type: string subjectRegExp: type: string type: object keys: properties: ctlog: properties: ignoreSCT: type: boolean pubkey: type: string tsaCertChain: type: string type: object kms: type: string publicKeys: type: string 
rekor: properties: ignoreTlog: type: boolean pubkey: type: string url: type: string type: object secret: properties: name: type: string namespace: type: string required: - name - namespace type: object signatureAlgorithm: default: sha256 type: string type: object repository: type: string signatureAlgorithm: default: sha256 type: string type: object type: array type: object type: array dryRun: properties: enable: type: boolean namespace: type: string type: object ignoreFields: items: properties: fields: items: type: string type: array objects: items: properties: group: type: string kind: type: string name: type: string namespace: type: string version: type: string type: object type: array type: object type: array repository: type: string type: object message: type: string pattern: x-kubernetes-preserve-unknown-fields: true podSecurity: properties: exclude: items: properties: controlName: enum: - HostProcess - Host Namespaces - Privileged Containers - Capabilities - HostPath Volumes - Host Ports - AppArmor - SELinux - /proc Mount Type - Seccomp - Sysctls - Volume Types - Privilege Escalation - Running as Non-root - Running as Non-root user type: string images: items: type: string type: array restrictedField: type: string values: items: type: string type: array required: - controlName type: object type: array level: enum: - privileged - baseline - restricted type: string version: enum: - v1.19 - v1.20 - v1.21 - v1.22 - v1.23 - v1.24 - v1.25 - v1.26 - v1.27 - v1.28 - v1.29 - latest type: string type: object type: object verifyImages: items: properties: additionalExtensions: additionalProperties: type: string type: object annotations: additionalProperties: type: string type: object attestations: items: properties: attestors: items: properties: count: minimum: 1 type: integer entries: items: properties: annotations: additionalProperties: type: string type: object attestor: x-kubernetes-preserve-unknown-fields: true certificates: properties: cert: type: string certChain: 
type: string ctlog: properties: ignoreSCT: type: boolean pubkey: type: string tsaCertChain: type: string type: object rekor: properties: ignoreTlog: type: boolean pubkey: type: string url: type: string type: object type: object keyless: properties: additionalExtensions: additionalProperties: type: string type: object ctlog: properties: ignoreSCT: type: boolean pubkey: type: string tsaCertChain: type: string type: object issuer: type: string issuerRegExp: type: string rekor: properties: ignoreTlog: type: boolean pubkey: type: string url: type: string type: object roots: type: string subject: type: string subjectRegExp: type: string type: object keys: properties: ctlog: properties: ignoreSCT: type: boolean pubkey: type: string tsaCertChain: type: string type: object kms: type: string publicKeys: type: string rekor: properties: ignoreTlog: type: boolean pubkey: type: string url: type: string type: object secret: properties: name: type: string namespace: type: string required: - name - namespace type: object signatureAlgorithm: default: sha256 type: string type: object repository: type: string signatureAlgorithm: default: sha256 type: string type: object type: array type: object type: array conditions: items: properties: all: items: properties: key: x-kubernetes-preserve-unknown-fields: true message: type: string operator: enum: - Equals - NotEquals - In - AnyIn - AllIn - NotIn - AnyNotIn - AllNotIn - GreaterThanOrEquals - GreaterThan - LessThanOrEquals - LessThan - DurationGreaterThanOrEquals - DurationGreaterThan - DurationLessThanOrEquals - DurationLessThan type: string value: x-kubernetes-preserve-unknown-fields: true type: object type: array any: items: properties: key: x-kubernetes-preserve-unknown-fields: true message: type: string operator: enum: - Equals - NotEquals - In - AnyIn - AllIn - NotIn - AnyNotIn - AllNotIn - GreaterThanOrEquals - GreaterThan - LessThanOrEquals - LessThan - DurationGreaterThanOrEquals - DurationGreaterThan - DurationLessThanOrEquals - 
DurationLessThan type: string value: x-kubernetes-preserve-unknown-fields: true type: object type: array type: object type: array name: type: string predicateType: type: string type: type: string type: object type: array attestors: items: properties: count: minimum: 1 type: integer entries: items: properties: annotations: additionalProperties: type: string type: object attestor: x-kubernetes-preserve-unknown-fields: true certificates: properties: cert: type: string certChain: type: string ctlog: properties: ignoreSCT: type: boolean pubkey: type: string tsaCertChain: type: string type: object rekor: properties: ignoreTlog: type: boolean pubkey: type: string url: type: string type: object type: object keyless: properties: additionalExtensions: additionalProperties: type: string type: object ctlog: properties: ignoreSCT: type: boolean pubkey: type: string tsaCertChain: type: string type: object issuer: type: string issuerRegExp: type: string rekor: properties: ignoreTlog: type: boolean pubkey: type: string url: type: string type: object roots: type: string subject: type: string subjectRegExp: type: string type: object keys: properties: ctlog: properties: ignoreSCT: type: boolean pubkey: type: string tsaCertChain: type: string type: object kms: type: string publicKeys: type: string rekor: properties: ignoreTlog: type: boolean pubkey: type: string url: type: string type: object secret: properties: name: type: string namespace: type: string required: - name - namespace type: object signatureAlgorithm: default: sha256 type: string type: object repository: type: string signatureAlgorithm: default: sha256 type: string type: object type: array type: object type: array cosignOCI11: type: boolean failureAction: enum: - Audit - Enforce type: string image: type: string imageReferences: items: type: string type: array imageRegistryCredentials: properties: allowInsecureRegistry: type: boolean providers: items: enum: - default - amazon - azure - google - github type: string type: 
array secrets: items: type: string type: array type: object issuer: type: string key: type: string mutateDigest: default: true type: boolean repository: type: string required: default: true type: boolean roots: type: string skipImageReferences: items: type: string type: array subject: type: string type: enum: - Cosign - SigstoreBundle - Notary type: string useCache: default: true type: boolean validate: properties: deny: properties: conditions: x-kubernetes-preserve-unknown-fields: true type: object message: type: string type: object verifyDigest: default: true type: boolean type: object type: array required: - match - name type: object type: array type: object conditions: items: properties: lastTransitionTime: format: date-time type: string message: maxLength: 32768 type: string observedGeneration: format: int64 minimum: 0 type: integer reason: maxLength: 1024 minLength: 1 pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ type: string status: enum: - "True" - "False" - Unknown type: string type: maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string required: - lastTransitionTime - message - reason - status - type type: object type: array ready: type: boolean rulecount: properties: generate: type: integer mutate: type: integer validate: type: integer verifyimages: type: integer required: - generate - mutate - validate - verifyimages type: object validatingadmissionpolicy: properties: generated: type: boolean message: type: string required: - generated - message type: object type: object required: - spec type: object served: true storage: false subresources: status: {}