diff --git a/scripts/helmcharts/toolings/charts/kyverno/Chart.yaml b/scripts/helmcharts/toolings/charts/kyverno/Chart.yaml index 20cab5225..ee5ec2684 100644 --- a/scripts/helmcharts/toolings/charts/kyverno/Chart.yaml +++ b/scripts/helmcharts/toolings/charts/kyverno/Chart.yaml @@ -1,16 +1,14 @@ annotations: artifacthub.io/changes: | - - kind: changed - description: Syntax change for webhooksCleanup switch to match with the rest of the file - kind: fixed - description: Handle multiple extraArgs in init container + description: incorrect config map names artifacthub.io/links: | - name: Documentation url: https://kyverno.io/docs artifacthub.io/operator: "false" artifacthub.io/prerelease: "false" apiVersion: v2 -appVersion: v1.9.2 +appVersion: v1.10.0 description: Kubernetes Native Policy Management home: https://kyverno.io/ icon: https://github.com/kyverno/kyverno/raw/main/img/logo.png @@ -28,4 +26,4 @@ name: kyverno sources: - https://github.com/kyverno/kyverno type: application -version: 2.7.2 +version: 3.0.1 diff --git a/scripts/helmcharts/toolings/charts/kyverno/README.md b/scripts/helmcharts/toolings/charts/kyverno/README.md index 03750d44f..20907eea0 100644 --- a/scripts/helmcharts/toolings/charts/kyverno/README.md +++ b/scripts/helmcharts/toolings/charts/kyverno/README.md @@ -2,7 +2,7 @@ Kubernetes Native Policy Management -![Version: 2.7.2](https://img.shields.io/badge/Version-2.7.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.9.2](https://img.shields.io/badge/AppVersion-v1.9.2-informational?style=flat-square) +![Version: 3.0.1](https://img.shields.io/badge/Version-3.0.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.10.0](https://img.shields.io/badge/AppVersion-v1.10.0-informational?style=flat-square) ## About 
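Review bot: the `artifacthub.io/changes` annotation in the Chart.yaml hunk is reduced to a single `kind: fixed` / `description: incorrect config map names` entry, while the same patch moves the chart from `version: 2.7.2` to `version: 3.0.1` and `appVersion: v1.9.2` to `appVersion: v1.10.0` and, per the README changes further down, renames nearly every value, renames the admission controller Deployment and makes in-place upgrades fail without `upgrade.fromV2=true`. A major-version bump with that many breaking changes needs `kind: changed` entries describing them in this annotation, since Artifact Hub renders it as the changelog and it is the first thing a consumer sees before upgrading; dropping the two previous entries is fine, but replacing them with one unrelated fix description hides the break.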
@@ -21,6 +21,10 @@ Access the complete user documentation and guides at: https://kyverno.io. ## Installing the Chart +**IMPORTANT IMPORTANT IMPORTANT IMPORTANT** + +This chart changed significantly between `v2` and `v3`. If you are upgrading from `v2`, please read `Migrating from v2 to v3` section. + **Add the Kyverno Helm repository:** ```console 
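Review bot: the new warning block points readers at `Migrating from v2 to v3` in backticks instead of linking it, although the section is in the same README and the file already uses anchor links elsewhere (`[New Chart Values](#new-chart-values)`); make it `[Migrating from v2 to v3](#migrating-from-v2-to-v3)` so the reader lands on the procedure. The line `**IMPORTANT IMPORTANT IMPORTANT IMPORTANT**` renders as one bold row of the same word and reads like an editing accident; a single bold `IMPORTANT` or a `>` blockquote carries the warning just as loudly.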
@@ -105,6 +109,125 @@ spec: - Replace=true ``` +## Migrating from v2 to v3 + +Direct upgrades from v2 of the Helm chart to v3 are not supported due to the number of breaking changes and manual intervention is required. Review and select an option after carefully reading below. Because either method requires down time, an upgrade should only be performed during a maintenance window. Regardless of the chosen option, please read all release notes very carefully to understand the full extent of changes brought by Kyverno 1.10. Release notes can be found at https://github.com/kyverno/kyverno/releases. + +### Option 1 - Uninstallation and Reinstallation + +The first option for upgrading, which is the recommended option, involves backing up Kyverno policy resources, uninstalling Kyverno, and reinstalling with v3 of the chart. Policy Reports for policies which have background mode enabled will be regenerated upon the next scan interval. + +**Pros** + +* Reduced complexity with minimal effort +* Allows re-checking older policies against new validation webhooks in 1.10 + +**Cons** + +* Policy Reports which contained results only from admission mode and from policies/rules where background scans were disabled will be lost. + +Follow the procedure below. + +1. READ THE COMPLETE RELEASE NOTES FIRST +2. Backup and export all Kyverno policy resources to a YAML manifest. Use the command `kubectl get pol,cpol,cleanpol,ccleanpol,polex -A > kyvernobackup.yaml`. +3. Uninstall your current version of Kyverno. +4. Review the [New Chart Values](#new-chart-values) section and translate your desired features and configurations to the new format. +5. Install the v3 chart with Kyverno 1.10. +6. Restore your Kyverno policies. Use the command `kubectl create -f kyvernobackup.yaml`. + +### Option 2 - Scale to Zero + +In the second option, Kyverno policies do not have to be backed up however you perform more manual work in order to prepare for the upgrade to chart v3. 
+ +**Pros** + +* Policy Reports which contained results from admission mode will be preserved +* Kyverno policies do not need to be backed up first + +**Cons** + +* More manual effort is required +* Older policies will not be revalidated for correctness according to the breaking schema changes. Some policies may not work as they did before. + +Follow the procedure below. + +1. READ THE COMPLETE RELEASE NOTES FIRST +2. Scale the `kyverno` Deployment to zero replicas. +3. If coming from 1.9 and you have install the cleanup controller, scale the `kyverno-cleanup-controller` Deployment to zero replicas. +4. If step 3 applied to you, now delete the cleanup Deployment. +5. Review the [New Chart Values](#new-chart-values) section and translate your desired features and configurations to the new format. +6. Upgrade to the v3 chart by passing the mandatory flag `upgrade.fromV2=true`. + +### New Chart Values + +In `v3` chart values changed significantly, please read the instructions below to migrate your values: + +- `config.metricsConfig` is now `metricsConfig` +- `resourceFiltersExcludeNamespaces` has been replaced with `config.resourceFiltersExcludeNamespaces` +- `excludeKyvernoNamespace` has been replaced with `config.excludeKyvernoNamespace` +- `config.existingConfig` has been replaced with `config.create` and `config.name` to __support bring your own config__ +- `config.existingMetricsConfig` has been replaced with `metricsConfig.create` and `metricsConfig.name` to __support bring your own config__ +- `namespace` has been renamed `namespaceOverride` +- `installCRDs` has been replaced with `crds.install` +- `testImage` has been replaced with `test.image` +- `testResources` has been replaced with `test.resources` +- `testSecurityContext` has been replaced with `test.securityContext` +- `replicaCount` has been replaced with `admissionController.replicas` +- `updateStrategy` has been replaced with `admissionController.updateStrategy` +- `priorityClassName` has been 
replaced with `admissionController.priorityClassName` +- `hostNetwork` has been replaced with `admissionController.hostNetwork` +- `dnsPolicy` has been replaced with `admissionController.dnsPolicy` +- `nodeSelector` has been replaced with `admissionController.nodeSelector` +- `tolerations` has been replaced with `admissionController.tolerations` +- `topologySpreadConstraints` has been replaced with `admissionController.topologySpreadConstraints` +- `podDisruptionBudget` has been replaced with `admissionController.podDisruptionBudget` +- `antiAffinity` has been replaced with `admissionController.antiAffinity` +- `antiAffinity.enable` has been replaced with `admissionController.antiAffinity.enabled` +- `podAntiAffinity` has been replaced with `admissionController.podAntiAffinity` +- `podAffinity` has been replaced with `admissionController.podAffinity` +- `nodeAffinity` has been replaced with `admissionController.nodeAffinity` +- `startupProbe` has been replaced with `admissionController.startupProbe` +- `livenessProbe` has been replaced with `admissionController.livenessProbe` +- `readinessProbe` has been replaced with `admissionController.readinessProbe` +- `createSelfSignedCert` has been replaced with `admissionController.createSelfSignedCert` +- `serviceMonitor` has been replaced with `admissionController.serviceMonitor` +- `podSecurityContext` has been replaced with `admissionController.podSecurityContext` +- `tufRootMountPath` has been replaced with `admissionController.tufRootMountPath` +- `sigstoreVolume` has been replaced with `admissionController.sigstoreVolume` +- `initImage` has been replaced with `admissionController.initContainer.image` +- `initResources` has been replaced with `admissionController.initContainer.resources` +- `image` has been replaced with `admissionController.container.image` +- `image.pullSecrets` has been replaced with `admissionController.imagePullSecrets` +- `resources` has been replaced with 
`admissionController.container.resources` +- `service` has been replaced with `admissionController.service` +- `metricsService` has been replaced with `admissionController.metricsService` +- `initContainer.extraArgs` has been replaced with `admissionController.initContainer.extraArgs` +- `envVarsInit` has been replaced with `admissionController.initContainer.extraEnvVars` +- `envVars` has been replaced with `admissionController.container.extraEnvVars` +- `extraArgs` has been replaced with `admissionController.container.extraArgs` +- `extraInitContainers` has been replaced with `admissionController.extraInitContainers` +- `extraContainers` has been replaced with `admissionController.extraContainers` +- `podLabels` has been replaced with `admissionController.podLabels` +- `podAnnotations` has been replaced with `admissionController.podAnnotations` +- `securityContext` has been replaced with `admissionController.container.securityContext` and `admissionController.initContainer.securityContext` +- `rbac` has been replaced with `admissionController.rbac` +- `generatecontrollerExtraResources` has been replaced with `admissionController.rbac.clusterRole.extraResources` +- `networkPolicy` has been replaced with `admissionController.networkPolicy` +- all `extraArgs` now use objects instead of arrays +- logging, tracing and metering are now configured using `*Controller.logging`, `*Controller.tracing` and `*Controller.metering` + +- Labels and selectors have been reworked and due to immutability, upgrading from `v2` to `v3` is going to be rejected. The easiest solution is to uninstall `v2` and reinstall `v3` once values have been adapted to the changes described above. + +- Image tags are now validated and must be strings, if you use image tags in the `1.35` form please add quotes around the tag value. 
+ +- Image references are now using the `registry` setting, if you override the registry or repository fields please use `registry` (`--set image.registry=ghcr.io --set image.repository=kyverno/kyverno` instead of `--set image.repository=ghcr.io/kyverno/kyverno`). + +- Admission controller `Deployment` name changed from `kyverno` to `kyverno-admission-controller`. +- `config.excludeUsername` was renamed to `config.excludeUsernames` +- `config.excludeGroupRole` was renamed to `config.excludeGroups` + +Hardcoded defaults for `config.excludeGroups` and `config.excludeUsernames` have been removed, please review those fields if you provide your own exclusions. + ## Uninstalling the Chart To uninstall/delete the `kyverno` deployment: 
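Review bot: step 2 of Option 1 tells the operator to back up policies with `kubectl get pol,cpol,cleanpol,ccleanpol,polex -A > kyvernobackup.yaml`, but without `-o yaml` that command redirects the human-readable table into the file, and the restore in step 6 (`kubectl create -f kyvernobackup.yaml`) will have nothing parseable to apply after Kyverno and its CRDs are gone. The command needs `-o yaml`, and because the restore uses `kubectl create`, the note should also say that server-populated fields in the export (`metadata.resourceVersion`, `metadata.uid`, `status`) must be stripped or the create is rejected; a backup step that silently produces an unusable file is the worst place for this mistake given that step 3 uninstalls Kyverno. Two further points in this hunk: Option 2 step 6 instructs an in-place `helm upgrade` with the mandatory flag `upgrade.fromV2=true`, yet the bullet near the end states that "upgrading from `v2` to `v3` is going to be rejected" because of immutable labels and selectors and recommends uninstall and reinstall instead; both cannot be true for the same chart, so either state which resources the flag handles or drop the contradictory bullet. The closing sentence says the hardcoded defaults for `config.excludeGroups` and `config.excludeUsernames` were removed, but the values table added in the next hunk lists `config.excludeGroups` with default `["system:nodes"]`; since these lists decide which identities the policy engine skips, the README must state the real default rather than two different ones. Minor: step 3 of Option 2 should read "have installed the cleanup controller".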
@@ -117,120 +240,234 @@ The command removes all the Kubernetes components associated with the chart and ## Values +The chart values are organised per component. + +### Custom resource definitions + | Key | Type | Default | Description | |-----|------|---------|-------------| -| nameOverride | string | `nil` | Override the name of the chart | -| fullnameOverride | string | `nil` | Override the expanded name of the chart | -| namespace | string | `nil` | Namespace the chart deploys to | -| customLabels | object | `{}` | Additional labels | -| rbac.create | bool | `true` | Create ClusterRoles, ClusterRoleBindings, and ServiceAccount | -| rbac.serviceAccount.create | bool | `true` | Create a ServiceAccount | -| rbac.serviceAccount.name | string | `nil` | The ServiceAccount name | -| rbac.serviceAccount.annotations | object | `{}` | Annotations for the ServiceAccount | -| image.registry | string | `nil` | Image registry | -| image.repository | string | `"ghcr.io/kyverno/kyverno"` | Image repository | -| image.tag | string | `nil` | Image tag Defaults to appVersion in Chart.yaml if omitted | -| image.pullPolicy | string | `"IfNotPresent"` | Image pull policy | -| image.pullSecrets | list | `[]` | Image pull secrets | -| initImage.registry | string | `nil` | Image registry | -| initImage.repository | string | `"ghcr.io/kyverno/kyvernopre"` | Image repository | -| initImage.tag | string | `nil` | Image tag If initImage.tag is missing, defaults to image.tag | -| initImage.pullPolicy | string | `nil` | Image pull policy If initImage.pullPolicy is missing, defaults to image.pullPolicy | -| initContainer.extraArgs | list | `["--loggingFormat=text"]` | Extra arguments to give to the kyvernopre binary. 
| -| testImage.registry | string | `nil` | Image registry | -| testImage.repository | string | `"busybox"` | Image repository | -| testImage.tag | float | `1.35` | Image tag Defaults to `latest` if omitted | -| testImage.pullPolicy | string | `nil` | Image pull policy Defaults to image.pullPolicy if omitted | -| replicaCount | int | `nil` | Desired number of pods | -| podLabels | object | `{}` | Additional labels to add to each pod | -| podAnnotations | object | `{}` | Additional annotations to add to each pod | -| podSecurityContext | object | `{}` | Security context for the pod | -| securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the containers | -| testSecurityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the test containers | -| priorityClassName | string | `""` | Optional priority class to be used for kyverno pods | -| antiAffinity.enable | bool | `true` | Pod antiAffinities toggle. Enabled by default but can be disabled if you want to schedule pods to the same node. | -| podAntiAffinity | object | See [values.yaml](values.yaml) | Pod anti affinity constraints. | -| podAffinity | object | `{}` | Pod affinity constraints. | -| nodeAffinity | object | `{}` | Node affinity constraints. | -| podDisruptionBudget.minAvailable | int | `1` | Configures the minimum available pods for kyverno disruptions. Cannot be used if `maxUnavailable` is set. | -| podDisruptionBudget.maxUnavailable | string | `nil` | Configures the maximum unavailable pods for kyverno disruptions. Cannot be used if `minAvailable` is set. 
| -| nodeSelector | object | `{}` | Node labels for pod assignment | -| tolerations | list | `[]` | List of node taints to tolerate | -| hostNetwork | bool | `false` | Change `hostNetwork` to `true` when you want the kyverno's pod to share its host's network namespace. Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. Update the `dnsPolicy` accordingly as well to suit the host network mode. | -| dnsPolicy | string | `"ClusterFirst"` | `dnsPolicy` determines the manner in which DNS resolution happens in the cluster. In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy. | -| envVarsInit | object | `{}` | Env variables for initContainers. | -| envVars | object | `{}` | Env variables for containers. | -| extraArgs | list | `["--loggingFormat=text","--exceptionNamespace={{ include \"kyverno.namespace\" . }}"]` | Extra arguments to give to the binary. | -| extraInitContainers | list | `[]` | Array of extra init containers | -| extraContainers | list | `[]` | Array of extra containers to run alongside kyverno | -| imagePullSecrets | object | `{}` | Image pull secrets for image verify and imageData policies. This will define the `--imagePullSecrets` Kyverno argument. | -| existingImagePullSecrets | list | `[]` | Existing Image pull secrets for image verify and imageData policies. This will define the `--imagePullSecrets` Kyverno argument. 
| -| resources.limits | object | `{"memory":"384Mi"}` | Pod resource limits | -| resources.requests | object | `{"cpu":"100m","memory":"128Mi"}` | Pod resource requests | -| initResources.limits | object | `{"cpu":"100m","memory":"256Mi"}` | Pod resource limits | -| initResources.requests | object | `{"cpu":"10m","memory":"64Mi"}` | Pod resource requests | -| testResources.limits | object | `{"cpu":"100m","memory":"256Mi"}` | Pod resource limits | -| testResources.requests | object | `{"cpu":"10m","memory":"64Mi"}` | Pod resource requests | -| startupProbe | object | See [values.yaml](values.yaml) | Startup probe. The block is directly forwarded into the deployment, so you can use whatever startupProbes configuration you want. ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ | -| livenessProbe | object | See [values.yaml](values.yaml) | Liveness probe. The block is directly forwarded into the deployment, so you can use whatever livenessProbe configuration you want. ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ | -| readinessProbe | object | See [values.yaml](values.yaml) | Readiness Probe. The block is directly forwarded into the deployment, so you can use whatever readinessProbe configuration you want. ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ | -| generatecontrollerExtraResources | list | `[]` | Additional resources to be added to controller RBAC permissions. | -| excludeKyvernoNamespace | bool | `true` | Exclude Kyverno namespace Determines if default Kyverno namespace exclusion is enabled for webhooks and resourceFilters | -| resourceFiltersExcludeNamespaces | list | `[]` | resourceFilter namespace exclude Namespaces to exclude from the default resourceFilters | -| config.resourceFilters | list | See [values.yaml](values.yaml) | Resource types to be skipped by the Kyverno policy engine. 
Make sure to surround each entry in quotes so that it doesn't get parsed as a nested YAML list. These are joined together without spaces, run through `tpl`, and the result is set in the config map. | -| config.existingConfig | string | `""` | Name of an existing config map (ignores default/provided resourceFilters) | -| config.annotations | object | `{}` | Additional annotations to add to the configmap | -| config.excludeGroupRole | string | `nil` | Exclude group role | -| config.excludeUsername | string | `nil` | Exclude username | -| config.webhooks | string | `nil` | Defines the `namespaceSelector` in the webhook configurations. Note that it takes a list of `namespaceSelector` and/or `objectSelector` in the JSON format, and only the first element will be forwarded to the webhook configurations. The Kyverno namespace is excluded if `excludeKyvernoNamespace` is `true` (default) | +| crds.install | bool | `true` | Whether to have Helm install the Kyverno CRDs, if the CRDs are not installed by Helm, they must be added before policies can be created | +| crds.annotations | object | `{}` | Additional CRDs annotations | + +### Config + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| config.create | bool | `true` | Create the configmap. | +| config.name | string | `nil` | The configmap name (required if `create` is `false`). | +| config.annotations | object | `{}` | Additional annotations to add to the configmap. | +| config.enableDefaultRegistryMutation | bool | `true` | Enable registry mutation for container images. Enabled by default. | +| config.defaultRegistry | string | `"docker.io"` | The registry hostname used for the image mutation. 
| +| config.excludeGroups | list | `["system:nodes"]` | Exclude groups | +| config.excludeUsernames | list | `[]` | Exclude usernames | +| config.excludeRoles | list | `[]` | Exclude roles | +| config.excludeClusterRoles | list | `[]` | Exclude roles | | config.generateSuccessEvents | bool | `false` | Generate success events. | -| config.metricsConfig | object | `{"annotations":{},"namespaces":{"exclude":[],"include":[]}}` | Metrics config. | -| config.metricsConfig.annotations | object | `{}` | Additional annotations to add to the metricsconfigmap | -| updateStrategy | object | See [values.yaml](values.yaml) | Deployment update strategy. Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy | -| service.port | int | `443` | Service port. | -| service.type | string | `"ClusterIP"` | Service type. | -| service.nodePort | string | `nil` | Service node port. Only used if `service.type` is `NodePort`. | -| service.annotations | object | `{}` | Service annotations. | -| topologySpreadConstraints | list | `[]` | Topology spread constraints. | -| metricsService.create | bool | `true` | Create service. | -| metricsService.port | int | `8000` | Service port. Kyverno's metrics server will be exposed at this port. | -| metricsService.type | string | `"ClusterIP"` | Service type. | -| metricsService.nodePort | string | `nil` | Service node port. Only used if `metricsService.type` is `NodePort`. | -| metricsService.annotations | object | `{}` | Service annotations. | -| serviceMonitor.enabled | bool | `false` | Create a `ServiceMonitor` to collect Prometheus metrics. 
| -| serviceMonitor.additionalLabels | string | `nil` | Additional labels | -| serviceMonitor.namespace | string | `nil` | Override namespace (default is the same as kyverno) | -| serviceMonitor.interval | string | `"30s"` | Interval to scrape metrics | -| serviceMonitor.scrapeTimeout | string | `"25s"` | Timeout if metrics can't be retrieved in given time interval | -| serviceMonitor.secure | bool | `false` | Is TLS required for endpoint | -| serviceMonitor.tlsConfig | object | `{}` | TLS Configuration for endpoint | -| createSelfSignedCert | bool | `false` | Kyverno requires a certificate key pair and corresponding certificate authority to properly register its webhooks. This can be done in one of 3 ways: 1) Use kube-controller-manager to generate a CA-signed certificate (preferred) 2) Provide your own CA and cert. In this case, you will need to create a certificate with a specific name and data structure. As long as you follow the naming scheme, it will be automatically picked up. kyverno-svc.(namespace).svc.kyverno-tls-ca (with data entries named tls.key and tls.crt) kyverno-svc.kyverno.svc.kyverno-tls-pair (with data entries named tls.key and tls.crt) 3) Let Helm generate a self signed cert, by setting createSelfSignedCert true If letting Kyverno create its own CA or providing your own, make createSelfSignedCert is false | -| installCRDs | bool | `true` | Whether to have Helm install the Kyverno CRDs. If the CRDs are not installed by Helm, they must be added before policies can be created. | -| crds.annotations | object | `{}` | Additional CRDs annotations. | -| networkPolicy.enabled | bool | `false` | When true, use a NetworkPolicy to allow ingress to the webhook This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup. | -| networkPolicy.ingressFrom | list | `[]` | A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies. 
| -| webhooksCleanup.enable | bool | `false` | Create a helm pre-delete hook to cleanup webhooks. | -| webhooksCleanup.image | string | `"bitnami/kubectl:latest"` | `kubectl` image to run commands for deleting webhooks. | -| tufRootMountPath | string | `"/.sigstore"` | A writable volume to use for the TUF root initialization. | -| grafana.enabled | bool | `false` | Enable grafana dashboard creation. | -| grafana.namespace | string | `nil` | Namespace to create the grafana dashboard configmap. If not set, it will be created in the same namespace where the chart is deployed. | -| grafana.annotations | object | `{}` | Grafana dashboard configmap annotations. | +| config.resourceFilters | list | See [values.yaml](values.yaml) | Resource types to be skipped by the Kyverno policy engine. Make sure to surround each entry in quotes so that it doesn't get parsed as a nested YAML list. These are joined together without spaces, run through `tpl`, and the result is set in the config map. | +| config.webhooks | list | `[]` | Defines the `namespaceSelector` in the webhook configurations. Note that it takes a list of `namespaceSelector` and/or `objectSelector` in the JSON format, and only the first element will be forwarded to the webhook configurations. The Kyverno namespace is excluded if `excludeKyvernoNamespace` is `true` (default) | +| config.webhookAnnotations | object | `{}` | Defines annotations to set on webhook configurations. | +| config.excludeKyvernoNamespace | bool | `true` | Exclude Kyverno namespace Determines if default Kyverno namespace exclusion is enabled for webhooks and resourceFilters | +| config.resourceFiltersExcludeNamespaces | list | `[]` | resourceFilter namespace exclude Namespaces to exclude from the default resourceFilters | + +### Metrics config + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| metricsConfig.create | bool | `true` | Create the configmap. 
| +| metricsConfig.name | string | `nil` | The configmap name (required if `create` is `false`). | +| metricsConfig.annotations | object | `{}` | Additional annotations to add to the configmap. | +| metricsConfig.namespaces.include | list | `[]` | List of namespaces to capture metrics for. | +| metricsConfig.namespaces.exclude | list | `[]` | list of namespaces to NOT capture metrics for. | +| metricsConfig.metricsRefreshInterval | string | `nil` | Rate at which metrics should reset so as to clean up the memory footprint of kyverno metrics, if you might be expecting high memory footprint of Kyverno's metrics. Default: 0, no refresh of metrics | + +### Features + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| features.admissionReports.enabled | bool | `true` | Enables the feature | +| features.autoUpdateWebhooks.enabled | bool | `true` | Enables the feature | +| features.backgroundScan.enabled | bool | `true` | Enables the feature | +| features.backgroundScan.backgroundScanWorkers | int | `2` | Number of background scan workers | +| features.backgroundScan.backgroundScanInterval | string | `"1h"` | Background scan interval | +| features.backgroundScan.skipResourceFilters | bool | `true` | Skips resource filters in background scan | +| features.configMapCaching.enabled | bool | `true` | Enables the feature | +| features.dumpPayload.enabled | bool | `false` | Enables the feature | +| features.forceFailurePolicyIgnore.enabled | bool | `false` | Enables the feature | +| features.logging.format | string | `"text"` | Logging format | +| features.logging.verbosity | int | `2` | Logging verbosity | +| features.omitEvents.eventTypes | list | `[]` | Events which should not be emitted (possible values `PolicyViolation`, `PolicyApplied`, `PolicyError`, and `PolicySkipped`) | +| features.policyExceptions.enabled | bool | `false` | Enables the feature | +| features.policyExceptions.namespace | string | `""` | Restrict policy exceptions to a 
single namespace | +| features.protectManagedResources.enabled | bool | `false` | Enables the feature | +| features.registryClient.allowInsecure | bool | `false` | Allow insecure registry | +| features.registryClient.credentialHelpers | list | `["default","google","amazon","azure","github"]` | Enable registry client helpers | +| features.reports.chunkSize | int | `1000` | Reports chunk size | + +### Admission controller + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| admissionController.featuresOverride | object | `{}` | Overrides features defined at the root level | +| admissionController.rbac.create | bool | `true` | Create RBAC resources | +| admissionController.rbac.serviceAccount.name | string | `nil` | The ServiceAccount name | +| admissionController.rbac.serviceAccount.annotations | object | `{}` | Annotations for the ServiceAccount | +| admissionController.rbac.clusterRole.extraResources | list | `[]` | Extra resource permissions to add in the cluster role | +| admissionController.createSelfSignedCert | bool | `false` | Create self-signed certificates at deployment time. The certificates won't be automatically renewed if this is set to `true`. | +| admissionController.replicas | int | `nil` | Desired number of pods | +| admissionController.podLabels | object | `{}` | Additional labels to add to each pod | +| admissionController.podAnnotations | object | `{}` | Additional annotations to add to each pod | +| admissionController.updateStrategy | object | See [values.yaml](values.yaml) | Deployment update strategy. Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy | +| admissionController.priorityClassName | string | `""` | Optional priority class | +| admissionController.hostNetwork | bool | `false` | Change `hostNetwork` to `true` when you want the pod to share its host's network namespace. Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. 
Update the `dnsPolicy` accordingly as well to suit the host network mode. | +| admissionController.dnsPolicy | string | `"ClusterFirst"` | `dnsPolicy` determines the manner in which DNS resolution happens in the cluster. In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy. | +| admissionController.startupProbe | object | See [values.yaml](values.yaml) | Startup probe. The block is directly forwarded into the deployment, so you can use whatever startupProbes configuration you want. ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ | +| admissionController.livenessProbe | object | See [values.yaml](values.yaml) | Liveness probe. The block is directly forwarded into the deployment, so you can use whatever livenessProbe configuration you want. ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ | +| admissionController.readinessProbe | object | See [values.yaml](values.yaml) | Readiness Probe. The block is directly forwarded into the deployment, so you can use whatever readinessProbe configuration you want. ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ | +| admissionController.nodeSelector | object | `{}` | Node labels for pod assignment | +| admissionController.tolerations | list | `[]` | List of node taints to tolerate | +| admissionController.antiAffinity.enabled | bool | `true` | Pod antiAffinities toggle. Enabled by default but can be disabled if you want to schedule pods to the same node. | +| admissionController.podAntiAffinity | object | See [values.yaml](values.yaml) | Pod anti affinity constraints. | +| admissionController.podAffinity | object | `{}` | Pod affinity constraints. 
| +| admissionController.nodeAffinity | object | `{}` | Node affinity constraints. | +| admissionController.topologySpreadConstraints | list | `[]` | Topology spread constraints. | +| admissionController.podSecurityContext | object | `{}` | Security context for the pod | +| admissionController.podDisruptionBudget.minAvailable | int | `1` | Configures the minimum available pods for disruptions. Cannot be used if `maxUnavailable` is set. | +| admissionController.podDisruptionBudget.maxUnavailable | string | `nil` | Configures the maximum unavailable pods for disruptions. Cannot be used if `minAvailable` is set. | +| admissionController.tufRootMountPath | string | `"/.sigstore"` | A writable volume to use for the TUF root initialization. | +| admissionController.sigstoreVolume | object | `{"emptyDir":{}}` | Volume to be mounted in pods for TUF/cosign work. | +| admissionController.imagePullSecrets | list | `[]` | Image pull secrets | +| admissionController.initContainer.image.registry | string | `"ghcr.io"` | Image registry | +| admissionController.initContainer.image.repository | string | `"kyverno/kyvernopre"` | Image repository | +| admissionController.initContainer.image.tag | string | `nil` | Image tag If missing, defaults to image.tag | +| admissionController.initContainer.image.pullPolicy | string | `nil` | Image pull policy If missing, defaults to image.pullPolicy | +| admissionController.initContainer.resources.limits | object | `{"cpu":"100m","memory":"256Mi"}` | Pod resource limits | +| admissionController.initContainer.resources.requests | object | `{"cpu":"10m","memory":"64Mi"}` | Pod resource requests | +| admissionController.initContainer.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Container security context | +| admissionController.initContainer.extraArgs | object | `{}` | Additional 
container args. | +| admissionController.initContainer.extraEnvVars | list | `[]` | Additional container environment variables. | +| admissionController.container.image.registry | string | `"ghcr.io"` | Image registry | +| admissionController.container.image.repository | string | `"kyverno/kyverno"` | Image repository | +| admissionController.container.image.tag | string | `nil` | Image tag Defaults to appVersion in Chart.yaml if omitted | +| admissionController.container.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy | +| admissionController.container.resources.limits | object | `{"memory":"384Mi"}` | Pod resource limits | +| admissionController.container.resources.requests | object | `{"cpu":"100m","memory":"128Mi"}` | Pod resource requests | +| admissionController.container.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Container security context | +| admissionController.container.extraArgs | object | `{}` | Additional container args. | +| admissionController.container.extraEnvVars | list | `[]` | Additional container environment variables. | +| admissionController.extraInitContainers | list | `[]` | Array of extra init containers | +| admissionController.extraContainers | list | `[]` | Array of extra containers to run alongside kyverno | +| admissionController.service.port | int | `443` | Service port. | +| admissionController.service.type | string | `"ClusterIP"` | Service type. | +| admissionController.service.nodePort | string | `nil` | Service node port. Only used if `type` is `NodePort`. | +| admissionController.service.annotations | object | `{}` | Service annotations. | +| admissionController.metricsService.create | bool | `true` | Create service. | +| admissionController.metricsService.port | int | `8000` | Service port. Kyverno's metrics server will be exposed at this port. 
| +| admissionController.metricsService.type | string | `"ClusterIP"` | Service type. | +| admissionController.metricsService.nodePort | string | `nil` | Service node port. Only used if `type` is `NodePort`. | +| admissionController.metricsService.annotations | object | `{}` | Service annotations. | +| admissionController.networkPolicy.enabled | bool | `false` | When true, use a NetworkPolicy to allow ingress to the webhook This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup. | +| admissionController.networkPolicy.ingressFrom | list | `[]` | A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies. | +| admissionController.serviceMonitor.enabled | bool | `false` | Create a `ServiceMonitor` to collect Prometheus metrics. | +| admissionController.serviceMonitor.additionalLabels | object | `{}` | Additional labels | +| admissionController.serviceMonitor.namespace | string | `nil` | Override namespace | +| admissionController.serviceMonitor.interval | string | `"30s"` | Interval to scrape metrics | +| admissionController.serviceMonitor.scrapeTimeout | string | `"25s"` | Timeout if metrics can't be retrieved in given time interval | +| admissionController.serviceMonitor.secure | bool | `false` | Is TLS required for endpoint | +| admissionController.serviceMonitor.tlsConfig | object | `{}` | TLS Configuration for endpoint | +| admissionController.tracing.enabled | bool | `false` | Enable tracing | +| admissionController.tracing.address | string | `nil` | Traces receiver address | +| admissionController.tracing.port | string | `nil` | Traces receiver port | +| admissionController.tracing.creds | string | `""` | Traces receiver credentials | +| admissionController.metering.disabled | bool | `false` | Disable metrics export | +| admissionController.metering.config | string | `"prometheus"` | Otel configuration, can be `prometheus` or `grpc` | +| 
admissionController.metering.port | int | `8000` | Prometheus endpoint port | +| admissionController.metering.collector | string | `""` | Otel collector endpoint | +| admissionController.metering.creds | string | `""` | Otel collector credentials | + +### Background controller + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| backgroundController.featuresOverride | object | `{}` | Overrides features defined at the root level | +| backgroundController.enabled | bool | `true` | Enable background controller. | +| backgroundController.rbac.create | bool | `true` | Create RBAC resources | +| backgroundController.rbac.serviceAccount.name | string | `nil` | Service account name | +| backgroundController.rbac.serviceAccount.annotations | object | `{}` | Annotations for the ServiceAccount | +| backgroundController.rbac.clusterRole.extraResources | list | `[]` | Extra resource permissions to add in the cluster role | +| backgroundController.image.registry | string | `"ghcr.io"` | Image registry | +| backgroundController.image.repository | string | `"kyverno/background-controller"` | Image repository | +| backgroundController.image.tag | string | `nil` | Image tag Defaults to appVersion in Chart.yaml if omitted | +| backgroundController.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy | +| backgroundController.imagePullSecrets | list | `[]` | Image pull secrets | +| backgroundController.replicas | int | `nil` | Desired number of pods | +| backgroundController.podLabels | object | `{}` | Additional labels to add to each pod | +| backgroundController.podAnnotations | object | `{}` | Additional annotations to add to each pod | +| backgroundController.updateStrategy | object | See [values.yaml](values.yaml) | Deployment update strategy. 
Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy | +| backgroundController.priorityClassName | string | `""` | Optional priority class | +| backgroundController.hostNetwork | bool | `false` | Change `hostNetwork` to `true` when you want the pod to share its host's network namespace. Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. Update the `dnsPolicy` accordingly as well to suit the host network mode. | +| backgroundController.dnsPolicy | string | `"ClusterFirst"` | `dnsPolicy` determines the manner in which DNS resolution happens in the cluster. In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy. | +| backgroundController.extraArgs | object | `{}` | Extra arguments passed to the container on the command line | +| backgroundController.resources.limits | object | `{"memory":"128Mi"}` | Pod resource limits | +| backgroundController.resources.requests | object | `{"cpu":"100m","memory":"64Mi"}` | Pod resource requests | +| backgroundController.nodeSelector | object | `{}` | Node labels for pod assignment | +| backgroundController.tolerations | list | `[]` | List of node taints to tolerate | +| backgroundController.antiAffinity.enabled | bool | `true` | Pod antiAffinities toggle. Enabled by default but can be disabled if you want to schedule pods to the same node. | +| backgroundController.podAntiAffinity | object | See [values.yaml](values.yaml) | Pod anti affinity constraints. | +| backgroundController.podAffinity | object | `{}` | Pod affinity constraints. | +| backgroundController.nodeAffinity | object | `{}` | Node affinity constraints. | +| backgroundController.topologySpreadConstraints | list | `[]` | Topology spread constraints. 
| +| backgroundController.podSecurityContext | object | `{}` | Security context for the pod | +| backgroundController.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the containers | +| backgroundController.podDisruptionBudget.minAvailable | int | `1` | Configures the minimum available pods for disruptions. Cannot be used if `maxUnavailable` is set. | +| backgroundController.podDisruptionBudget.maxUnavailable | string | `nil` | Configures the maximum unavailable pods for disruptions. Cannot be used if `minAvailable` is set. | +| backgroundController.metricsService.create | bool | `true` | Create service. | +| backgroundController.metricsService.port | int | `8000` | Service port. Metrics server will be exposed at this port. | +| backgroundController.metricsService.type | string | `"ClusterIP"` | Service type. | +| backgroundController.metricsService.nodePort | string | `nil` | Service node port. Only used if `metricsService.type` is `NodePort`. | +| backgroundController.metricsService.annotations | object | `{}` | Service annotations. | +| backgroundController.networkPolicy.enabled | bool | `false` | When true, use a NetworkPolicy to allow ingress to the webhook This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup. | +| backgroundController.networkPolicy.ingressFrom | list | `[]` | A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies. | +| backgroundController.serviceMonitor.enabled | bool | `false` | Create a `ServiceMonitor` to collect Prometheus metrics. 
| +| backgroundController.serviceMonitor.additionalLabels | object | `{}` | Additional labels | +| backgroundController.serviceMonitor.namespace | string | `nil` | Override namespace | +| backgroundController.serviceMonitor.interval | string | `"30s"` | Interval to scrape metrics | +| backgroundController.serviceMonitor.scrapeTimeout | string | `"25s"` | Timeout if metrics can't be retrieved in given time interval | +| backgroundController.serviceMonitor.secure | bool | `false` | Is TLS required for endpoint | +| backgroundController.serviceMonitor.tlsConfig | object | `{}` | TLS Configuration for endpoint | +| backgroundController.tracing.enabled | bool | `false` | Enable tracing | +| backgroundController.tracing.address | string | `nil` | Traces receiver address | +| backgroundController.tracing.port | string | `nil` | Traces receiver port | +| backgroundController.tracing.creds | string | `""` | Traces receiver credentials | +| backgroundController.metering.disabled | bool | `false` | Disable metrics export | +| backgroundController.metering.config | string | `"prometheus"` | Otel configuration, can be `prometheus` or `grpc` | +| backgroundController.metering.port | int | `8000` | Prometheus endpoint port | +| backgroundController.metering.collector | string | `""` | Otel collector endpoint | +| backgroundController.metering.creds | string | `""` | Otel collector credentials | + +### Cleanup controller + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| cleanupController.featuresOverride | object | `{}` | Overrides features defined at the root level | | cleanupController.enabled | bool | `true` | Enable cleanup controller. 
| | cleanupController.rbac.create | bool | `true` | Create RBAC resources | | cleanupController.rbac.serviceAccount.name | string | `nil` | Service account name | +| cleanupController.rbac.serviceAccount.annotations | object | `{}` | Annotations for the ServiceAccount | | cleanupController.rbac.clusterRole.extraResources | list | `[]` | Extra resource permissions to add in the cluster role | | cleanupController.createSelfSignedCert | bool | `false` | Create self-signed certificates at deployment time. The certificates won't be automatically renewed if this is set to `true`. | -| cleanupController.image.registry | string | `nil` | Image registry | -| cleanupController.image.repository | string | `"ghcr.io/kyverno/cleanup-controller"` | Image repository | +| cleanupController.image.registry | string | `"ghcr.io"` | Image registry | +| cleanupController.image.repository | string | `"kyverno/cleanup-controller"` | Image repository | | cleanupController.image.tag | string | `nil` | Image tag Defaults to appVersion in Chart.yaml if omitted | | cleanupController.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy | -| cleanupController.image.pullSecrets | list | `[]` | Image pull secrets | +| cleanupController.imagePullSecrets | list | `[]` | Image pull secrets | | cleanupController.replicas | int | `nil` | Desired number of pods | +| cleanupController.podLabels | object | `{}` | Additional labels to add to each pod | +| cleanupController.podAnnotations | object | `{}` | Additional annotations to add to each pod | | cleanupController.updateStrategy | object | See [values.yaml](values.yaml) | Deployment update strategy. Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy | | cleanupController.priorityClassName | string | `""` | Optional priority class | | cleanupController.hostNetwork | bool | `false` | Change `hostNetwork` to `true` when you want the pod to share its host's network namespace. 
Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. Update the `dnsPolicy` accordingly as well to suit the host network mode. | | cleanupController.dnsPolicy | string | `"ClusterFirst"` | `dnsPolicy` determines the manner in which DNS resolution happens in the cluster. In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy. | -| cleanupController.extraArgs | list | `[]` | Extra arguments passed to the container on the command line | +| cleanupController.extraArgs | object | `{}` | Extra arguments passed to the container on the command line | | cleanupController.resources.limits | object | `{"memory":"128Mi"}` | Pod resource limits | | cleanupController.resources.requests | object | `{"cpu":"100m","memory":"64Mi"}` | Pod resource requests | | cleanupController.startupProbe | object | See [values.yaml](values.yaml) | Startup probe. The block is directly forwarded into the deployment, so you can use whatever startupProbes configuration you want. ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ | 
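Review bot: the cleanup controller rows rename `cleanupController.image.pullSecrets` to `cleanupController.imagePullSecrets` and change `cleanupController.extraArgs` from `list`/`[]` to `object`/`{}`; both silently break existing values files, so since the upgrade is gated on `upgrade.fromV2` these two changes should be listed explicitly in the v2-to-v3 migration notes that operators are told to review before flipping that switch. Also, the `backgroundController.networkPolicy.enabled` description reuses the admission controller wording `use a NetworkPolicy to allow ingress to the webhook`, but the background controller rows in this table expose only a metrics service; state which ingress the policy actually permits, and add the missing full stop before `This is useful` in the same cell.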
@@ -256,9 +493,11 @@ The command removes all the Kubernetes components associated with the chart and | cleanupController.metricsService.type | string | `"ClusterIP"` | Service type. | | cleanupController.metricsService.nodePort | string | `nil` | Service node port. Only used if `metricsService.type` is `NodePort`. | | cleanupController.metricsService.annotations | object | `{}` | Service annotations. | +| cleanupController.networkPolicy.enabled | bool | `false` | When true, use a NetworkPolicy to allow ingress to the webhook This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup. | +| cleanupController.networkPolicy.ingressFrom | list | `[]` | A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies. | | cleanupController.serviceMonitor.enabled | bool | `false` | Create a `ServiceMonitor` to collect Prometheus metrics. | -| cleanupController.serviceMonitor.additionalLabels | string | `nil` | Additional labels | -| cleanupController.serviceMonitor.namespace | string | `nil` | Override namespace (default is the same as kyverno) | +| cleanupController.serviceMonitor.additionalLabels | object | `{}` | Additional labels | +| cleanupController.serviceMonitor.namespace | string | `nil` | Override namespace | | cleanupController.serviceMonitor.interval | string | `"30s"` | Interval to scrape metrics | | cleanupController.serviceMonitor.scrapeTimeout | string | `"25s"` | Timeout if metrics can't be retrieved in given time interval | | cleanupController.serviceMonitor.secure | bool | `false` | Is TLS required for endpoint | 
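Review bot: dropping `(default is the same as kyverno)` from the `cleanupController.serviceMonitor.namespace` description removes the only statement of the fallback behaviour; keep a short note of where the `ServiceMonitor` is created when this is `nil`, since Prometheus operator namespace selectors depend on it. The type correction for `cleanupController.serviceMonitor.additionalLabels` (`string`/`nil` to `object`/`{}`) is right and now matches the other controllers, and the new `cleanupController.networkPolicy.*` rows carry the same `webhook This is useful` missing full stop as the other controllers' rows.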
@@ -267,18 +506,151 @@ The command removes all the Kubernetes components associated with the chart and | cleanupController.tracing.address | string | `nil` | Traces receiver address | | cleanupController.tracing.port | string | `nil` | Traces receiver port | | cleanupController.tracing.creds | string | `""` | Traces receiver credentials | -| cleanupController.logging.format | string | `"text"` | Logging format | | cleanupController.metering.disabled | bool | `false` | Disable metrics export | | cleanupController.metering.config | string | `"prometheus"` | Otel configuration, can be `prometheus` or `grpc` | | cleanupController.metering.port | int | `8000` | Prometheus endpoint port | | cleanupController.metering.collector | string | `""` | Otel collector endpoint | | cleanupController.metering.creds | string | `""` | Otel collector credentials | +### Reports controller + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| reportsController.featuresOverride | object | `{}` | Overrides features defined at the root level | +| reportsController.enabled | bool | `true` | Enable reports controller. 
| +| reportsController.rbac.create | bool | `true` | Create RBAC resources | +| reportsController.rbac.serviceAccount.name | string | `nil` | Service account name | +| reportsController.rbac.serviceAccount.annotations | object | `{}` | Annotations for the ServiceAccount | +| reportsController.rbac.clusterRole.extraResources | list | `[]` | Extra resource permissions to add in the cluster role | +| reportsController.image.registry | string | `"ghcr.io"` | Image registry | +| reportsController.image.repository | string | `"kyverno/reports-controller"` | Image repository | +| reportsController.image.tag | string | `nil` | Image tag Defaults to appVersion in Chart.yaml if omitted | +| reportsController.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy | +| reportsController.imagePullSecrets | list | `[]` | Image pull secrets | +| reportsController.replicas | int | `nil` | Desired number of pods | +| reportsController.podLabels | object | `{}` | Additional labels to add to each pod | +| reportsController.podAnnotations | object | `{}` | Additional annotations to add to each pod | +| reportsController.updateStrategy | object | See [values.yaml](values.yaml) | Deployment update strategy. Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy | +| reportsController.priorityClassName | string | `""` | Optional priority class | +| reportsController.hostNetwork | bool | `false` | Change `hostNetwork` to `true` when you want the pod to share its host's network namespace. Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. Update the `dnsPolicy` accordingly as well to suit the host network mode. | +| reportsController.dnsPolicy | string | `"ClusterFirst"` | `dnsPolicy` determines the manner in which DNS resolution happens in the cluster. In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`. 
For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy. | +| reportsController.extraArgs | object | `{}` | Extra arguments passed to the container on the command line | +| reportsController.resources.limits | object | `{"memory":"128Mi"}` | Pod resource limits | +| reportsController.resources.requests | object | `{"cpu":"100m","memory":"64Mi"}` | Pod resource requests | +| reportsController.nodeSelector | object | `{}` | Node labels for pod assignment | +| reportsController.tolerations | list | `[]` | List of node taints to tolerate | +| reportsController.antiAffinity.enabled | bool | `true` | Pod antiAffinities toggle. Enabled by default but can be disabled if you want to schedule pods to the same node. | +| reportsController.podAntiAffinity | object | See [values.yaml](values.yaml) | Pod anti affinity constraints. | +| reportsController.podAffinity | object | `{}` | Pod affinity constraints. | +| reportsController.nodeAffinity | object | `{}` | Node affinity constraints. | +| reportsController.topologySpreadConstraints | list | `[]` | Topology spread constraints. | +| reportsController.podSecurityContext | object | `{}` | Security context for the pod | +| reportsController.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the containers | +| reportsController.podDisruptionBudget.minAvailable | int | `1` | Configures the minimum available pods for disruptions. Cannot be used if `maxUnavailable` is set. | +| reportsController.podDisruptionBudget.maxUnavailable | string | `nil` | Configures the maximum unavailable pods for disruptions. Cannot be used if `minAvailable` is set. | +| reportsController.tufRootMountPath | string | `"/.sigstore"` | A writable volume to use for the TUF root initialization. 
| +| reportsController.sigstoreVolume | object | `{"emptyDir":{}}` | Volume to be mounted in pods for TUF/cosign work. | +| reportsController.metricsService.create | bool | `true` | Create service. | +| reportsController.metricsService.port | int | `8000` | Service port. Metrics server will be exposed at this port. | +| reportsController.metricsService.type | string | `"ClusterIP"` | Service type. | +| reportsController.metricsService.nodePort | string | `nil` | Service node port. Only used if `type` is `NodePort`. | +| reportsController.metricsService.annotations | object | `{}` | Service annotations. | +| reportsController.networkPolicy.enabled | bool | `false` | When true, use a NetworkPolicy to allow ingress to the webhook This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup. | +| reportsController.networkPolicy.ingressFrom | list | `[]` | A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies. | +| reportsController.serviceMonitor.enabled | bool | `false` | Create a `ServiceMonitor` to collect Prometheus metrics. 
| +| reportsController.serviceMonitor.additionalLabels | object | `{}` | Additional labels | +| reportsController.serviceMonitor.namespace | string | `nil` | Override namespace | +| reportsController.serviceMonitor.interval | string | `"30s"` | Interval to scrape metrics | +| reportsController.serviceMonitor.scrapeTimeout | string | `"25s"` | Timeout if metrics can't be retrieved in given time interval | +| reportsController.serviceMonitor.secure | bool | `false` | Is TLS required for endpoint | +| reportsController.serviceMonitor.tlsConfig | object | `{}` | TLS Configuration for endpoint | +| reportsController.tracing.enabled | bool | `false` | Enable tracing | +| reportsController.tracing.address | string | `nil` | Traces receiver address | +| reportsController.tracing.port | string | `nil` | Traces receiver port | +| reportsController.tracing.creds | string | `nil` | Traces receiver credentials | +| reportsController.metering.disabled | bool | `false` | Disable metrics export | +| reportsController.metering.config | string | `"prometheus"` | Otel configuration, can be `prometheus` or `grpc` | +| reportsController.metering.port | int | `8000` | Prometheus endpoint port | +| reportsController.metering.collector | string | `nil` | Otel collector endpoint | +| reportsController.metering.creds | string | `nil` | Otel collector credentials | + +### Grafana + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| grafana.enabled | bool | `false` | Enable grafana dashboard creation. | +| grafana.configMapName | string | `"{{ include \"kyverno.fullname\" . }}-grafana"` | Configmap name template. | +| grafana.namespace | string | `nil` | Namespace to create the grafana dashboard configmap. If not set, it will be created in the same namespace where the chart is deployed. | +| grafana.annotations | object | `{}` | Grafana dashboard configmap annotations. 
| + +### Webhooks cleanup + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| webhooksCleanup.enabled | bool | `false` | Create a helm pre-delete hook to cleanup webhooks. | +| webhooksCleanup.image | string | `"bitnami/kubectl:latest"` | `kubectl` image to run commands for deleting webhooks. | +| webhooksCleanup.imagePullSecrets | list | `[]` | Image pull secrets | + +### Test + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| test.image.registry | string | `nil` | Image registry | +| test.image.repository | string | `"busybox"` | Image repository | +| test.image.tag | string | `"1.35"` | Image tag Defaults to `latest` if omitted | +| test.image.pullPolicy | string | `nil` | Image pull policy Defaults to image.pullPolicy if omitted | +| test.resources.limits | object | `{"cpu":"100m","memory":"256Mi"}` | Pod resource limits | +| test.resources.requests | object | `{"cpu":"10m","memory":"64Mi"}` | Pod resource requests | +| test.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the test containers | + +### Api version override + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| apiVersionOverride.podDisruptionBudget | string | `nil` | Override api version used to create `PodDisruptionBudget`` resources. When not specified the chart will check if `policy/v1/PodDisruptionBudget` is available to determine the api version automatically. 
| + +### Cleanup jobs + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| cleanupJobs.admissionReports.enabled | bool | `true` | Enable cleanup cronjob | +| cleanupJobs.admissionReports.image.registry | string | `nil` | Image registry | +| cleanupJobs.admissionReports.image.repository | string | `"bitnami/kubectl"` | Image repository | +| cleanupJobs.admissionReports.image.tag | string | `"1.26.4"` | Image tag Defaults to `latest` if omitted | +| cleanupJobs.admissionReports.image.pullPolicy | string | `nil` | Image pull policy Defaults to image.pullPolicy if omitted | +| cleanupJobs.admissionReports.schedule | string | `"*/10 * * * *"` | Cronjob schedule | +| cleanupJobs.admissionReports.threshold | int | `10000` | Reports threshold, if number of reports are above this value the cronjob will start deleting them | +| cleanupJobs.admissionReports.history | object | `{"failure":1,"success":1}` | Cronjob history | +| cleanupJobs.admissionReports.podSecurityContext | object | `{}` | Security context for the pod | +| cleanupJobs.admissionReports.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the containers | +| cleanupJobs.clusterAdmissionReports.enabled | bool | `true` | Enable cleanup cronjob | +| cleanupJobs.clusterAdmissionReports.image.registry | string | `nil` | Image registry | +| cleanupJobs.clusterAdmissionReports.image.repository | string | `"bitnami/kubectl"` | Image repository | +| cleanupJobs.clusterAdmissionReports.image.tag | string | `"1.26.4"` | Image tag Defaults to `latest` if omitted | +| cleanupJobs.clusterAdmissionReports.image.pullPolicy | string | `nil` | Image pull policy Defaults to image.pullPolicy if omitted | +| cleanupJobs.clusterAdmissionReports.schedule | string | `"*/10 * * * *"` | Cronjob schedule | +| 
cleanupJobs.clusterAdmissionReports.threshold | int | `10000` | Reports threshold, if number of reports are above this value the cronjob will start deleting them | +| cleanupJobs.clusterAdmissionReports.history | object | `{"failure":1,"success":1}` | Cronjob history | +| cleanupJobs.clusterAdmissionReports.podSecurityContext | object | `{}` | Security context for the pod | +| cleanupJobs.clusterAdmissionReports.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the containers | + +### Other + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| nameOverride | string | `nil` | Override the name of the chart | +| fullnameOverride | string | `nil` | Override the expanded name of the chart | +| namespaceOverride | string | `nil` | Override the namespace the chart deploys to | +| upgrade.fromV2 | bool | `false` | Upgrading from v2 to v3 is not allowed by default, set this to true once changes have been reviewed. 
| +| imagePullSecrets | object | `{}` | Image pull secrets for image verification policies, this will define the `--imagePullSecrets` argument | +| existingImagePullSecrets | list | `[]` | Existing Image pull secrets for image verification policies, this will define the `--imagePullSecrets` argument | +| customLabels | object | `{}` | Additional labels | + ## TLS Configuration -If `createSelfSignedCert` is `true`, Helm will take care of the steps of creating an external self-signed certificate described in option 2 of the [installation documentation](https://kyverno.io/docs/installation/#option-2-use-your-own-ca-signed-certificate) +If `admissionController.createSelfSignedCert` is `true`, Helm will take care of the steps of creating an external self-signed certificate described in option 2 of the [installation documentation](https://kyverno.io/docs/installation/#option-2-use-your-own-ca-signed-certificate) -If `createSelfSignedCert` is `false`, Kyverno will generate a self-signed CA and a certificate, or you can provide your own TLS CA and signed-key pair and create the secret yourself as described in the [documentation](https://kyverno.io/docs/installation/#customize-the-installation-of-kyverno). +If `admissionController.createSelfSignedCert` is `false`, Kyverno will generate a self-signed CA and a certificate, or you can provide your own TLS CA and signed-key pair and create the secret yourself as described in the [documentation](https://kyverno.io/docs/installation/#customize-the-installation-of-kyverno). ## Default resource filters diff --git a/scripts/helmcharts/toolings/charts/kyverno/grafana/dashboard.json b/scripts/helmcharts/toolings/charts/kyverno/grafana/dashboard.json index e7fe1bd65..a7b528495 100644 --- a/scripts/helmcharts/toolings/charts/kyverno/grafana/dashboard.json +++ b/scripts/helmcharts/toolings/charts/kyverno/grafana/dashboard.json 
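Review bot: `webhooksCleanup.image` defaults to `bitnami/kubectl:latest`, a mutable tag, for a pre-delete hook whose job is to delete webhook configurations; pin it the way `cleanupJobs.admissionReports.image.tag` is pinned to `1.26.4` (or use a digest) so the image executing that hook cannot change underneath a release. Two smaller points in the same tables: `reportsController.tracing.creds`, `reportsController.metering.collector` and `reportsController.metering.creds` default to `nil` where every other controller defaults them to `""`, which can change how the corresponding container arguments render, and the `apiVersionOverride.podDisruptionBudget` description has a stray extra backtick after `PodDisruptionBudget`.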
@@ -2847,8 +2847,8 @@ }, "timepicker": {}, "timezone": "", - "title": "Kyverno", + "title": "Kyverno Metrics", "folder": "Kyverno", "uid": "Rg8lWBG7k", "version": "1.4.3" -} \ No newline at end of file +} diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/NOTES.txt b/scripts/helmcharts/toolings/charts/kyverno/templates/NOTES.txt index 7955e169e..5cb16e150 100644 --- a/scripts/helmcharts/toolings/charts/kyverno/templates/NOTES.txt +++ b/scripts/helmcharts/toolings/charts/kyverno/templates/NOTES.txt 
@@ -1,12 +1,30 @@ Chart version: {{ .Chart.Version }} -Kyverno version: {{ default .Chart.AppVersion (default .Values.image.tag .Values.initImage.tag) }} +Kyverno version: {{ default .Chart.AppVersion (default .Values.admissionController.container.image.tag .Values.admissionController.initContainer.image.tag) }} Thank you for installing {{ .Chart.Name }}! Your release is named {{ .Release.Name }}. -{{- if not .Values.replicaCount }} -⚠️ WARNING: Setting replicas count below 3 means Kyverno is not running in high availability mode. -{{- else if lt (int .Values.replicaCount) 3 }} -⚠️ WARNING: Setting replicas count below 3 means Kyverno is not running in high availability mode. +The following components have been installed in your cluster: +{{- if .Values.crds.install }} +- CRDs +{{- end }} +- Admission controller +{{- if .Values.reportsController.enabled }} +- Reports controller +{{- end }} +{{- if .Values.cleanupController.enabled }} +- Cleanup controller +{{- end }} +{{- if .Values.backgroundController.enabled }} +- Background controller +{{- end }} +{{- if .Values.grafana.enabled }} +- Grafana dashboard +{{- end }} + +{{ if not .Values.admissionController.replicas }} +⚠️ WARNING: Setting the admission controller replica count below 3 means Kyverno is not running in high availability mode. +{{- else if lt (int .Values.admissionController.replicas) 3 }} +⚠️ WARNING: Setting the admission controller replica count below 3 means Kyverno is not running in high availability mode. {{- end }} 💡 Note: There is a trade-off when deciding which approach to take regarding Namespace exclusions. Please see the documentation at https://kyverno.io/docs/installation/#security-vs-operability to understand the risks. diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/_helpers.tpl b/scripts/helmcharts/toolings/charts/kyverno/templates/_helpers.tpl index b3354e960..e98df2411 100644 --- a/scripts/helmcharts/toolings/charts/kyverno/templates/_helpers.tpl 
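Review bot: in the `Kyverno version:` line the nested `default` gives `admissionController.initContainer.image.tag` precedence over `admissionController.container.image.tag` (Helm's `default` returns its second argument whenever that is non-empty), so when both tags are overridden the notes print the `kyvernopre` init image tag rather than the tag of the Kyverno image actually serving admission; swap the two arguments so the main container tag wins, e.g. `{{ default .Chart.AppVersion (default .Values.admissionController.initContainer.image.tag .Values.admissionController.container.image.tag) }}`. The replica warning keeps its original logic with only the value path updated, which is fine.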
+++ b/scripts/helmcharts/toolings/charts/kyverno/templates/_helpers.tpl 
@@ -1,204 +1,62 @@ {{/* vim: set filetype=mustache: */}} -{{/* Expand the name of the chart. */}} -{{- define "kyverno.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "kyverno.fullname" -}} -{{- if .Values.fullnameOverride -}} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} -{{- end -}} - -{{/* Create chart name and version as used by the chart label. */}} -{{- define "kyverno.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* Helm labels */}} -{{- define "kyverno.helmLabels" -}} -{{- if not .Values.templating.enabled -}} -helm.sh/chart: {{ template "kyverno.chart" . 
}} -app.kubernetes.io/managed-by: {{ .Release.Service }} -{{- end -}} -{{- end -}} - -{{/* Version labels */}} -{{- define "kyverno.versionLabels" -}} +{{- define "kyverno.chartVersion" -}} {{- if .Values.templating.enabled -}} -app.kubernetes.io/version: {{ required "templating.version is required when templating.enabled is true" .Values.templating.version | replace "+" "_" }} + {{- required "templating.version is required when templating.enabled is true" .Values.templating.version | replace "+" "_" -}} {{- else -}} -app.kubernetes.io/version: {{ .Chart.Version | replace "+" "_" }} + {{- .Chart.Version | replace "+" "_" -}} {{- end -}} {{- end -}} -{{/* CRD labels */}} -{{- define "kyverno.crdLabels" -}} -app.kubernetes.io/component: kyverno -{{- with (include "kyverno.helmLabels" .) }} -{{ . }} -{{- end }} -{{- with (include "kyverno.matchLabels" .) }} -{{ . }} -{{- end }} -app.kubernetes.io/part-of: {{ template "kyverno.name" . }} -{{- with (include "kyverno.versionLabels" .) }} -{{ . }} -{{- end }} +{{- define "kyverno.features.flags" -}} +{{- $flags := list -}} +{{- with .admissionReports -}} + {{- $flags = append $flags (print "--admissionReports=" .enabled) -}} {{- end -}} - -{{/* Helm required labels */}} -{{- define "kyverno.labels" -}} -app.kubernetes.io/component: kyverno -{{- with (include "kyverno.helmLabels" .) }} -{{ . }} -{{- end }} -{{- with (include "kyverno.matchLabels" .) }} -{{ . }} -{{- end }} -app.kubernetes.io/part-of: {{ template "kyverno.name" . }} -{{- with (include "kyverno.versionLabels" .) }} -{{ . }} -{{- end }} -{{- if .Values.customLabels }} -{{ toYaml .Values.customLabels }} -{{- end }} +{{- with .autoUpdateWebhooks -}} + {{- $flags = append $flags (print "--autoUpdateWebhooks=" .enabled) -}} {{- end -}} - -{{/* Helm required labels */}} -{{- define "kyverno.test-labels" -}} -{{- with (include "kyverno.helmLabels" .) }} -{{ . 
}} -{{- end }} -app: kyverno -app.kubernetes.io/component: kyverno -app.kubernetes.io/instance: {{ .Release.Name }} -app.kubernetes.io/name: {{ template "kyverno.name" . }}-test -app.kubernetes.io/part-of: {{ template "kyverno.name" . }} -app.kubernetes.io/version: "{{ .Chart.Version | replace "+" "_" }}" +{{- with .backgroundScan -}} + {{- $flags = append $flags (print "--backgroundScan=" .enabled) -}} + {{- $flags = append $flags (print "--backgroundScanWorkers=" .backgroundScanWorkers) -}} + {{- $flags = append $flags (print "--backgroundScanInterval=" .backgroundScanInterval) -}} + {{- $flags = append $flags (print "--skipResourceFilters=" .skipResourceFilters) -}} {{- end -}} - -{{/* matchLabels */}} -{{- define "kyverno.matchLabels" -}} -{{- if .Values.templating.enabled -}} -app: kyverno -{{- end }} -app.kubernetes.io/name: {{ template "kyverno.name" . }} -{{- if not .Values.templating.enabled }} -app.kubernetes.io/instance: {{ .Release.Name }} -{{- end }} +{{- with .configMapCaching -}} + {{- $flags = append $flags (print "--enableConfigMapCaching=" .enabled) -}} {{- end -}} - -{{/* Get the config map name. */}} -{{- define "kyverno.configMapName" -}} -{{- printf "%s" (default (include "kyverno.fullname" .) .Values.config.existingConfig) -}} +{{- with .dumpPayload -}} + {{- $flags = append $flags (print "--dumpPayload=" .enabled) -}} {{- end -}} - -{{/* Get the metrics config map name. */}} -{{- define "kyverno.metricsConfigMapName" -}} -{{- printf "%s" (default (printf "%s-metrics" (include "kyverno.fullname" .)) .Values.config.existingMetricsConfig) -}} +{{- with .forceFailurePolicyIgnore -}} + {{- $flags = append $flags (print "--forceFailurePolicyIgnore=" .enabled) -}} {{- end -}} - -{{/* Get the namespace name. 
*/}} -{{- define "kyverno.namespace" -}} -{{- if .Values.namespace -}} - {{- .Values.namespace -}} -{{- else -}} - {{- .Release.Namespace -}} +{{- with .logging -}} + {{- $flags = append $flags (print "--loggingFormat=" .format) -}} + {{- $flags = append $flags (print "--v=" (join "," .verbosity)) -}} {{- end -}} -{{- end -}} - -{{/* Create the name of the service to use */}} -{{- define "kyverno.serviceName" -}} -{{- printf "%s-svc" (include "kyverno.fullname" .) | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* Create the name of the service account to use */}} -{{- define "kyverno.serviceAccountName" -}} -{{- if .Values.rbac.serviceAccount.create -}} - {{ default (include "kyverno.fullname" .) .Values.rbac.serviceAccount.name }} -{{- else -}} - {{ default "default" .Values.rbac.serviceAccount.name }} -{{- end -}} -{{- end -}} - -{{/* Create the default PodDisruptionBudget to use */}} -{{- define "kyverno.podDisruptionBudget.spec" -}} -{{- if and .Values.podDisruptionBudget.minAvailable .Values.podDisruptionBudget.maxUnavailable }} -{{- fail "Cannot set both .Values.podDisruptionBudget.minAvailable and .Values.podDisruptionBudget.maxUnavailable" -}} -{{- end }} -{{- if not .Values.podDisruptionBudget.maxUnavailable }} -minAvailable: {{ default 1 .Values.podDisruptionBudget.minAvailable }} -{{- end }} -{{- if .Values.podDisruptionBudget.maxUnavailable }} -maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }} -{{- end }} -{{- end }} - -{{- define "kyverno.securityContext" -}} -{{- if semverCompare "<1.19" .Capabilities.KubeVersion.Version }} -{{ toYaml (omit .Values.securityContext "seccompProfile") }} -{{- else }} -{{ toYaml .Values.securityContext }} -{{- end }} -{{- end }} - -{{- define "kyverno.testSecurityContext" -}} -{{- if semverCompare "<1.19" .Capabilities.KubeVersion.Version }} -{{ toYaml (omit .Values.testSecurityContext "seccompProfile") }} -{{- else }} -{{ toYaml .Values.testSecurityContext }} -{{- end }} -{{- end }} - -{{- define 
"kyverno.imagePullSecret" }} -{{- printf "{\"auths\":{\"%s\":{\"auth\":\"%s\"}}}" .registry (printf "%s:%s" .username .password | b64enc) | b64enc }} -{{- end }} - -{{- define "kyverno.image" -}} - {{- if .image.registry -}} -{{ .image.registry }}/{{ required "An image repository is required" .image.repository }}:{{ default .defaultTag .image.tag }} - {{- else -}} -{{ required "An image repository is required" .image.repository }}:{{ default .defaultTag .image.tag }} +{{- with .omitEvents -}} + {{- with .eventTypes -}} + {{- $flags = append $flags (print "--omit-events=" (join "," .)) -}} {{- end -}} -{{- end }} - -{{- define "kyverno.resourceFilters" -}} -{{- $resourceFilters := .Values.config.resourceFilters }} -{{- if .Values.excludeKyvernoNamespace }} - {{- $resourceFilters = prepend .Values.config.resourceFilters (printf "[*,%s,*]" (include "kyverno.namespace" .)) }} -{{- end }} -{{- range $exclude := .Values.resourceFiltersExcludeNamespaces }} - {{- range $filter := $resourceFilters }} - {{- if (contains (printf ",%s," $exclude) $filter) }} - {{- $resourceFilters = without $resourceFilters $filter }} - {{- end }} - {{- end }} -{{- end }} -{{- tpl (join "" $resourceFilters) . 
}} -{{- end }} - -{{- define "kyverno.webhooks" -}} -{{- $excludeDefault := dict "key" "kubernetes.io/metadata.name" "operator" "NotIn" "values" (list (include "kyverno.namespace" .)) }} -{{- $newWebhook := list }} -{{- range $webhook := .Values.config.webhooks }} - {{- $namespaceSelector := default dict $webhook.namespaceSelector }} - {{- $matchExpressions := default list $namespaceSelector.matchExpressions }} - {{- $newNamespaceSelector := dict "matchLabels" $namespaceSelector.matchLabels "matchExpressions" (append $matchExpressions $excludeDefault) }} - {{- $newWebhook = append $newWebhook (merge (omit $webhook "namespaceSelector") (dict "namespaceSelector" $newNamespaceSelector)) }} -{{- end }} -{{- $newWebhook | toJson }} -{{- end }} +{{- end -}} +{{- with .policyExceptions -}} + {{- $flags = append $flags (print "--enablePolicyException=" .enabled) -}} + {{- with .namespace -}} + {{- $flags = append $flags (print "--exceptionNamespace=" .) -}} + {{- end -}} +{{- end -}} +{{- with .protectManagedResources -}} + {{- $flags = append $flags (print "--protectManagedResources=" .enabled) -}} +{{- end -}} +{{- with .reports -}} + {{- $flags = append $flags (print "--reportsChunkSize=" .chunkSize) -}} +{{- end -}} +{{- with .registryClient -}} + {{- $flags = append $flags (print "--allowInsecureRegistry=" .allowInsecure) -}} + {{- $flags = append $flags (print "--registryCredentialHelpers=" (join "," .credentialHelpers)) -}} +{{- end -}} +{{- with $flags -}} + {{- toYaml . -}} +{{- end -}} +{{- end -}} diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/_helpers/_deployment.tpl b/scripts/helmcharts/toolings/charts/kyverno/templates/_helpers/_deployment.tpl new file mode 100644 index 000000000..2b6ed419e --- /dev/null +++ b/scripts/helmcharts/toolings/charts/kyverno/templates/_helpers/_deployment.tpl 
@@ -0,0 +1,8 @@ +{{/* vim: set filetype=mustache: */}} + +{{- define "kyverno.deployment.replicas" -}} + {{- if eq (int (default 1 .)) 0 -}} + {{- fail "Kyverno does not support running with 0 replicas. Please provide a non-zero integer value." -}} + {{- end -}} + {{- . -}} +{{- end -}} diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/_helpers/_image.tpl b/scripts/helmcharts/toolings/charts/kyverno/templates/_helpers/_image.tpl new file mode 100644 index 000000000..87d6d3b60 --- /dev/null +++ b/scripts/helmcharts/toolings/charts/kyverno/templates/_helpers/_image.tpl @@ -0,0 +1,13 @@ +{{/* vim: set filetype=mustache: */}} + +{{- define "kyverno.image" -}} +{{- $tag := default .defaultTag .image.tag -}} +{{- if not (typeIs "string" $tag) -}} + {{ fail "Image tags must be strings." }} +{{- end -}} +{{- if .image.registry -}} + {{- print .image.registry "/" (required "An image repository is required" .image.repository) ":" $tag -}} +{{- else -}} + {{- print (required "An image repository is required" .image.repository) ":" $tag -}} +{{- end -}} +{{- end -}} diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/_helpers/_labels.tpl b/scripts/helmcharts/toolings/charts/kyverno/templates/_helpers/_labels.tpl new file mode 100644 index 000000000..820778112 --- /dev/null +++ b/scripts/helmcharts/toolings/charts/kyverno/templates/_helpers/_labels.tpl 
@@ -0,0 +1,43 @@ +{{/* vim: set filetype=mustache: */}} + +{{- define "kyverno.labels.merge" -}} +{{- $labels := dict -}} +{{- range . -}} + {{- $labels = merge $labels (fromYaml .) -}} +{{- end -}} +{{- with $labels -}} + {{- toYaml $labels -}} +{{- end -}} +{{- end -}} + +{{- define "kyverno.labels.helm" -}} +{{- if not .Values.templating.enabled -}} +helm.sh/chart: {{ template "kyverno.chart" . }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} +{{- end -}} + +{{- define "kyverno.labels.version" -}} +app.kubernetes.io/version: {{ template "kyverno.chartVersion" . }} +{{- end -}} + +{{- define "kyverno.labels.common" -}} +{{- template "kyverno.labels.merge" (list + (include "kyverno.labels.helm" .) + (include "kyverno.labels.version" .) + (toYaml .Values.customLabels) +) -}} +{{- end -}} + +{{- define "kyverno.matchLabels.common" -}} +app.kubernetes.io/part-of: {{ template "kyverno.fullname" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} + +{{- define "kyverno.labels.component" -}} +app.kubernetes.io/component: {{ . }} +{{- end -}} + +{{- define "kyverno.labels.name" -}} +app.kubernetes.io/name: {{ . }} +{{- end -}} diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/_helpers/_names.tpl b/scripts/helmcharts/toolings/charts/kyverno/templates/_helpers/_names.tpl new file mode 100644 index 000000000..90ed08f6c --- /dev/null +++ b/scripts/helmcharts/toolings/charts/kyverno/templates/_helpers/_names.tpl 
@@ -0,0 +1,26 @@ +{{/* vim: set filetype=mustache: */}} + +{{- define "kyverno.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{- define "kyverno.fullname" -}} +{{- if .Values.fullnameOverride -}} + {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} + {{- $name := default .Chart.Name .Values.nameOverride -}} + {{- if contains $name .Release.Name -}} + {{- .Release.Name | trunc 63 | trimSuffix "-" -}} + {{- else -}} + {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} + {{- end -}} +{{- end -}} +{{- end -}} + +{{- define "kyverno.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{- define "kyverno.namespace" -}} +{{ default .Release.Namespace .Values.namespaceOverride }} +{{- end -}} diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/_helpers/_pdb.tpl b/scripts/helmcharts/toolings/charts/kyverno/templates/_helpers/_pdb.tpl new file mode 100644 index 000000000..4d4af9059 --- /dev/null +++ b/scripts/helmcharts/toolings/charts/kyverno/templates/_helpers/_pdb.tpl @@ -0,0 +1,23 @@ +{{/* vim: set filetype=mustache: */}} + +{{- define "kyverno.pdb.apiVersion" -}} +{{- if .Values.apiVersionOverride.podDisruptionBudget -}} + {{- .Values.apiVersionOverride.podDisruptionBudget -}} +{{- else if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" -}} + policy/v1 +{{- else -}} + policy/v1beta1 +{{- end -}} +{{- end -}} + +{{- define "kyverno.pdb.spec" -}} +{{- if and .minAvailable .maxUnavailable -}} + {{- fail "Cannot set both .minAvailable and .maxUnavailable" -}} +{{- end -}} +{{- if not .maxUnavailable }} +minAvailable: {{ default 1 .minAvailable }} +{{- end }} +{{- if .maxUnavailable }} +maxUnavailable: {{ .maxUnavailable }} +{{- end }} +{{- end -}} 
diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/_templating/_helpers.tpl b/scripts/helmcharts/toolings/charts/kyverno/templates/_templating/_helpers.tpl new file mode 100644 index 000000000..36650be3d --- /dev/null +++ b/scripts/helmcharts/toolings/charts/kyverno/templates/_templating/_helpers.tpl @@ -0,0 +1,8 @@ +{{/* vim: set filetype=mustache: */}} + +{{- define "kyverno.templating.labels" -}} +{{- template "kyverno.labels.merge" (list + (include "kyverno.labels.common" .) + (include "kyverno.matchLabels.common" .) +) -}} +{{- end -}} diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/_templating/namespace.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/_templating/namespace.yaml new file mode 100644 index 000000000..b213c83fe --- /dev/null +++ b/scripts/helmcharts/toolings/charts/kyverno/templates/_templating/namespace.yaml @@ -0,0 +1,8 @@ +{{- if .Values.templating.enabled -}} +apiVersion: v1 +kind: Namespace +metadata: + name: {{ include "kyverno.namespace" . }} + labels: + {{- include "kyverno.templating.labels" . | nindent 4 }} +{{- end -}} diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/admission-controller/_helpers.tpl b/scripts/helmcharts/toolings/charts/kyverno/templates/admission-controller/_helpers.tpl new file mode 100644 index 000000000..2c9ece0a2 --- /dev/null +++ b/scripts/helmcharts/toolings/charts/kyverno/templates/admission-controller/_helpers.tpl 
@@ -0,0 +1,35 @@ +{{/* vim: set filetype=mustache: */}} + +{{- define "kyverno.admission-controller.name" -}} +{{ template "kyverno.name" . }}-admission-controller +{{- end -}} + +{{- define "kyverno.admission-controller.labels" -}} +{{- template "kyverno.labels.merge" (list + (include "kyverno.labels.common" .) + (include "kyverno.admission-controller.matchLabels" .) +) -}} +{{- end -}} + +{{- define "kyverno.admission-controller.matchLabels" -}} +{{- template "kyverno.labels.merge" (list + (include "kyverno.matchLabels.common" .) + (include "kyverno.labels.component" "admission-controller") +) -}} +{{- end -}} + +{{- define "kyverno.admission-controller.roleName" -}} +{{ include "kyverno.fullname" . }}:admission-controller +{{- end -}} + +{{- define "kyverno.admission-controller.serviceAccountName" -}} +{{- if .Values.admissionController.rbac.create -}} + {{ default (include "kyverno.admission-controller.name" .) .Values.admissionController.rbac.serviceAccount.name }} +{{- else -}} + {{ required "A service account name is required when `rbac.create` is set to `false`" .Values.admissionController.rbac.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{- define "kyverno.admission-controller.serviceName" -}} +{{- printf "%s-svc" (include "kyverno.fullname" .) | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/admission-controller/clusterrole.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/admission-controller/clusterrole.yaml new file mode 100644 index 000000000..937eb2303 --- /dev/null +++ b/scripts/helmcharts/toolings/charts/kyverno/templates/admission-controller/clusterrole.yaml 
@@ -0,0 +1,116 @@ +{{- if .Values.admissionController.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "kyverno.admission-controller.roleName" . }} + labels: + {{- include "kyverno.admission-controller.labels" . | nindent 4 }} +aggregationRule: + clusterRoleSelectors: + - matchLabels: + {{- include "kyverno.admission-controller.matchLabels" . | nindent 8 }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "kyverno.admission-controller.roleName" . }}:core + labels: + {{- include "kyverno.admission-controller.labels" . | nindent 4 }} +rules: + - apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection + - apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - clusterroles + - rolebindings + - clusterrolebindings + verbs: + - watch + - list + - apiGroups: + - kyverno.io + resources: + - policies + - policies/status + - clusterpolicies + - clusterpolicies/status + - updaterequests + - updaterequests/status + - admissionreports + - clusteradmissionreports + - backgroundscanreports + - clusterbackgroundscanreports + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection + - apiGroups: + - wgpolicyk8s.io + resources: + - policyreports + - policyreports/status + - clusterpolicyreports + - clusterpolicyreports/status + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection + - apiGroups: + - '' + - events.k8s.io + resources: + - events + verbs: + - create + - update + - patch + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create + - apiGroups: + - '*' + resources: + - '*' + verbs: + - get + - list + - watch +{{- with 
.Values.admissionController.rbac.clusterRole.extraResources }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "kyverno.admission-controller.roleName" $ }}:additional + labels: + {{- include "kyverno.admission-controller.labels" $ | nindent 4 }} +rules: + {{- toYaml . | nindent 2 }} +{{- end }} +{{- end }} diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/admission-controller/clusterrolebinding.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/admission-controller/clusterrolebinding.yaml new file mode 100644 index 000000000..6272deec4 --- /dev/null +++ b/scripts/helmcharts/toolings/charts/kyverno/templates/admission-controller/clusterrolebinding.yaml @@ -0,0 +1,16 @@ +{{- if .Values.admissionController.rbac.create -}} +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "kyverno.admission-controller.roleName" . }} + labels: + {{- include "kyverno.admission-controller.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "kyverno.admission-controller.roleName" . }} +subjects: + - kind: ServiceAccount + name: {{ template "kyverno.admission-controller.serviceAccountName" . }} + namespace: {{ template "kyverno.namespace" . }} +{{- end -}} diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/admission-controller/deployment.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/admission-controller/deployment.yaml new file mode 100644 index 000000000..1379b79e5 --- /dev/null +++ b/scripts/helmcharts/toolings/charts/kyverno/templates/admission-controller/deployment.yaml 
@@ -0,0 +1,221 @@ +{{- if not .Values.templating.debug -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "kyverno.admission-controller.name" . }} + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.admission-controller.labels" . | nindent 4 }} +spec: + replicas: {{ template "kyverno.deployment.replicas" .Values.admissionController.replicas }} + {{- with .Values.admissionController.updateStrategy }} + strategy: + {{- toYaml . | nindent 4 }} + {{- end }} + selector: + matchLabels: + {{- include "kyverno.admission-controller.matchLabels" . | nindent 6 }} + template: + metadata: + labels: + {{- include "kyverno.admission-controller.labels" . | nindent 8 }} + {{- with .Values.admissionController.podLabels }} + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.admissionController.podAnnotations }} + annotations: {{ tpl (toYaml .) $ | nindent 8 }} + {{- end }} + spec: + {{- with .Values.admissionController.container.imagePullSecrets }} + imagePullSecrets: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.admissionController.podSecurityContext }} + securityContext: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.admissionController.nodeSelector }} + nodeSelector: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.admissionController.tolerations }} + tolerations: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.admissionController.topologySpreadConstraints }} + topologySpreadConstraints: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.admissionController.priorityClassName }} + priorityClassName: {{ . | quote }} + {{- end }} + {{- with .Values.admissionController.hostNetwork }} + hostNetwork: {{ . }} + {{- end }} + {{- with .Values.admissionController.dnsPolicy }} + dnsPolicy: {{ . 
}} + {{- end }} + {{- if or .Values.admissionController.antiAffinity.enable .Values.admissionController.podAffinity .Values.admissionController.nodeAffinity }} + affinity: + {{- if .Values.admissionController.antiAffinity.enabled }} + {{- with .Values.admissionController.podAntiAffinity }} + podAntiAffinity: + {{- tpl (toYaml .) $ | nindent 10 }} + {{- end }} + {{- end }} + {{- with .Values.admissionController.podAffinity }} + podAffinity: + {{- tpl (toYaml .) $ | nindent 10 }} + {{- end }} + {{- with .Values.admissionController.nodeAffinity }} + nodeAffinity: + {{- tpl (toYaml .) $ | nindent 10 }} + {{- end }} + {{- end }} + serviceAccountName: {{ template "kyverno.admission-controller.serviceAccountName" . }} + initContainers: + {{- with .Values.admissionController.extraInitContainers }} + {{- toYaml . | nindent 8 }} + {{- end }} + - name: kyverno-pre + image: {{ include "kyverno.image" (dict "image" .Values.admissionController.initContainer.image "defaultTag" (default .Chart.AppVersion .Values.admissionController.container.image.tag)) | quote }} + imagePullPolicy: {{ default .Values.admissionController.container.image.pullPolicy .Values.admissionController.initContainer.image.pullPolicy }} + args: + {{- include "kyverno.features.flags" (pick (mergeOverwrite .Values.features .Values.admissionController.featuresOverride) + "logging" + ) | nindent 12 }} + {{- range $key, $value := .Values.admissionController.initContainer.extraArgs }} + {{- if $value }} + - --{{ $key }}={{ $value }} + {{- end }} + {{- end }} + {{- with .Values.admissionController.initContainer.resources }} + resources: + {{- tpl (toYaml .) $ | nindent 12 }} + {{- end }} + {{- with .Values.admissionController.initContainer.securityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} + env: + - name: METRICS_CONFIG + value: {{ template "kyverno.config.metricsConfigMapName" . 
}} + - name: KYVERNO_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: KYVERNO_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KYVERNO_DEPLOYMENT + value: {{ template "kyverno.fullname" . }} + {{- with .Values.admissionController.initContainer.extraEnvVars }} + {{- toYaml . | nindent 10 }} + {{- end }} + containers: + {{- with .Values.admissionController.extraContainers }} + {{- toYaml . | nindent 8 }} + {{- end }} + - name: kyverno + image: {{ include "kyverno.image" (dict "image" .Values.admissionController.container.image "defaultTag" .Chart.AppVersion) | quote }} + imagePullPolicy: {{ .Values.admissionController.container.image.pullPolicy }} + args: + - --backgroundServiceAccountName=system:serviceaccount:{{ include "kyverno.namespace" . }}:{{ include "kyverno.background-controller.serviceAccountName" . }} + - --servicePort={{ .Values.admissionController.service.port }} + {{- if .Values.admissionController.tracing.enabled }} + - --enableTracing + - --tracingAddress={{ .Values.admissionController.tracing.address }} + - --tracingPort={{ .Values.admissionController.tracing.port }} + {{- with .Values.admissionController.tracing.creds }} + - --tracingCreds={{ . }} + {{- end }} + {{- end }} + - --disableMetrics={{ .Values.admissionController.metering.disabled }} + {{- if not .Values.admissionController.metering.disabled }} + - --otelConfig={{ .Values.admissionController.metering.config }} + - --metricsPort={{ .Values.admissionController.metering.port }} + {{- with .Values.admissionController.metering.collector }} + - --otelCollector={{ . }} + {{- end }} + {{- with .Values.admissionController.metering.creds }} + - --transportCreds={{ . 
}} + {{- end }} + {{- end }} + {{- if or .Values.imagePullSecrets .Values.existingImagePullSecrets }} + - --imagePullSecrets={{- join "," (concat (keys .Values.imagePullSecrets) .Values.existingImagePullSecrets) }} + {{- end }} + {{- include "kyverno.features.flags" (pick (mergeOverwrite .Values.features .Values.admissionController.featuresOverride) + "admissionReports" + "autoUpdateWebhooks" + "configMapCaching" + "dumpPayload" + "forceFailurePolicyIgnore" + "logging" + "omitEvents" + "policyExceptions" + "protectManagedResources" + "registryClient" + ) | nindent 12 }} + {{- range $key, $value := .Values.admissionController.container.extraArgs }} + {{- if $value }} + - --{{ $key }}={{ $value }} + {{- end }} + {{- end }} + {{- with .Values.admissionController.container.resources }} + resources: {{ tpl (toYaml .) $ | nindent 12 }} + {{- end }} + {{- with .Values.admissionController.container.securityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} + ports: + - containerPort: 9443 + name: https + protocol: TCP + - containerPort: 8000 + name: metrics-port + protocol: TCP + env: + - name: INIT_CONFIG + value: {{ template "kyverno.config.configMapName" . }} + - name: METRICS_CONFIG + value: {{ template "kyverno.config.metricsConfigMapName" . }} + - name: KYVERNO_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: KYVERNO_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KYVERNO_SERVICEACCOUNT_NAME + value: {{ template "kyverno.admission-controller.serviceAccountName" . }} + - name: KYVERNO_SVC + value: {{ template "kyverno.admission-controller.serviceName" . }} + - name: TUF_ROOT + value: {{ .Values.admissionController.tufRootMountPath }} + {{- with .Values.admissionController.container.extraEnvVars }} + {{- toYaml . | nindent 10 }} + {{- end }} + - name: KYVERNO_DEPLOYMENT + value: {{ template "kyverno.admission-controller.name" . 
}} + {{- with .Values.admissionController.startupProbe }} + startupProbe: + {{- tpl (toYaml .) $ | nindent 12 }} + {{- end }} + {{- with .Values.admissionController.livenessProbe }} + livenessProbe: + {{- tpl (toYaml .) $ | nindent 12 }} + {{- end }} + {{- with .Values.admissionController.readinessProbe }} + readinessProbe: + {{- tpl (toYaml .) $ | nindent 12 }} + {{- end }} + volumeMounts: + - mountPath: {{ .Values.admissionController.tufRootMountPath }} + name: sigstore + volumes: + - name: sigstore + {{- toYaml (required "A valid .Values.admissionController.sigstoreVolume entry is required" .Values.admissionController.sigstoreVolume) | nindent 8 }} +{{- end -}} diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/admission-controller/networkpolicy.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/admission-controller/networkpolicy.yaml new file mode 100644 index 000000000..67219e19f --- /dev/null +++ b/scripts/helmcharts/toolings/charts/kyverno/templates/admission-controller/networkpolicy.yaml @@ -0,0 +1,31 @@ +{{- if .Values.admissionController.networkPolicy.enabled -}} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ template "kyverno.admission-controller.name" . }} + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.admission-controller.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + {{- include "kyverno.admission-controller.matchLabels" . | nindent 6 }} + policyTypes: + - Ingress + {{- if .Values.admissionController.networkPolicy.ingressFrom }} + ingress: + - from: + {{- toYaml .Values.admissionController.networkPolicy.ingressFrom | nindent 8 }} + ports: + - protocol: TCP + port: 9443 # webhook access + # Allow prometheus scrapes for metrics + {{- if .Values.admissionController.metricsService.create }} + - protocol: TCP + port: {{ .Values.admissionController.metricsService.port }} + {{- end }} + {{- else }} + ingress: + - {} + {{- end }} +{{- end -}} 
diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/admission-controller/poddisruptionbudget.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/admission-controller/poddisruptionbudget.yaml new file mode 100644 index 000000000..c9ef079da --- /dev/null +++ b/scripts/helmcharts/toolings/charts/kyverno/templates/admission-controller/poddisruptionbudget.yaml @@ -0,0 +1,14 @@ +{{- if (gt (int .Values.admissionController.replicas) 1) -}} +apiVersion: {{ template "kyverno.pdb.apiVersion" . }} +kind: PodDisruptionBudget +metadata: + name: {{ template "kyverno.admission-controller.name" . }} + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.admission-controller.labels" . | nindent 4 }} +spec: + {{- include "kyverno.pdb.spec" .Values.admissionController.podDisruptionBudget | nindent 2 }} + selector: + matchLabels: + {{- include "kyverno.admission-controller.matchLabels" . | nindent 6 }} +{{- end -}} diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/admission-controller/role.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/admission-controller/role.yaml new file mode 100644 index 000000000..5a0693d63 --- /dev/null +++ b/scripts/helmcharts/toolings/charts/kyverno/templates/admission-controller/role.yaml 
@@ -0,0 +1,57 @@ +{{- if .Values.admissionController.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "kyverno.admission-controller.roleName" . }} + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.admission-controller.labels" . | nindent 4 }} +rules: + - apiGroups: + - '' + resources: + - secrets + verbs: + - get + - list + - watch + - create + - update + - apiGroups: + - '' + resources: + - configmaps + verbs: + - get + - list + - watch + resourceNames: + - {{ include "kyverno.config.configMapName" . }} + - {{ include "kyverno.config.metricsConfigMapName" . }} + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - delete + - get + - patch + - update + # Allow update of Kyverno deployment annotations + - apiGroups: + - apps + resources: + - deployments + {{- if .Values.webhooksCleanup.enabled }} + - deployments/scale + {{- end }} + verbs: + - get + - list + - watch + {{- if .Values.webhooksCleanup.enabled }} + - patch + - update + {{- end }} +{{- end -}} diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/admission-controller/rolebinding.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/admission-controller/rolebinding.yaml new file mode 100644 index 000000000..b2045b17b --- /dev/null +++ b/scripts/helmcharts/toolings/charts/kyverno/templates/admission-controller/rolebinding.yaml 
@@ -0,0 +1,17 @@ +{{- if .Values.admissionController.rbac.create -}} +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "kyverno.admission-controller.roleName" . }} + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.admission-controller.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "kyverno.admission-controller.roleName" . }} +subjects: + - kind: ServiceAccount + name: {{ template "kyverno.admission-controller.serviceAccountName" . }} + namespace: {{ template "kyverno.namespace" . }} +{{- end -}} diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/secret.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/admission-controller/secret.yaml similarity index 51% rename from scripts/helmcharts/toolings/charts/kyverno/templates/secret.yaml rename to scripts/helmcharts/toolings/charts/kyverno/templates/admission-controller/secret.yaml index 4a6cc475f..1c6b7182a 100644 --- a/scripts/helmcharts/toolings/charts/kyverno/templates/secret.yaml +++ b/scripts/helmcharts/toolings/charts/kyverno/templates/admission-controller/secret.yaml 
@@ -1,14 +1,14 @@ -{{- if .Values.createSelfSignedCert }} +{{- if .Values.admissionController.createSelfSignedCert -}} {{- $ca := genCA (printf "*.%s.svc" (include "kyverno.namespace" .)) 1024 -}} -{{- $svcName := (printf "%s.%s.svc" (include "kyverno.serviceName" .) (include "kyverno.namespace" .)) -}} +{{- $svcName := (printf "%s.%s.svc" (include "kyverno.admission-controller.serviceName" .) (include "kyverno.namespace" .)) -}} {{- $cert := genSignedCert $svcName nil (list $svcName) 1024 $ca -}} apiVersion: v1 kind: Secret metadata: - name: {{ template "kyverno.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-ca + name: {{ template "kyverno.admission-controller.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-ca namespace: {{ template "kyverno.namespace" . }} labels: - {{- include "kyverno.labels" . | nindent 4 }} + {{- include "kyverno.admission-controller.labels" . | nindent 4 }} type: kubernetes.io/tls data: tls.key: {{ $ca.Key | b64enc }} @@ -17,10 +17,10 @@ data: apiVersion: v1 kind: Secret metadata: - name: {{ template "kyverno.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-pair + name: {{ template "kyverno.admission-controller.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-pair namespace: {{ template "kyverno.namespace" . }} labels: - {{- include "kyverno.labels" . | nindent 4 }} + {{- include "kyverno.admission-controller.labels" . | nindent 4 }} annotations: self-signed-cert: "true" type: kubernetes.io/tls diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/admission-controller/service.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/admission-controller/service.yaml new file mode 100644 index 000000000..8e900205f --- /dev/null +++ b/scripts/helmcharts/toolings/charts/kyverno/templates/admission-controller/service.yaml 
@@ -0,0 +1,47 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ template "kyverno.admission-controller.serviceName" . }} + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.admission-controller.labels" . | nindent 4 }} + {{- with .Values.admissionController.service.annotations }} + annotations: {{ tpl (toYaml .) $ | nindent 4 }} + {{- end }} +spec: + ports: + - port: {{ .Values.admissionController.service.port }} + targetPort: https + protocol: TCP + name: https + {{- if and (eq .Values.admissionController.service.type "NodePort") (not (empty .Values.admissionController.service.nodePort)) }} + nodePort: {{ .Values.admissionController.service.nodePort }} + {{- end }} + selector: + {{- include "kyverno.admission-controller.matchLabels" . | nindent 4 }} + type: {{ .Values.admissionController.service.type }} +--- +{{- if .Values.admissionController.metricsService.create }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "kyverno.admission-controller.serviceName" . }}-metrics + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.admission-controller.labels" . | nindent 4 }} + {{- with .Values.admissionController.metricsService.annotations }} + annotations: {{ tpl (toYaml .) $ | nindent 4 }} + {{- end }} +spec: + ports: + - port: {{ .Values.admissionController.metricsService.port }} + targetPort: 8000 + protocol: TCP + name: metrics-port + {{- if and (eq .Values.admissionController.metricsService.type "NodePort") (not (empty .Values.admissionController.metricsService.nodePort)) }} + nodePort: {{ .Values.admissionController.metricsService.nodePort }} + {{- end }} + selector: + {{- include "kyverno.admission-controller.matchLabels" . | nindent 4 }} + type: {{ .Values.admissionController.metricsService.type }} +{{- end -}} 
diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/admission-controller/serviceaccount.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/admission-controller/serviceaccount.yaml new file mode 100644 index 000000000..e78f6bff4 --- /dev/null +++ b/scripts/helmcharts/toolings/charts/kyverno/templates/admission-controller/serviceaccount.yaml @@ -0,0 +1,13 @@ +{{- if .Values.admissionController.rbac.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "kyverno.admission-controller.serviceAccountName" . }} + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.admission-controller.labels" . | nindent 4 }} + {{- with .Values.admissionController.rbac.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/admission-controller/servicemonitor.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/admission-controller/servicemonitor.yaml new file mode 100644 index 000000000..f695d756b --- /dev/null +++ b/scripts/helmcharts/toolings/charts/kyverno/templates/admission-controller/servicemonitor.yaml 
@@ -0,0 +1,32 @@ +{{- if .Values.admissionController.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ template "kyverno.admission-controller.name" . }} + {{- if .Values.admissionController.serviceMonitor.namespace }} + namespace: {{ .Values.admissionController.serviceMonitor.namespace }} + {{- else }} + namespace: {{ template "kyverno.namespace" . }} + {{- end }} + labels: + {{- include "kyverno.admission-controller.labels" . | nindent 4 }} + {{- with .Values.admissionController.serviceMonitor.additionalLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + selector: + matchLabels: + {{- include "kyverno.admission-controller.matchLabels" . | nindent 6 }} + namespaceSelector: + matchNames: + - {{ template "kyverno.namespace" . }} + endpoints: + - port: metrics-port + interval: {{ .Values.admissionController.serviceMonitor.interval }} + scrapeTimeout: {{ .Values.admissionController.serviceMonitor.scrapeTimeout }} + {{- if .Values.admissionController.serviceMonitor.secure }} + scheme: https + tlsConfig: + {{- toYaml .Values.admissionController.serviceMonitor.tlsConfig | nindent 8 }} + {{- end }} +{{- end -}} diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/aggregateroles.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/aggregateroles.yaml deleted file mode 100644 index 99896fe4a..000000000 --- a/scripts/helmcharts/toolings/charts/kyverno/templates/aggregateroles.yaml +++ /dev/null 
@@ -1,111 +0,0 @@ -{{- if .Values.rbac.create }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ template "kyverno.fullname" . }}:admin-policies - labels: - rbac.authorization.k8s.io/aggregate-to-admin: "true" - {{- include "kyverno.labels" . | nindent 4 }} -rules: -- apiGroups: - - kyverno.io - resources: - - policies - - clusterpolicies - verbs: - - create - - delete - - get - - list - - patch - - update - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ template "kyverno.fullname" . }}:admin-policyreport - labels: - rbac.authorization.k8s.io/aggregate-to-admin: "true" - {{- include "kyverno.labels" . | nindent 4 }} -rules: - - apiGroups: - - wgpolicyk8s.io - resources: - - policyreports - - clusterpolicyreports - verbs: - - create - - delete - - get - - list - - patch - - update - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ template "kyverno.fullname" . }}:admin-reports - labels: - rbac.authorization.k8s.io/aggregate-to-admin: "true" - {{- include "kyverno.labels" . | nindent 4 }} -rules: -- apiGroups: - - kyverno.io - resources: - - admissionreports - - clusteradmissionreports - - backgroundscanreports - - clusterbackgroundscanreports - verbs: - - create - - delete - - get - - list - - patch - - update - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ template "kyverno.fullname" . }}:admin-generaterequest - labels: - rbac.authorization.k8s.io/aggregate-to-admin: "true" - {{- include "kyverno.labels" . | nindent 4 }} -rules: -- apiGroups: - - kyverno.io - resources: - - generaterequests - verbs: - - create - - delete - - get - - list - - patch - - update - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ template "kyverno.fullname" . 
}}:admin-updaterequest - labels: - rbac.authorization.k8s.io/aggregate-to-admin: "true" - {{- include "kyverno.labels" . | nindent 4 }} -rules: -- apiGroups: - - kyverno.io - resources: - - updaterequests - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -{{- end }} diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/background-controller/_helpers.tpl b/scripts/helmcharts/toolings/charts/kyverno/templates/background-controller/_helpers.tpl new file mode 100644 index 000000000..fe34496c6 --- /dev/null +++ b/scripts/helmcharts/toolings/charts/kyverno/templates/background-controller/_helpers.tpl 
@@ -0,0 +1,39 @@ +{{/* vim: set filetype=mustache: */}} + +{{- define "kyverno.background-controller.name" -}} +{{ template "kyverno.name" . }}-background-controller +{{- end -}} + +{{- define "kyverno.background-controller.labels" -}} +{{- template "kyverno.labels.merge" (list + (include "kyverno.labels.common" .) + (include "kyverno.background-controller.matchLabels" .) +) -}} +{{- end -}} + +{{- define "kyverno.background-controller.matchLabels" -}} +{{- template "kyverno.labels.merge" (list + (include "kyverno.matchLabels.common" .) + (include "kyverno.labels.component" "background-controller") +) -}} +{{- end -}} + +{{- define "kyverno.background-controller.image" -}} +{{- if .image.registry -}} + {{ .image.registry }}/{{ required "An image repository is required" .image.repository }}:{{ default .defaultTag .image.tag }} +{{- else -}} + {{ required "An image repository is required" .image.repository }}:{{ default .defaultTag .image.tag }} +{{- end -}} +{{- end -}} + +{{- define "kyverno.background-controller.roleName" -}} +{{ include "kyverno.fullname" . }}:background-controller +{{- end -}} + +{{- define "kyverno.background-controller.serviceAccountName" -}} +{{- if .Values.backgroundController.rbac.create -}} + {{ default (include "kyverno.background-controller.name" .) .Values.backgroundController.rbac.serviceAccount.name }} +{{- else -}} + {{ required "A service account name is required when `rbac.create` is set to `false`" .Values.backgroundController.rbac.serviceAccount.name }} +{{- end -}} +{{- end -}} diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/background-controller/clusterrole.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/background-controller/clusterrole.yaml new file mode 100644 index 000000000..cfe9451d3 --- /dev/null +++ b/scripts/helmcharts/toolings/charts/kyverno/templates/background-controller/clusterrole.yaml 
@@ -0,0 +1,109 @@ +{{- if .Values.backgroundController.enabled -}} +{{- if .Values.backgroundController.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "kyverno.background-controller.roleName" . }} + labels: + {{- include "kyverno.background-controller.labels" . | nindent 4 }} +aggregationRule: + clusterRoleSelectors: + - matchLabels: + {{- include "kyverno.background-controller.matchLabels" . | nindent 8 }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "kyverno.background-controller.roleName" . }}:core + labels: + {{- include "kyverno.background-controller.labels" . | nindent 4 }} +rules: + - apiGroups: + - '*' + resources: + - '*' + verbs: + - get + - list + - watch + - apiGroups: + - kyverno.io + resources: + - updaterequests + - updaterequests/status + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection + - apiGroups: + - '' + - events.k8s.io + resources: + - events + verbs: + - create + - update + - patch + - apiGroups: + - networking.k8s.io + resources: + - ingresses + - ingressclasses + - networkpolicies + verbs: + - create + - update + - patch + - delete + - apiGroups: + - "" + resources: + - configmaps + - secrets + - resourcequotas + - limitranges + verbs: + - create + - update + - patch + - delete + - apiGroups: + - rbac.authorization.k8s.io + resources: + - rolebindings + - roles + verbs: + - create + - update + - patch + - delete +{{- with .Values.backgroundController.rbac.clusterRole.extraResources }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "kyverno.background-controller.roleName" $ }}:additional + labels: + {{- include "kyverno.background-controller.labels" $ | nindent 4 }} +rules: + {{- range . 
}} + - apiGroups: + {{- toYaml .apiGroups | nindent 6 }} + resources: + {{- toYaml .resources | nindent 6 }} + verbs: + - create + - update + - patch + - delete + - get + - list + {{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/background-controller/clusterrolebinding.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/background-controller/clusterrolebinding.yaml new file mode 100644 index 000000000..7dcbfffe6 --- /dev/null +++ b/scripts/helmcharts/toolings/charts/kyverno/templates/background-controller/clusterrolebinding.yaml @@ -0,0 +1,18 @@ +{{- if .Values.backgroundController.enabled -}} +{{- if .Values.backgroundController.rbac.create -}} +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "kyverno.background-controller.roleName" . }} + labels: + {{- include "kyverno.background-controller.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "kyverno.background-controller.roleName" . }} +subjects: +- kind: ServiceAccount + name: {{ template "kyverno.background-controller.serviceAccountName" . }} + namespace: {{ template "kyverno.namespace" . }} +{{- end -}} +{{- end -}} diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/background-controller/deployment.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/background-controller/deployment.yaml new file mode 100644 index 000000000..4061a90d6 --- /dev/null +++ b/scripts/helmcharts/toolings/charts/kyverno/templates/background-controller/deployment.yaml 
@@ -0,0 +1,142 @@ +{{- if .Values.backgroundController.enabled -}} +{{- if not .Values.templating.debug -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "kyverno.background-controller.name" . }} + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.background-controller.labels" . | nindent 4 }} +spec: + replicas: {{ template "kyverno.deployment.replicas" .Values.backgroundController.replicas }} + {{- with .Values.backgroundController.updateStrategy }} + strategy: + {{- toYaml . | nindent 4 }} + {{- end }} + selector: + matchLabels: + {{- include "kyverno.background-controller.matchLabels" . | nindent 6 }} + template: + metadata: + labels: + {{- include "kyverno.background-controller.labels" . | nindent 8 }} + {{- with .Values.backgroundController.podLabels }} + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.backgroundController.podAnnotations }} + annotations: {{ tpl (toYaml .) $ | nindent 8 }} + {{- end }} + spec: + {{- with .Values.backgroundController.imagePullSecrets }} + imagePullSecrets: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.backgroundController.podSecurityContext }} + securityContext: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.backgroundController.nodeSelector }} + nodeSelector: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.backgroundController.tolerations }} + tolerations: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.backgroundController.topologySpreadConstraints }} + topologySpreadConstraints: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.backgroundController.priorityClassName }} + priorityClassName: {{ . | quote }} + {{- end }} + {{- with .Values.backgroundController.hostNetwork }} + hostNetwork: {{ . }} + {{- end }} + {{- with .Values.backgroundController.dnsPolicy }} + dnsPolicy: {{ . 
}} + {{- end }} + {{- if or .Values.backgroundController.antiAffinity.enabled .Values.backgroundController.podAffinity .Values.backgroundController.nodeAffinity }} + affinity: + {{- if .Values.backgroundController.antiAffinity.enabled }} + {{- with .Values.backgroundController.podAntiAffinity }} + podAntiAffinity: + {{- tpl (toYaml .) $ | nindent 10 }} + {{- end }} + {{- end }} + {{- with .Values.backgroundController.podAffinity }} + podAffinity: + {{- tpl (toYaml .) $ | nindent 10 }} + {{- end }} + {{- with .Values.backgroundController.nodeAffinity }} + nodeAffinity: + {{- tpl (toYaml .) $ | nindent 10 }} + {{- end }} + {{- end }} + serviceAccountName: {{ template "kyverno.background-controller.serviceAccountName" . }} + containers: + - name: controller + image: {{ include "kyverno.background-controller.image" (dict "image" .Values.backgroundController.image "defaultTag" .Chart.AppVersion) | quote }} + ports: + - containerPort: 9443 + name: https + protocol: TCP + - containerPort: 8000 + name: metrics + protocol: TCP + args: + {{- if .Values.backgroundController.tracing.enabled }} + - --enableTracing + - --tracingAddress={{ .Values.backgroundController.tracing.address }} + - --tracingPort={{ .Values.backgroundController.tracing.port }} + {{- with .Values.backgroundController.tracing.creds }} + - --tracingCreds={{ . }} + {{- end }} + {{- end }} + - --disableMetrics={{ .Values.backgroundController.metering.disabled }} + {{- if not .Values.backgroundController.metering.disabled }} + - --otelConfig={{ .Values.backgroundController.metering.config }} + - --metricsPort={{ .Values.backgroundController.metering.port }} + {{- with .Values.backgroundController.metering.collector }} + - --otelCollector={{ . }} + {{- end }} + {{- with .Values.backgroundController.metering.creds }} + - --transportCreds={{ . 
}} + {{- end }} + {{- end }} + {{- if or .Values.imagePullSecrets .Values.existingImagePullSecrets }} + - --imagePullSecrets={{- join "," (concat (keys .Values.imagePullSecrets) .Values.existingImagePullSecrets) }} + {{- end }} + {{- include "kyverno.features.flags" (pick (mergeOverwrite .Values.features .Values.backgroundController.featuresOverride) + "configMapCaching" + "logging" + "omitEvents" + "policyExceptions" + ) | nindent 12 }} + {{- range $key, $value := .Values.backgroundController.extraArgs }} + {{- if $value }} + - --{{ $key }}={{ $value }} + {{- end }} + {{- end }} + env: + - name: INIT_CONFIG + value: {{ template "kyverno.config.configMapName" . }} + - name: METRICS_CONFIG + value: {{ template "kyverno.config.metricsConfigMapName" . }} + - name: KYVERNO_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KYVERNO_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + {{- with .Values.backgroundController.resources }} + resources: {{ tpl (toYaml .) $ | nindent 12 }} + {{- end }} + {{- with .Values.backgroundController.securityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} +{{- end -}} +{{- end -}} diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/background-controller/networkpolicy.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/background-controller/networkpolicy.yaml new file mode 100644 index 000000000..660bbfd49 --- /dev/null +++ b/scripts/helmcharts/toolings/charts/kyverno/templates/background-controller/networkpolicy.yaml 
@@ -0,0 +1,30 @@ +{{- if .Values.backgroundController.enabled -}} +{{- if .Values.backgroundController.networkPolicy.enabled -}} +{{- if .Values.backgroundController.metricsService.create -}} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ template "kyverno.background-controller.name" . }} + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.background-controller.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + {{- include "kyverno.background-controller.matchLabels" . | nindent 6 }} + policyTypes: + - Ingress + {{- if .Values.backgroundController.networkPolicy.ingressFrom }} + ingress: + - from: + {{- toYaml .Values.backgroundController.networkPolicy.ingressFrom | nindent 8 }} + ports: + - protocol: TCP + port: {{ .Values.backgroundController.metricsService.port }} + {{- else }} + ingress: + - {} + {{- end }} +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/background-controller/poddisruptionbudget.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/background-controller/poddisruptionbudget.yaml new file mode 100644 index 000000000..7808aed3f --- /dev/null +++ b/scripts/helmcharts/toolings/charts/kyverno/templates/background-controller/poddisruptionbudget.yaml @@ -0,0 +1,16 @@ +{{- if .Values.backgroundController.enabled -}} +{{- if (gt (int .Values.backgroundController.replicas) 1) -}} +apiVersion: {{ template "kyverno.pdb.apiVersion" . }} +kind: PodDisruptionBudget +metadata: + name: {{ template "kyverno.background-controller.name" . }} + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.background-controller.labels" . | nindent 4 }} +spec: + {{- include "kyverno.pdb.spec" .Values.backgroundController.podDisruptionBudget | nindent 2 }} + selector: + matchLabels: + {{- include "kyverno.background-controller.matchLabels" . | nindent 6 }} +{{- end -}} +{{- end -}} 
diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/background-controller/role.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/background-controller/role.yaml new file mode 100644 index 000000000..9f8a88716 --- /dev/null +++ b/scripts/helmcharts/toolings/charts/kyverno/templates/background-controller/role.yaml @@ -0,0 +1,33 @@ +{{- if .Values.backgroundController.enabled -}} +{{- if .Values.backgroundController.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "kyverno.background-controller.roleName" . }} + labels: + {{- include "kyverno.background-controller.labels" . | nindent 4 }} + namespace: {{ template "kyverno.namespace" . }} +rules: + - apiGroups: + - '' + resources: + - configmaps + verbs: + - get + - list + - watch + resourceNames: + - {{ include "kyverno.config.configMapName" . }} + - {{ include "kyverno.config.metricsConfigMapName" . }} + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - delete + - get + - patch + - update +{{- end -}} +{{- end -}} diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/background-controller/rolebinding.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/background-controller/rolebinding.yaml new file mode 100644 index 000000000..1eef40c70 --- /dev/null +++ b/scripts/helmcharts/toolings/charts/kyverno/templates/background-controller/rolebinding.yaml 
@@ -0,0 +1,19 @@ +{{- if .Values.backgroundController.enabled -}} +{{- if .Values.backgroundController.rbac.create -}} +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "kyverno.background-controller.roleName" . }} + labels: + {{- include "kyverno.background-controller.labels" . | nindent 4 }} + namespace: {{ template "kyverno.namespace" . }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "kyverno.background-controller.roleName" . }} +subjects: + - kind: ServiceAccount + name: {{ template "kyverno.background-controller.serviceAccountName" . }} + namespace: {{ template "kyverno.namespace" . }} +{{- end -}} +{{- end -}} diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/background-controller/service.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/background-controller/service.yaml new file mode 100644 index 000000000..ad84fdfd3 --- /dev/null +++ b/scripts/helmcharts/toolings/charts/kyverno/templates/background-controller/service.yaml 
@@ -0,0 +1,27 @@ +{{- if .Values.backgroundController.enabled -}} +{{- if .Values.backgroundController.metricsService.create -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "kyverno.background-controller.name" . }}-metrics + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.background-controller.labels" . | nindent 4 }} + {{- with .Values.backgroundController.metricsService.annotations }} + annotations: + {{- tpl (toYaml .) $ | nindent 4 }} + {{- end }} +spec: + ports: + - port: {{ .Values.backgroundController.metricsService.port }} + targetPort: 8000 + protocol: TCP + name: metrics-port + {{- if and (eq .Values.backgroundController.metricsService.type "NodePort") (not (empty .Values.backgroundController.metricsService.nodePort)) }} + nodePort: {{ .Values.backgroundController.metricsService.nodePort }} + {{- end }} + selector: + {{- include "kyverno.background-controller.matchLabels" . | nindent 4 }} + type: {{ .Values.backgroundController.metricsService.type }} +{{- end -}} +{{- end -}} diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/background-controller/serviceaccount.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/background-controller/serviceaccount.yaml new file mode 100644 index 000000000..b291b7e9a --- /dev/null +++ b/scripts/helmcharts/toolings/charts/kyverno/templates/background-controller/serviceaccount.yaml @@ -0,0 +1,15 @@ +{{- if .Values.backgroundController.enabled -}} +{{- if .Values.backgroundController.rbac.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "kyverno.background-controller.serviceAccountName" . }} + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.background-controller.labels" . | nindent 4 }} + {{- with .Values.backgroundController.rbac.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end -}} +{{- end -}} 
diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/background-controller/servicemonitor.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/background-controller/servicemonitor.yaml new file mode 100644 index 000000000..e8f05bad1 --- /dev/null +++ b/scripts/helmcharts/toolings/charts/kyverno/templates/background-controller/servicemonitor.yaml @@ -0,0 +1,34 @@ +{{- if .Values.backgroundController.enabled -}} +{{- if .Values.backgroundController.serviceMonitor.enabled -}} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ template "kyverno.background-controller.name" . }} + {{- if .Values.backgroundController.serviceMonitor.namespace }} + namespace: {{ .Values.backgroundController.serviceMonitor.namespace }} + {{- else }} + namespace: {{ template "kyverno.namespace" . }} + {{- end }} + labels: + {{- include "kyverno.background-controller.labels" . | nindent 4 }} + {{- with .Values.backgroundController.serviceMonitor.additionalLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + selector: + matchLabels: + {{- include "kyverno.background-controller.matchLabels" . | nindent 6 }} + namespaceSelector: + matchNames: + - {{ template "kyverno.namespace" . }} + endpoints: + - port: metrics-port + interval: {{ .Values.backgroundController.serviceMonitor.interval }} + scrapeTimeout: {{ .Values.backgroundController.serviceMonitor.scrapeTimeout }} + {{- if .Values.backgroundController.serviceMonitor.secure }} + scheme: https + tlsConfig: + {{- toYaml .Values.backgroundController.serviceMonitor.tlsConfig | nindent 8 }} + {{- end }} +{{- end -}} +{{- end -}} diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/cleanup-controller/_helpers.tpl b/scripts/helmcharts/toolings/charts/kyverno/templates/cleanup-controller/_helpers.tpl index 4bad77b03..c97ccdd31 100644 --- a/scripts/helmcharts/toolings/charts/kyverno/templates/cleanup-controller/_helpers.tpl 
+++ b/scripts/helmcharts/toolings/charts/kyverno/templates/cleanup-controller/_helpers.tpl @@ -5,22 +5,17 @@ {{- end -}} {{- define "kyverno.cleanup-controller.labels" -}} -app.kubernetes.io/part-of: {{ template "kyverno.name" . }} -{{- with (include "kyverno.helmLabels" .) }} -{{ . }} -{{- end }} -{{- with (include "kyverno.versionLabels" .) }} -{{ . }} -{{- end }} -{{- with (include "kyverno.cleanup-controller.matchLabels" .) }} -{{ . }} -{{- end }} +{{- template "kyverno.labels.merge" (list + (include "kyverno.labels.common" .) + (include "kyverno.cleanup-controller.matchLabels" .) +) -}} {{- end -}} {{- define "kyverno.cleanup-controller.matchLabels" -}} -app.kubernetes.io/component: cleanup-controller -app.kubernetes.io/name: {{ template "kyverno.cleanup-controller.name" . }} -app.kubernetes.io/instance: {{ .Release.Name }} +{{- template "kyverno.labels.merge" (list + (include "kyverno.matchLabels.common" .) + (include "kyverno.labels.component" "cleanup-controller") +) -}} {{- end -}} {{- define "kyverno.cleanup-controller.image" -}} @@ -32,10 +27,9 @@ app.kubernetes.io/instance: {{ .Release.Name }} {{- end -}} {{- define "kyverno.cleanup-controller.roleName" -}} -{{ .Release.Name }}:cleanup-controller +{{ include "kyverno.fullname" . }}:cleanup-controller {{- end -}} -{{/* Create the name of the service account to use */}} {{- define "kyverno.cleanup-controller.serviceAccountName" -}} {{- if .Values.cleanupController.rbac.create -}} {{ default (include "kyverno.cleanup-controller.name" .) .Values.cleanupController.rbac.serviceAccount.name }} 
@@ -43,25 +37,3 @@ app.kubernetes.io/instance: {{ .Release.Name }} {{ required "A service account name is required when `rbac.create` is set to `false`" .Values.cleanupController.rbac.serviceAccount.name }} {{- end -}} {{- end -}} - -{{- define "kyverno.cleanup-controller.securityContext" -}} -{{- if semverCompare "<1.19" .Capabilities.KubeVersion.Version }} -{{ toYaml (omit .Values.cleanupController.securityContext "seccompProfile") }} -{{- else }} -{{ toYaml .Values.cleanupController.securityContext }} -{{- end }} -{{- end }} - -{{/* Create the default PodDisruptionBudget to use */}} -{{- define "kyverno.cleanup-controller.podDisruptionBudget.spec" -}} -{{- if and .Values.cleanupController.podDisruptionBudget.minAvailable .Values.cleanupController.podDisruptionBudget.maxUnavailable }} -{{- fail "Cannot set both .Values.cleanupController.podDisruptionBudget.minAvailable and .Values.cleanupController.podDisruptionBudget.maxUnavailable" -}} -{{- end }} -{{- if not .Values.cleanupController.podDisruptionBudget.maxUnavailable }} -minAvailable: {{ default 1 .Values.cleanupController.podDisruptionBudget.minAvailable }} -{{- end }} -{{- if .Values.cleanupController.podDisruptionBudget.maxUnavailable }} -maxUnavailable: {{ .Values.cleanupController.podDisruptionBudget.maxUnavailable }} -{{- end }} -{{- end }} - diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/cleanup-controller/clusterrole.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/cleanup-controller/clusterrole.yaml index 115a69012..d980e3d39 100644 --- a/scripts/helmcharts/toolings/charts/kyverno/templates/cleanup-controller/clusterrole.yaml +++ b/scripts/helmcharts/toolings/charts/kyverno/templates/cleanup-controller/clusterrole.yaml 
@@ -65,12 +65,20 @@ rules: - update - watch - apiGroups: - - "" + - '' + - events.k8s.io resources: - events verbs: - create - patch + - update + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create {{- with .Values.cleanupController.rbac.clusterRole.extraResources }} --- apiVersion: rbac.authorization.k8s.io/v1 diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/cleanup-controller/deployment.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/cleanup-controller/deployment.yaml index fb0d2bea4..2d0b13495 100644 --- a/scripts/helmcharts/toolings/charts/kyverno/templates/cleanup-controller/deployment.yaml +++ b/scripts/helmcharts/toolings/charts/kyverno/templates/cleanup-controller/deployment.yaml @@ -4,13 +4,11 @@ apiVersion: apps/v1 kind: Deployment metadata: name: {{ template "kyverno.cleanup-controller.name" . }} + namespace: {{ template "kyverno.namespace" . }} labels: {{- include "kyverno.cleanup-controller.labels" . | nindent 4 }} - namespace: {{ template "kyverno.namespace" . }} spec: - {{- with .Values.cleanupController.replicas }} - replicas: {{ . }} - {{- end }} + replicas: {{ template "kyverno.deployment.replicas" .Values.cleanupController.replicas }} {{- with .Values.cleanupController.updateStrategy }} strategy: {{- toYaml . | nindent 4 }} @@ -22,8 +20,14 @@ spec: metadata: labels: {{- include "kyverno.cleanup-controller.labels" . | nindent 8 }} + {{- with .Values.cleanupController.podLabels }} + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.cleanupController.podAnnotations }} + annotations: {{ tpl (toYaml .) $ | nindent 8 }} + {{- end }} spec: - {{- with .Values.cleanupController.image.pullSecrets }} + {{- with .Values.cleanupController.imagePullSecrets }} imagePullSecrets: {{- tpl (toYaml .) $ | nindent 8 }} {{- end }} 
@@ -81,7 +85,7 @@ spec: name: metrics protocol: TCP args: - - --loggingFormat={{ .Values.cleanupController.logging.format }} + - --servicePort={{ .Values.cleanupController.service.port }} {{- if .Values.cleanupController.tracing.enabled }} - --enableTracing - --tracingAddress={{ .Values.cleanupController.tracing.address }} @@ -101,16 +105,26 @@ spec: - --transportCreds={{ . }} {{- end }} {{- end }} - {{- range .Values.cleanupController.extraArgs }} - - {{ . }} + {{- include "kyverno.features.flags" (pick (mergeOverwrite .Values.features .Values.cleanupController.featuresOverride) + "dumpPayload" + "logging" + ) | nindent 12 }} + {{- range $key, $value := .Values.cleanupController.extraArgs }} + {{- if $value }} + - --{{ $key }}={{ $value }} + {{- end }} {{- end }} env: + - name: INIT_CONFIG + value: {{ template "kyverno.config.configMapName" . }} - name: METRICS_CONFIG - value: {{ template "kyverno.metricsConfigMapName" . }} + value: {{ template "kyverno.config.metricsConfigMapName" . }} - name: KYVERNO_POD_NAME valueFrom: fieldRef: fieldPath: metadata.name + - name: KYVERNO_SERVICEACCOUNT_NAME + value: {{ template "kyverno.cleanup-controller.serviceAccountName" . }} - name: KYVERNO_NAMESPACE valueFrom: fieldRef: @@ -120,8 +134,9 @@ spec: {{- with .Values.cleanupController.resources }} resources: {{ tpl (toYaml .) $ | nindent 12 }} {{- end }} - {{- if .Values.cleanupController.securityContext }} - securityContext: {{ include "kyverno.cleanup-controller.securityContext" . | nindent 12 }} + {{- with .Values.cleanupController.securityContext }} + securityContext: + {{- toYaml . | nindent 12 }} {{- end }} {{- with .Values.cleanupController.startupProbe }} startupProbe: diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/cleanup-controller/networkpolicy.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/cleanup-controller/networkpolicy.yaml new file mode 100644 index 000000000..e9e8da352 --- /dev/null 
+++ b/scripts/helmcharts/toolings/charts/kyverno/templates/cleanup-controller/networkpolicy.yaml @@ -0,0 +1,33 @@ +{{- if .Values.cleanupController.enabled -}} +{{- if .Values.cleanupController.networkPolicy.enabled -}} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ template "kyverno.cleanup-controller.name" . }} + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.cleanup-controller.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + {{- include "kyverno.cleanup-controller.matchLabels" . | nindent 6 }} + policyTypes: + - Ingress + {{- if .Values.cleanupController.networkPolicy.ingressFrom }} + ingress: + - from: + {{- toYaml .Values.cleanupController.networkPolicy.ingressFrom | nindent 8 }} + ports: + - protocol: TCP + port: 9443 # webhook access + # Allow prometheus scrapes for metrics + {{- if .Values.cleanupController.metricsService.create }} + - protocol: TCP + port: {{ .Values.cleanupController.metricsService.port }} + {{- end }} + {{- else }} + ingress: + - {} + {{- end }} +{{- end -}} +{{- end -}} diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/cleanup-controller/poddisruptionbudget.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/cleanup-controller/poddisruptionbudget.yaml index 30b942c4e..4cf02be13 100644 --- a/scripts/helmcharts/toolings/charts/kyverno/templates/cleanup-controller/poddisruptionbudget.yaml +++ b/scripts/helmcharts/toolings/charts/kyverno/templates/cleanup-controller/poddisruptionbudget.yaml 
@@ -1,18 +1,14 @@ {{- if .Values.cleanupController.enabled -}} {{- if (gt (int .Values.cleanupController.replicas) 1) -}} -{{- if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" -}} -apiVersion: policy/v1 -{{- else -}} -apiVersion: policy/v1beta1 -{{- end }} +apiVersion: {{ template "kyverno.pdb.apiVersion" . }} kind: PodDisruptionBudget metadata: name: {{ template "kyverno.cleanup-controller.name" . }} + namespace: {{ template "kyverno.namespace" . }} labels: {{- include "kyverno.cleanup-controller.labels" . | nindent 4 }} - namespace: {{ template "kyverno.namespace" . }} spec: - {{- include "kyverno.cleanup-controller.podDisruptionBudget.spec" . | indent 2 }} + {{- include "kyverno.pdb.spec" .Values.cleanupController.podDisruptionBudget | nindent 2 }} selector: matchLabels: {{- include "kyverno.cleanup-controller.matchLabels" . | nindent 6 }} diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/cleanup-controller/role.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/cleanup-controller/role.yaml index 4a90cbc4f..d902dd0e3 100644 --- a/scripts/helmcharts/toolings/charts/kyverno/templates/cleanup-controller/role.yaml +++ b/scripts/helmcharts/toolings/charts/kyverno/templates/cleanup-controller/role.yaml 
@@ -8,33 +8,36 @@ metadata: {{- include "kyverno.cleanup-controller.labels" . | nindent 4 }} namespace: {{ template "kyverno.namespace" . }} rules: -- apiGroups: - - '' - resources: - - secrets - verbs: - - get - - list - - watch - - create - - update -- apiGroups: - - '' - resources: - - configmaps - verbs: - - get - - list - - watch -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - create - - delete - - get - - patch - - update + - apiGroups: + - '' + resources: + - secrets + verbs: + - get + - list + - watch + - create + - update + - apiGroups: + - '' + resources: + - configmaps + verbs: + - get + - list + - watch + resourceNames: + - {{ include "kyverno.config.configMapName" . }} + - {{ include "kyverno.config.metricsConfigMapName" . }} + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - delete + - get + - patch + - update {{- end -}} {{- end -}} diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/cleanup-controller/rolebinding.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/cleanup-controller/rolebinding.yaml index d09739713..2096f1623 100644 --- a/scripts/helmcharts/toolings/charts/kyverno/templates/cleanup-controller/rolebinding.yaml +++ b/scripts/helmcharts/toolings/charts/kyverno/templates/cleanup-controller/rolebinding.yaml @@ -12,8 +12,8 @@ roleRef: kind: Role name: {{ template "kyverno.cleanup-controller.roleName" . }} subjects: -- kind: ServiceAccount - name: {{ template "kyverno.cleanup-controller.serviceAccountName" . }} - namespace: {{ template "kyverno.namespace" . }} + - kind: ServiceAccount + name: {{ template "kyverno.cleanup-controller.serviceAccountName" . }} + namespace: {{ template "kyverno.namespace" . }} {{- end -}} {{- end -}} 
diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/cleanup-controller/serviceaccount.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/cleanup-controller/serviceaccount.yaml index 471b4219e..a20a18644 100644 --- a/scripts/helmcharts/toolings/charts/kyverno/templates/cleanup-controller/serviceaccount.yaml +++ b/scripts/helmcharts/toolings/charts/kyverno/templates/cleanup-controller/serviceaccount.yaml @@ -4,8 +4,12 @@ apiVersion: v1 kind: ServiceAccount metadata: name: {{ template "kyverno.cleanup-controller.serviceAccountName" . }} + namespace: {{ template "kyverno.namespace" . }} labels: {{- include "kyverno.cleanup-controller.labels" . | nindent 4 }} - namespace: {{ template "kyverno.namespace" . }} + {{- with .Values.cleanupController.rbac.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} {{- end -}} {{- end -}} diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/cleanup-controller/servicemonitor.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/cleanup-controller/servicemonitor.yaml index 07f6ee55a..6d1d7ad74 100644 --- a/scripts/helmcharts/toolings/charts/kyverno/templates/cleanup-controller/servicemonitor.yaml +++ b/scripts/helmcharts/toolings/charts/kyverno/templates/cleanup-controller/servicemonitor.yaml @@ -12,7 +12,7 @@ metadata: labels: {{- include "kyverno.cleanup-controller.labels" . | nindent 4 }} {{- with .Values.cleanupController.serviceMonitor.additionalLabels }} - {{- toYaml .Values.cleanupController.serviceMonitor.additionalLabels | nindent 4 }} + {{- toYaml . | nindent 4 }} {{- end }} spec: selector: diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/cleanup/cleanup-admission-reports.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/cleanup/cleanup-admission-reports.yaml new file mode 100644 index 000000000..bce2bc5a7 --- /dev/null +++ b/scripts/helmcharts/toolings/charts/kyverno/templates/cleanup/cleanup-admission-reports.yaml 
@@ -0,0 +1,43 @@ +{{- if .Values.cleanupJobs.admissionReports.enabled -}} +apiVersion: batch/v1 +kind: CronJob +metadata: + name: {{ template "kyverno.name" . }}-cleanup-admission-reports + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.labels.merge" (list (include "kyverno.labels.common" .) (include "kyverno.matchLabels.common" .)) | nindent 4 }} +spec: + schedule: {{ .Values.cleanupJobs.admissionReports.schedule | quote }} + concurrencyPolicy: Forbid + successfulJobsHistoryLimit: {{ .Values.cleanupJobs.admissionReports.history.success }} + failedJobsHistoryLimit: {{ .Values.cleanupJobs.admissionReports.history.failure }} + jobTemplate: + spec: + template: + spec: + serviceAccountName: {{ template "kyverno.name" . }}-cleanup-jobs + {{- with .Values.cleanupJobs.admissionReports.podSecurityContext }} + securityContext: + {{- tpl (toYaml .) $ | nindent 12 }} + {{- end }} + containers: + - name: cleanup + image: {{ template "kyverno.image" .Values.cleanupJobs.admissionReports }} + imagePullPolicy: {{ .Values.cleanupJobs.admissionReports.image.pullPolicy }} + command: + - /bin/sh + - -c + - | + COUNT=$(kubectl get admissionreports.kyverno.io -A | wc -l) + if [ "$COUNT" -gt {{ .Values.cleanupJobs.admissionReports.threshold }} ]; then + echo "too many reports found ($COUNT), cleaning up..." + kubectl delete admissionreports.kyverno.io -A -l='!audit.kyverno.io/report.aggregate' + else + echo "($COUNT) reports found, no clean up needed" + fi + {{- with .Values.cleanupJobs.admissionReports.securityContext }} + securityContext: + {{- toYaml . | nindent 14 }} + {{- end }} + restartPolicy: OnFailure +{{- end -}} diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/cleanup/cleanup-cluster-admission-reports.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/cleanup/cleanup-cluster-admission-reports.yaml new file mode 100644 index 000000000..9d9570404 --- /dev/null 
+++ b/scripts/helmcharts/toolings/charts/kyverno/templates/cleanup/cleanup-cluster-admission-reports.yaml @@ -0,0 +1,43 @@ +{{- if .Values.cleanupJobs.clusterAdmissionReports.enabled -}} +apiVersion: batch/v1 +kind: CronJob +metadata: + name: {{ template "kyverno.name" . }}-cleanup-cluster-admission-reports + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.labels.merge" (list (include "kyverno.labels.common" .) (include "kyverno.matchLabels.common" .)) | nindent 4 }} +spec: + schedule: {{ .Values.cleanupJobs.clusterAdmissionReports.schedule | quote }} + concurrencyPolicy: Forbid + successfulJobsHistoryLimit: {{ .Values.cleanupJobs.clusterAdmissionReports.history.success }} + failedJobsHistoryLimit: {{ .Values.cleanupJobs.clusterAdmissionReports.history.failure }} + jobTemplate: + spec: + template: + spec: + serviceAccountName: {{ template "kyverno.name" . }}-cleanup-jobs + {{- with .Values.cleanupJobs.clusterAdmissionReports.podSecurityContext }} + securityContext: + {{- tpl (toYaml .) $ | nindent 12 }} + {{- end }} + containers: + - name: cleanup + image: {{ template "kyverno.image" .Values.cleanupJobs.clusterAdmissionReports }} + imagePullPolicy: {{ .Values.cleanupJobs.clusterAdmissionReports.image.pullPolicy }} + command: + - /bin/sh + - -c + - | + COUNT=$(kubectl get clusteradmissionreports.kyverno.io -A | wc -l) + if [ "$COUNT" -gt {{ .Values.cleanupJobs.clusterAdmissionReports.threshold }} ]; then + echo "too many reports found ($COUNT), cleaning up..." + kubectl delete clusteradmissionreports.kyverno.io -A -l='!audit.kyverno.io/report.aggregate' + else + echo "($COUNT) reports found, no clean up needed" + fi + {{- with .Values.cleanupJobs.clusterAdmissionReports.securityContext }} + securityContext: + {{- toYaml . | nindent 14 }} + {{- end }} + restartPolicy: OnFailure +{{- end -}} 
diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/cleanup/clusterrole.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/cleanup/clusterrole.yaml new file mode 100644 index 000000000..b6ff0a5e7 --- /dev/null +++ b/scripts/helmcharts/toolings/charts/kyverno/templates/cleanup/clusterrole.yaml @@ -0,0 +1,15 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "kyverno.name" . }}-cleanup-jobs + labels: + {{- include "kyverno.labels.merge" (list (include "kyverno.labels.common" .) (include "kyverno.matchLabels.common" .)) | nindent 4 }} +rules: + - apiGroups: + - kyverno.io + resources: + - admissionreports + - clusteradmissionreports + verbs: + - list + - deletecollection diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/cleanup/clusterrolebinding.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/cleanup/clusterrolebinding.yaml new file mode 100644 index 000000000..0587113f6 --- /dev/null +++ b/scripts/helmcharts/toolings/charts/kyverno/templates/cleanup/clusterrolebinding.yaml @@ -0,0 +1,14 @@ +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "kyverno.name" . }}-cleanup-jobs + labels: + {{- include "kyverno.labels.merge" (list (include "kyverno.labels.common" .) (include "kyverno.matchLabels.common" .)) | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "kyverno.name" . }}-cleanup-jobs +subjects: + - kind: ServiceAccount + name: {{ template "kyverno.name" . }}-cleanup-jobs + namespace: {{ template "kyverno.namespace" . }} diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/cleanup/serviceaccount.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/cleanup/serviceaccount.yaml new file mode 100644 index 000000000..f93bdc2e6 --- /dev/null +++ b/scripts/helmcharts/toolings/charts/kyverno/templates/cleanup/serviceaccount.yaml 
@@ -0,0 +1,7 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "kyverno.name" . }}-cleanup-jobs + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.labels.merge" (list (include "kyverno.labels.common" .) (include "kyverno.matchLabels.common" .)) | nindent 4 }} diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/clusterrole.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/clusterrole.yaml deleted file mode 100644 index 6a817ebc6..000000000 --- a/scripts/helmcharts/toolings/charts/kyverno/templates/clusterrole.yaml +++ /dev/null 
@@ -1,188 +0,0 @@ -{{- if .Values.rbac.create }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ template "kyverno.fullname" . }} - labels: - {{- include "kyverno.labels" . | nindent 4 }} -aggregationRule: - clusterRoleSelectors: - - matchLabels: - {{- include "kyverno.matchLabels" . | nindent 6 }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ template "kyverno.fullname" . }}:userinfo - labels: - {{- include "kyverno.labels" . | nindent 4 }} -rules: -- apiGroups: - - rbac.authorization.k8s.io - resources: - - roles - - clusterroles - - rolebindings - - clusterrolebindings - verbs: - - watch - - list ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ template "kyverno.fullname" . }}:policies - labels: - {{- include "kyverno.labels" . | nindent 4 }} -rules: -- apiGroups: - - kyverno.io - resources: - - policies - - policies/status - - clusterpolicies - - clusterpolicies/status - - generaterequests - - generaterequests/status - - updaterequests - - updaterequests/status - - admissionreports - - clusteradmissionreports - - backgroundscanreports - - clusterbackgroundscanreports - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - deletecollection -- apiGroups: - - wgpolicyk8s.io - resources: - - policyreports - - policyreports/status - - clusterpolicyreports - - clusterpolicyreports/status - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - deletecollection ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ template "kyverno.fullname" . }}:view - labels: - {{- include "kyverno.labels" . | nindent 4 }} -rules: -- apiGroups: - - '*' - resources: - - '*' - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ template "kyverno.fullname" . }}:generate - labels: - {{- include "kyverno.labels" . 
| nindent 4 }} -rules: - - apiGroups: - - networking.k8s.io - resources: - - ingresses - - ingressclasses - - networkpolicies - verbs: - - create - - update - - patch - - delete - - apiGroups: - - '' - resources: - - namespaces - - configmaps - - secrets - - resourcequotas - - limitranges - verbs: - - create - - update - - patch - - delete - - apiGroups: - - rbac.authorization.k8s.io - resources: - - rolebindings - - roles - verbs: - - create - - update - - patch - - delete - {{- if .Values.generatecontrollerExtraResources }} - - apiGroups: - - '*' - resources: - {{- range .Values.generatecontrollerExtraResources }} - - {{ . }} - {{- end }} - verbs: - - create - - update - - delete - {{- end }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ template "kyverno.fullname" . }}:events - labels: - {{- include "kyverno.labels" . | nindent 4 }} -rules: -- apiGroups: - - '' - - events.k8s.io - resources: - - events - verbs: - - create - - update - - patch - - delete ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ template "kyverno.fullname" . }}:webhook - labels: - {{- include "kyverno.labels" . | nindent 4 }} -rules: -- apiGroups: - - admissionregistration.k8s.io - resources: - - mutatingwebhookconfigurations - - validatingwebhookconfigurations - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - deletecollection -{{- end }} diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/clusterrolebinding.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/clusterrolebinding.yaml deleted file mode 100644 index c44341f9c..000000000 --- a/scripts/helmcharts/toolings/charts/kyverno/templates/clusterrolebinding.yaml +++ /dev/null 
@@ -1,16 +0,0 @@ -{{- if .Values.rbac.create -}} -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ template "kyverno.fullname" . }} - labels: - {{- include "kyverno.labels" . | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ template "kyverno.fullname" . }} -subjects: -- kind: ServiceAccount - name: {{ template "kyverno.serviceAccountName" . }} - namespace: {{ template "kyverno.namespace" . }} -{{- end -}} diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/config/_helpers.tpl b/scripts/helmcharts/toolings/charts/kyverno/templates/config/_helpers.tpl new file mode 100644 index 000000000..64ec92c63 --- /dev/null +++ b/scripts/helmcharts/toolings/charts/kyverno/templates/config/_helpers.tpl 
@@ -0,0 +1,64 @@ +{{/* vim: set filetype=mustache: */}} + +{{- define "kyverno.config.configMapName" -}} +{{- if .Values.config.create -}} + {{ default (include "kyverno.fullname" .) .Values.config.name }} +{{- else -}} + {{ required "A configmap name is required when `config.create` is set to `false`" .Values.config.name }} +{{- end -}} +{{- end -}} + +{{- define "kyverno.config.metricsConfigMapName" -}} +{{- if .Values.metricsConfig.create -}} + {{ default (printf "%s-metrics" (include "kyverno.fullname" .)) .Values.metricsConfig.name }} +{{- else -}} + {{ required "A configmap name is required when `metricsConfig.create` is set to `false`" .Values.metricsConfig.name }} +{{- end -}} +{{- end -}} + +{{- define "kyverno.config.labels" -}} +{{- template "kyverno.labels.merge" (list + (include "kyverno.labels.common" .) + (include "kyverno.config.matchLabels" .) +) -}} +{{- end -}} + +{{- define "kyverno.config.matchLabels" -}} +{{- template "kyverno.labels.merge" (list + (include "kyverno.matchLabels.common" .) 
+ (include "kyverno.labels.component" "config") +) -}} +{{- end -}} + +{{- define "kyverno.config.resourceFilters" -}} +{{- $resourceFilters := .Values.config.resourceFilters -}} +{{- if .Values.config.excludeKyvernoNamespace -}} + {{- $resourceFilters = prepend .Values.config.resourceFilters (printf "[*/*,%s,*]" (include "kyverno.namespace" .)) -}} +{{- end -}} +{{- range $exclude := .Values.config.resourceFiltersExcludeNamespaces -}} + {{- range $filter := $resourceFilters -}} + {{- if (contains (printf ",%s," $exclude) $filter) -}} + {{- $resourceFilters = without $resourceFilters $filter -}} + {{- end -}} + {{- end -}} +{{- end -}} +{{- range $resourceFilter := $resourceFilters }} +{{ tpl $resourceFilter $ }} +{{- end -}} +{{- end -}} + +{{- define "kyverno.config.webhooks" -}} +{{- $excludeDefault := dict "key" "kubernetes.io/metadata.name" "operator" "NotIn" "values" (list (include "kyverno.namespace" .)) }} +{{- $newWebhook := list }} +{{- range $webhook := .Values.config.webhooks }} + {{- $namespaceSelector := default dict $webhook.namespaceSelector }} + {{- $matchExpressions := default list $namespaceSelector.matchExpressions }} + {{- $newNamespaceSelector := dict "matchLabels" $namespaceSelector.matchLabels "matchExpressions" (append $matchExpressions $excludeDefault) }} + {{- $newWebhook = append $newWebhook (merge (omit $webhook "namespaceSelector") (dict "namespaceSelector" $newNamespaceSelector)) }} +{{- end }} +{{- $newWebhook | toJson }} +{{- end -}} + +{{- define "kyverno.config.imagePullSecret" -}} +{{- printf "{\"auths\":{\"%s\":{\"auth\":\"%s\"}}}" .registry (printf "%s:%s" .username .password | b64enc) | b64enc }} +{{- end -}} diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/config/configmap.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/config/configmap.yaml new file mode 100644 index 000000000..2304c1266 --- /dev/null +++ b/scripts/helmcharts/toolings/charts/kyverno/templates/config/configmap.yaml 
@@ -0,0 +1,45 @@ +{{- if .Values.config.create -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "kyverno.config.configMapName" . }} + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.config.labels" . | nindent 4 }} + {{- with .Values.config.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +data: + enableDefaultRegistryMutation: {{ .Values.config.enableDefaultRegistryMutation | quote }} + {{- with .Values.config.defaultRegistry }} + defaultRegistry: {{ . | quote }} + {{- end }} + generateSuccessEvents: {{ .Values.config.generateSuccessEvents | quote }} + {{- with .Values.config.excludeGroups }} + excludeGroups: {{ join "," . | quote }} + {{- end -}} + {{- with .Values.config.excludeUsernames }} + excludeUsernames: {{ join "," . | quote }} + {{- end -}} + {{- with .Values.config.excludeRoles }} + excludeRoles: {{ join "," . | quote }} + {{- end -}} + {{- with .Values.config.excludeClusterRoles }} + excludeClusterRoles: {{ join "," . | quote }} + {{- end -}} + {{- if .Values.config.resourceFilters }} + resourceFilters: >- + {{- include "kyverno.config.resourceFilters" . | trim | nindent 4 }} + {{- end -}} + {{- if and .Values.config.webhooks .Values.config.excludeKyvernoNamespace }} + webhooks: {{ include "kyverno.config.webhooks" . | quote }} + {{- else if .Values.config.webhooks }} + webhooks: {{ .Values.config.webhooks | toJson | quote }} + {{- else if .Values.config.excludeKyvernoNamespace }} + webhooks: '[{"namespaceSelector": {"matchExpressions": [{"key":"kubernetes.io/metadata.name","operator":"NotIn","values":["{{ include "kyverno.namespace" . }}"]}]}}]' + {{- end -}} + {{- with .Values.config.webhookAnnotations }} + webhookAnnotations: {{ toJson . | quote }} + {{- end }} +{{- end -}} 
diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/imagepullsecret.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/config/imagepullsecret.yaml similarity index 63% rename from scripts/helmcharts/toolings/charts/kyverno/templates/imagepullsecret.yaml rename to scripts/helmcharts/toolings/charts/kyverno/templates/config/imagepullsecret.yaml index f6e8c11de..19ce98ce4 100644 --- a/scripts/helmcharts/toolings/charts/kyverno/templates/imagepullsecret.yaml +++ b/scripts/helmcharts/toolings/charts/kyverno/templates/config/imagepullsecret.yaml @@ -6,8 +6,8 @@ metadata: name: {{ $name }} namespace: {{ template "kyverno.namespace" $ }} labels: - {{- include "kyverno.labels" $ | nindent 4 }} + {{- include "kyverno.config.labels" $ | nindent 4 }} type: kubernetes.io/dockerconfigjson data: - .dockerconfigjson: {{ template "kyverno.imagePullSecret" $secret }} + .dockerconfigjson: {{ template "kyverno.config.imagePullSecret" $secret }} {{ end }} diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/config/metricsconfigmap.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/config/metricsconfigmap.yaml new file mode 100644 index 000000000..dc5148908 --- /dev/null +++ b/scripts/helmcharts/toolings/charts/kyverno/templates/config/metricsconfigmap.yaml @@ -0,0 +1,20 @@ +{{- if .Values.metricsConfig.create -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "kyverno.config.metricsConfigMapName" . }} + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.config.labels" . | nindent 4 }} + {{- with .Values.metricsConfig.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +data: + {{- with .Values.metricsConfig.namespaces }} + namespaces: {{ toJson . | quote }} + {{- end }} + {{- with .Values.metricsConfig.metricsRefreshInterval }} + metricsRefreshInterval: {{ . }} + {{- end }} +{{- end -}} 
diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/configmap.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/configmap.yaml deleted file mode 100644 index 8125dd646..000000000 --- a/scripts/helmcharts/toolings/charts/kyverno/templates/configmap.yaml +++ /dev/null @@ -1,34 +0,0 @@ -{{- if (not .Values.config.existingConfig) }} -apiVersion: v1 -kind: ConfigMap -metadata: - labels: - {{- include "kyverno.labels" . | nindent 4 }} - {{- with .Values.config.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} - name: {{ template "kyverno.configMapName" . }} - namespace: {{ template "kyverno.namespace" . }} -data: - # resource types to be skipped by kyverno policy engine - {{- if .Values.config.resourceFilters }} - resourceFilters: {{ include "kyverno.resourceFilters" . | quote }} - {{- end -}} - {{- if .Values.config.excludeGroupRole }} - excludeGroupRole: {{ join "," .Values.config.excludeGroupRole | quote }} - {{- end -}} - {{- if .Values.config.excludeUsername }} - excludeUsername: {{ join "," .Values.config.excludeUsername | quote }} - {{- end -}} - {{- if and .Values.config.webhooks .Values.excludeKyvernoNamespace }} - webhooks: {{ include "kyverno.webhooks" . | quote }} - {{- else if .Values.config.webhooks }} - webhooks: {{ .Values.config.webhooks | toJson | quote }} - {{- else if .Values.excludeKyvernoNamespace }} - webhooks: '[{"namespaceSelector": {"matchExpressions": [{"key":"kubernetes.io/metadata.name","operator":"NotIn","values":["{{ include "kyverno.namespace" . }}"]}]}}]' - {{- end -}} - {{- if .Values.config.generateSuccessEvents }} - generateSuccessEvents: {{ .Values.config.generateSuccessEvents | quote }} - {{- end -}} -{{- end -}} diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/crds/_helpers.tpl b/scripts/helmcharts/toolings/charts/kyverno/templates/crds/_helpers.tpl new file mode 100644 index 000000000..f09828b72 --- /dev/null 
+++ b/scripts/helmcharts/toolings/charts/kyverno/templates/crds/_helpers.tpl @@ -0,0 +1,15 @@ +{{/* vim: set filetype=mustache: */}} + +{{- define "kyverno.crds.labels" -}} +{{- template "kyverno.labels.merge" (list + (include "kyverno.labels.common" .) + (include "kyverno.crds.matchLabels" .) +) -}} +{{- end -}} + +{{- define "kyverno.crds.matchLabels" -}} +{{- template "kyverno.labels.merge" (list + (include "kyverno.matchLabels.common" .) + (include "kyverno.labels.component" "crds") +) -}} +{{- end -}} diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/crds.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/crds/crds.yaml similarity index 87% rename from scripts/helmcharts/toolings/charts/kyverno/templates/crds.yaml rename to scripts/helmcharts/toolings/charts/kyverno/templates/crds/crds.yaml index 40bb8fad5..2683252c4 100644 --- a/scripts/helmcharts/toolings/charts/kyverno/templates/crds.yaml +++ b/scripts/helmcharts/toolings/charts/kyverno/templates/crds/crds.yaml @@ -1,15 +1,15 @@ -{{- if .Values.installCRDs }} +{{- if .Values.crds.install }} --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.1 + controller-gen.kubebuilder.io/version: v0.11.3 {{- with .Values.crds.annotations }} {{- toYaml . | nindent 4 }} {{- end }} labels: - {{- include "kyverno.crdLabels" . | nindent 4 }} + {{- include "kyverno.crds.labels" . | nindent 4 }} name: admissionreports.kyverno.io spec: group: kyverno.io 
@@ -25,38 +25,30 @@ spec: scope: Namespaced versions: - additionalPrinterColumns: - - jsonPath: .metadata.ownerReferences[0].apiVersion - name: ApiVersion - priority: 1 - type: string - - jsonPath: .metadata.ownerReferences[0].kind - name: Kind - priority: 1 - type: string - - jsonPath: .metadata.ownerReferences[0].name - name: Subject - priority: 1 - type: string + - jsonPath: .metadata.creationTimestamp + name: AGE + type: date - jsonPath: .spec.summary.pass - name: Pass + name: PASS type: integer - jsonPath: .spec.summary.fail - name: Fail + name: FAIL type: integer - jsonPath: .spec.summary.warn - name: Warn + name: WARN type: integer - jsonPath: .spec.summary.error - name: Error + name: ERROR type: integer - jsonPath: .spec.summary.skip - name: Skip + name: SKIP type: integer - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.hash'] - name: Hash + - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.gvr'] + name: GVR + priority: 1 + type: string + - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.name'] + name: REF priority: 1 type: string - jsonPath: .metadata.labels['audit\.kyverno\.io/report\.aggregate'] @@ -105,10 +97,10 @@ spec: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string name: - description: 'Name of the referent. More info: http://kubernetes.io/docs/user-guide/identifiers#names' + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names' type: string uid: - description: 'UID of the referent. More info: http://kubernetes.io/docs/user-guide/identifiers#uids' + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids' type: string required: - apiVersion 
@@ -349,12 +341,12 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.1 + controller-gen.kubebuilder.io/version: v0.11.3 {{- with .Values.crds.annotations }} {{- toYaml . | nindent 4 }} {{- end }} labels: - {{- include "kyverno.crdLabels" . | nindent 4 }} + {{- include "kyverno.crds.labels" . | nindent 4 }} name: backgroundscanreports.kyverno.io spec: group: kyverno.io @@ -654,12 +646,12 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.1 + controller-gen.kubebuilder.io/version: v0.11.3 {{- with .Values.crds.annotations }} {{- toYaml . | nindent 4 }} {{- end }} labels: - {{- include "kyverno.crdLabels" . | nindent 4 }} + {{- include "kyverno.crds.labels" . | nindent 4 }} name: cleanuppolicies.kyverno.io spec: group: kyverno.io @@ -716,6 +708,9 @@ spec: description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, @@ -756,6 +751,9 @@ spec: description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, 
@@ -896,6 +894,21 @@ spec: items: type: string type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters @@ -1099,6 +1112,21 @@ spec: items: type: string type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters @@ -1309,6 +1337,21 @@ spec: items: type: string type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters 
@@ -1512,6 +1555,21 @@ spec: items: type: string type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters @@ -1702,12 +1760,12 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.1 + controller-gen.kubebuilder.io/version: v0.11.3 {{- with .Values.crds.annotations }} {{- toYaml . | nindent 4 }} {{- end }} labels: - {{- include "kyverno.crdLabels" . | nindent 4 }} + {{- include "kyverno.crds.labels" . | nindent 4 }} name: clusteradmissionreports.kyverno.io spec: group: kyverno.io 
@@ -1723,38 +1781,30 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .metadata.ownerReferences[0].apiVersion - name: ApiVersion - priority: 1 - type: string - - jsonPath: .metadata.ownerReferences[0].kind - name: Kind - priority: 1 - type: string - - jsonPath: .metadata.ownerReferences[0].name - name: Subject - priority: 1 - type: string + - jsonPath: .metadata.creationTimestamp + name: AGE + type: date - jsonPath: .spec.summary.pass - name: Pass + name: PASS type: integer - jsonPath: .spec.summary.fail - name: Fail + name: FAIL type: integer - jsonPath: .spec.summary.warn - name: Warn + name: WARN type: integer - jsonPath: .spec.summary.error - name: Error + name: ERROR type: integer - jsonPath: .spec.summary.skip - name: Skip + name: SKIP type: integer - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.hash'] - name: Hash + - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.gvr'] + name: GVR + priority: 1 + type: string + - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.name'] + name: REF priority: 1 type: string - jsonPath: .metadata.labels['audit\.kyverno\.io/report\.aggregate'] @@ -1804,10 +1854,10 @@ spec: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string name: - description: 'Name of the referent. More info: http://kubernetes.io/docs/user-guide/identifiers#names' + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names' type: string uid: - description: 'UID of the referent. More info: http://kubernetes.io/docs/user-guide/identifiers#uids' + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids' type: string required: - apiVersion 
@@ -2048,12 +2098,12 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.1 + controller-gen.kubebuilder.io/version: v0.11.3 {{- with .Values.crds.annotations }} {{- toYaml . | nindent 4 }} {{- end }} labels: - {{- include "kyverno.crdLabels" . | nindent 4 }} + {{- include "kyverno.crds.labels" . | nindent 4 }} name: clusterbackgroundscanreports.kyverno.io spec: group: kyverno.io @@ -2353,12 +2403,12 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.1 + controller-gen.kubebuilder.io/version: v0.11.3 {{- with .Values.crds.annotations }} {{- toYaml . | nindent 4 }} {{- end }} labels: - {{- include "kyverno.crdLabels" . | nindent 4 }} + {{- include "kyverno.crds.labels" . | nindent 4 }} name: clustercleanuppolicies.kyverno.io spec: group: kyverno.io @@ -2415,6 +2465,9 @@ spec: description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, @@ -2455,6 +2508,9 @@ spec: description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, 
@@ -2595,6 +2651,21 @@ spec: items: type: string type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters @@ -2798,6 +2869,21 @@ spec: items: type: string type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters @@ -3008,6 +3094,21 @@ spec: items: type: string type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters 
@@ -3211,6 +3312,21 @@ spec: items: type: string type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters @@ -3401,12 +3517,12 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.1 + controller-gen.kubebuilder.io/version: v0.11.3 {{- with .Values.crds.annotations }} {{- toYaml . | nindent 4 }} {{- end }} labels: - {{- include "kyverno.crdLabels" . | nindent 4 }} + {{- include "kyverno.crds.labels" . | nindent 4 }} name: clusterpolicies.kyverno.io spec: group: kyverno.io @@ -3432,9 +3548,9 @@ spec: name: Failure Policy priority: 1 type: string - - jsonPath: .status.ready + - jsonPath: .status.conditions[?(@.type == "Ready")].status name: Ready - type: boolean + type: string - jsonPath: .metadata.creationTimestamp name: Age type: date @@ -3454,6 +3570,9 @@ spec: name: Verifyimages priority: 1 type: integer + - jsonPath: .status.conditions[?(@.type == "Ready")].message + name: MESSAGE + type: string name: v1 schema: openAPIV3Schema: 
@@ -3503,11 +3622,14 @@ spec: - Ignore - Fail type: string + generateExisting: + description: GenerateExisting controls whether to trigger generate + rule in existing resources If is set to "true" generate rule will + be triggered and applied to existing matched resources. Defaults + to "false" if not specified. + type: boolean generateExistingOnPolicyUpdate: - description: GenerateExistingOnPolicyUpdate controls whether to trigger - generate rule in existing resources If is set to "true" generate - rule will be triggered and applied to existing matched resources. - Defaults to "false" if not specified. + description: Deprecated, use generateExisting instead type: boolean mutateExistingOnPolicyUpdate: description: MutateExistingOnPolicyUpdate controls if a mutateExisting 
@@ -3531,28 +3653,70 @@ spec: must be provided. properties: apiCall: - description: APICall defines an HTTP request to the Kubernetes - API server. The JSON data retrieved is stored in the - context. + description: APICall is an HTTP request to the Kubernetes + API server, or other JSON web service. The data returned + is stored in the context with the name for the context + entry. properties: + data: + description: Data specifies the POST data sent to + the server. + items: + description: RequestData contains the HTTP POST + data + properties: + key: + description: Key is a unique identifier for + the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array jmesPath: description: JMESPath is an optional JSON Match Expression that can be used to transform the JSON response - returned from the API server. For example a JMESPath + returned from the server. For example a JMESPath of "items | length(@)" applied to the API server - response to the URLPath "/apis/apps/v1/deployments" + response for the URLPath "/apis/apps/v1/deployments" will return the total count of deployments across all namespaces. type: string + method: + default: GET + description: Method is the HTTP request type (GET + or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call to a JSON web + service + properties: + caBundle: + description: CABundle is a PEM encoded CA bundle + which will be used to validate the server certificate. + type: string + url: + description: URL is the JSON web service URL. + A typical form is `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object urlPath: description: URLPath is the URL path to be used in - the HTTP GET request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). 
+ the HTTP GET or POST request to the Kubernetes API + server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). The format required is the same format used by the - `kubectl get --raw` command. + `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. type: string - required: - - urlPath type: object configMap: description: ConfigMap is the ConfigMap reference. @@ -3724,6 +3888,21 @@ spec: items: type: string type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support the @@ -3942,6 +4121,21 @@ spec: items: type: string type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support the 
@@ -4148,6 +4342,21 @@ spec: items: type: string type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters @@ -4355,6 +4564,15 @@ spec: additionalProperties: items: properties: + jmesPath: + description: 'JMESPath is an optional JMESPath expression + to apply to the image value. This is useful when the + extracted image begins with a prefix like ''docker://''. + The ''trim_prefix'' function may be used to trim the + prefix: trim_prefix(@, ''docker://''). Note - Image + digest mutation may not be used when applying a JMESPAth + to an image.' + type: string key: description: Key is an optional name of the field within 'path' that will be used to uniquely identify an image. @@ -4505,6 +4723,21 @@ spec: items: type: string type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support the 
@@ -4723,6 +4956,21 @@ spec: items: type: string type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support the @@ -4929,6 +5177,21 @@ spec: items: type: string type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters @@ -5035,9 +5298,9 @@ spec: sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic. items: - description: ForEach applies mutation rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified + description: ForEachMutation applies mutation rules to + a list of sub-elements by creating a context for each + entry in the list and looping over it to apply the specified logic. properties: context: 
@@ -5049,30 +5312,74 @@ spec: reference or a APILookup must be provided. properties: apiCall: - description: APICall defines an HTTP request - to the Kubernetes API server. The JSON data - retrieved is stored in the context. + description: APICall is an HTTP request to the + Kubernetes API server, or other JSON web service. + The data returned is stored in the context + with the name for the context entry. properties: + data: + description: Data specifies the POST data + sent to the server. + items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array jmesPath: description: JMESPath is an optional JSON Match Expression that can be used to transform - the JSON response returned from the API - server. For example a JMESPath of "items - | length(@)" applied to the API server - response to the URLPath "/apis/apps/v1/deployments" + the JSON response returned from the server. + For example a JMESPath of "items | length(@)" + applied to the API server response for + the URLPath "/apis/apps/v1/deployments" will return the total count of deployments across all namespaces. type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call to a + JSON web service + properties: + caBundle: + description: CABundle is a PEM encoded + CA bundle which will be used to validate + the server certificate. + type: string + url: + description: URL is the JSON web service + URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object urlPath: description: URLPath is the URL path to - be used in the HTTP GET request to the - Kubernetes API server (e.g. 
"/api/v1/namespaces" + be used in the HTTP GET or POST request + to the Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). The format required is the same format used - by the `kubectl get --raw` command. + by the `kubectl get --raw` command. See + https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. type: string - required: - - urlPath type: object configMap: description: ConfigMap is the ConfigMap reference. @@ -5139,6 +5446,15 @@ spec: that results in one or more elements to which the validation logic is applied. type: string + order: + description: Order defines the iteration order on + the list. Can be Ascending to iterate from first + to last element or Descending to iterate in from + last to first element. + enum: + - Ascending + - Descending + type: string patchStrategicMerge: description: PatchStrategicMerge is a strategic merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ @@ -5170,6 +5486,10 @@ spec: description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators @@ -5219,6 +5539,10 @@ spec: description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators 
@@ -5271,10 +5595,147 @@ spec: description: Targets defines the target resources to be mutated. items: + description: TargetResourceSpec defines targets for mutating + existing resources. properties: apiVersion: description: APIVersion specifies resource apiVersion. type: string + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: ContextEntry adds variables and data + sources to a rule Context. Either a ConfigMap + reference or a APILookup must be provided. + properties: + apiCall: + description: APICall is an HTTP request to the + Kubernetes API server, or other JSON web service. + The data returned is stored in the context + with the name for the context entry. + properties: + data: + description: Data specifies the POST data + sent to the server. + items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: JMESPath is an optional JSON + Match Expression that can be used to transform + the JSON response returned from the server. + For example a JMESPath of "items | length(@)" + applied to the API server response for + the URLPath "/apis/apps/v1/deployments" + will return the total count of deployments + across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call to a + JSON web service + properties: + caBundle: + description: CABundle is a PEM encoded + CA bundle which will be used to validate + the server certificate. + type: string + url: + description: URL is the JSON web service + URL. 
A typical form is `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: URLPath is the URL path to + be used in the HTTP GET or POST request + to the Kubernetes API server (e.g. "/api/v1/namespaces" + or "/apis/apps/v1/deployments"). The + format required is the same format used + by the `kubectl get --raw` command. See + https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + imageRegistry: + description: ImageRegistry defines requests + to an OCI/Docker V2 registry to fetch image + details. + properties: + jmesPath: + description: JMESPath is an optional JSON + Match Expression that can be used to transform + the ImageData struct returned as a result + of processing the image reference. + type: string + reference: + description: 'Reference is image reference + to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest' + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: Default is an optional arbitrary + JSON object that the variable may take + if the JMESPath expression evaluates to + nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: JMESPath is an optional JMESPath + Expression that can be used to transform + the variable. + type: string + value: + description: Value is any arbitrary JSON + object representable in YAML or JSON form. 
+ x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array kind: description: Kind specifies resource kind. type: string @@ -5284,6 +5745,15 @@ spec: namespace: description: Namespace specifies resource namespace. type: string + preconditions: + description: 'Preconditions are used to determine + if a policy rule should be applied by evaluating + a set of conditions. The declaration can contain + nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements + is supported for backwards compatibility but will + be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + x-kubernetes-preserve-unknown-fields: true type: object type: array type: object @@ -5325,10 +5795,10 @@ spec: sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic. items: - description: ForEach applies validate rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. + description: ForEachValidation applies validate rules + to a list of sub-elements by creating a context for + each entry in the list and looping over it to apply + the specified logic. properties: anyPattern: description: AnyPattern specifies list of validation 
@@ -5344,30 +5814,74 @@ spec: reference or a APILookup must be provided. properties: apiCall: - description: APICall defines an HTTP request - to the Kubernetes API server. The JSON data - retrieved is stored in the context. + description: APICall is an HTTP request to the + Kubernetes API server, or other JSON web service. + The data returned is stored in the context + with the name for the context entry. properties: + data: + description: Data specifies the POST data + sent to the server. + items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array jmesPath: description: JMESPath is an optional JSON Match Expression that can be used to transform - the JSON response returned from the API - server. For example a JMESPath of "items - | length(@)" applied to the API server - response to the URLPath "/apis/apps/v1/deployments" + the JSON response returned from the server. + For example a JMESPath of "items | length(@)" + applied to the API server response for + the URLPath "/apis/apps/v1/deployments" will return the total count of deployments across all namespaces. type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call to a + JSON web service + properties: + caBundle: + description: CABundle is a PEM encoded + CA bundle which will be used to validate + the server certificate. + type: string + url: + description: URL is the JSON web service + URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object urlPath: description: URLPath is the URL path to - be used in the HTTP GET request to the - Kubernetes API server (e.g. 
"/api/v1/namespaces" + be used in the HTTP GET or POST request + to the Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). The format required is the same format used - by the `kubectl get --raw` command. + by the `kubectl get --raw` command. See + https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. type: string - required: - - urlPath type: object configMap: description: ConfigMap is the ConfigMap reference. @@ -5480,6 +5994,10 @@ spec: description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators @@ -5529,6 +6047,10 @@ spec: description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators @@ -5876,7 +6398,7 @@ spec: description: Version defines the Pod Security Standard versions that Kubernetes supports. Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, - latest. Defaults to latest. + v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 @@ -5885,6 +6407,7 @@ spec: - v1.23 - v1.24 - v1.25 + - v1.26 - latest type: string type: object @@ -6154,6 +6677,10 @@ spec: (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators 
@@ -6205,6 +6732,10 @@ spec: (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators @@ -6493,6 +7024,14 @@ spec: signing, for example an email address Deprecated. Use KeylessAttestor instead. type: string + type: + description: Type specifies the method of signature validation. + The allowed options are Cosign and Notary. By default + Cosign is used if a type is not specified. + enum: + - Cosign + - Notary + type: string verifyDigest: default: true description: VerifyDigest validates that images have a 
@@ -6535,6 +7074,54 @@ spec: - Audit - Enforce type: string + namespaceSelector: + description: A label selector is a label query over a set of + resources. The result of matchLabels and matchExpressions + are ANDed. An empty label selector matches all objects. A + null label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists or + DoesNotExist, the values array must be empty. This + array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is + "key", the operator is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic namespaces: items: type: string 
@@ -6574,28 +7161,71 @@ spec: APILookup must be provided. properties: apiCall: - description: APICall defines an HTTP request to the - Kubernetes API server. The JSON data retrieved is - stored in the context. + description: APICall is an HTTP request to the Kubernetes + API server, or other JSON web service. The data + returned is stored in the context with the name + for the context entry. properties: + data: + description: Data specifies the POST data sent + to the server. + items: + description: RequestData contains the HTTP POST + data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array jmesPath: description: JMESPath is an optional JSON Match Expression that can be used to transform the - JSON response returned from the API server. - For example a JMESPath of "items | length(@)" - applied to the API server response to the URLPath - "/apis/apps/v1/deployments" will return the - total count of deployments across all namespaces. + JSON response returned from the server. For + example a JMESPath of "items | length(@)" applied + to the API server response for the URLPath "/apis/apps/v1/deployments" + will return the total count of deployments across + all namespaces. type: string + method: + default: GET + description: Method is the HTTP request type (GET + or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call to a JSON + web service + properties: + caBundle: + description: CABundle is a PEM encoded CA + bundle which will be used to validate the + server certificate. + type: string + url: + description: URL is the JSON web service URL. + A typical form is `https://{service}.{namespace}:{port}/{path}`. 
+ type: string + required: + - url + type: object urlPath: description: URLPath is the URL path to be used - in the HTTP GET request to the Kubernetes API - server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + in the HTTP GET or POST request to the Kubernetes + API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). The format required is the same format used - by the `kubectl get --raw` command. + by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. type: string - required: - - urlPath type: object configMap: description: ConfigMap is the ConfigMap reference. @@ -6773,6 +7403,22 @@ spec: items: type: string type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support @@ -6998,6 +7644,22 @@ spec: items: type: string type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support 
@@ -7217,6 +7879,21 @@ spec: items: type: string type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one of + the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard @@ -7437,6 +8114,15 @@ spec: additionalProperties: items: properties: + jmesPath: + description: 'JMESPath is an optional JMESPath expression + to apply to the image value. This is useful when + the extracted image begins with a prefix like + ''docker://''. The ''trim_prefix'' function may + be used to trim the prefix: trim_prefix(@, ''docker://''). + Note - Image digest mutation may not be used when + applying a JMESPAth to an image.' + type: string key: description: Key is an optional name of the field within 'path' that will be used to uniquely identify @@ -7590,6 +8276,22 @@ spec: items: type: string type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support 
@@ -7815,6 +8517,22 @@ spec: items: type: string type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support @@ -8034,6 +8752,21 @@ spec: items: type: string type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one of + the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard @@ -8146,10 +8879,10 @@ spec: in the list and looping over it to apply the specified logic. items: - description: ForEach applies mutation rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. + description: ForEachMutation applies mutation rules + to a list of sub-elements by creating a context + for each entry in the list and looping over it to + apply the specified logic. properties: context: description: Context defines variables and data 
@@ -8160,31 +8893,78 @@ spec: reference or a APILookup must be provided. properties: apiCall: - description: APICall defines an HTTP request - to the Kubernetes API server. The JSON - data retrieved is stored in the context. + description: APICall is an HTTP request + to the Kubernetes API server, or other + JSON web service. The data returned is + stored in the context with the name for + the context entry. properties: + data: + description: Data specifies the POST + data sent to the server. + items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array jmesPath: description: JMESPath is an optional JSON Match Expression that can be used to transform the JSON response - returned from the API server. For - example a JMESPath of "items | length(@)" + returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response - to the URLPath "/apis/apps/v1/deployments" + for the URLPath "/apis/apps/v1/deployments" will return the total count of deployments across all namespaces. type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call + to a JSON web service + properties: + caBundle: + description: CABundle is a PEM encoded + CA bundle which will be used to + validate the server certificate. + type: string + url: + description: URL is the JSON web + service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object urlPath: description: URLPath is the URL path - to be used in the HTTP GET request - to the Kubernetes API server (e.g. - "/api/v1/namespaces" or "/apis/apps/v1/deployments"). 
+ to be used in the HTTP GET or POST + request to the Kubernetes API server + (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. type: string - required: - - urlPath type: object configMap: description: ConfigMap is the ConfigMap @@ -8256,6 +9036,15 @@ spec: that results in one or more elements to which the validation logic is applied. type: string + order: + description: Order defines the iteration order + on the list. Can be Ascending to iterate from + first to last element or Descending to iterate + in from last to first element. + enum: + - Ascending + - Descending + type: string patchStrategicMerge: description: PatchStrategicMerge is a strategic merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ @@ -8289,6 +9078,10 @@ spec: (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators @@ -8340,6 +9133,10 @@ spec: (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators 
@@ -8393,10 +9190,155 @@ spec: description: Targets defines the target resources to be mutated. items: + description: TargetResourceSpec defines targets for + mutating existing resources. properties: apiVersion: description: APIVersion specifies resource apiVersion. type: string + context: + description: Context defines variables and data + sources that can be used during rule execution. + items: + description: ContextEntry adds variables and + data sources to a rule Context. Either a ConfigMap + reference or a APILookup must be provided. + properties: + apiCall: + description: APICall is an HTTP request + to the Kubernetes API server, or other + JSON web service. The data returned is + stored in the context with the name for + the context entry. + properties: + data: + description: Data specifies the POST + data sent to the server. + items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: JMESPath is an optional + JSON Match Expression that can be + used to transform the JSON response + returned from the server. For example + a JMESPath of "items | length(@)" + applied to the API server response + for the URLPath "/apis/apps/v1/deployments" + will return the total count of deployments + across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call + to a JSON web service + properties: + caBundle: + description: CABundle is a PEM encoded + CA bundle which will be used to + validate the server certificate. + type: string + url: + description: URL is the JSON web + service URL. 
A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: URLPath is the URL path + to be used in the HTTP GET or POST + request to the Kubernetes API server + (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format + used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap + reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + imageRegistry: + description: ImageRegistry defines requests + to an OCI/Docker V2 registry to fetch + image details. + properties: + jmesPath: + description: JMESPath is an optional + JSON Match Expression that can be + used to transform the ImageData struct + returned as a result of processing + the image reference. + type: string + reference: + description: 'Reference is image reference + to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest' + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary + JMESPath context variable that can be + defined inline. + properties: + default: + description: Default is an optional + arbitrary JSON object that the variable + may take if the JMESPath expression + evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: JMESPath is an optional + JMESPath Expression that can be used + to transform the variable. + type: string + value: + description: Value is any arbitrary + JSON object representable in YAML + or JSON form. 
+ x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array kind: description: Kind specifies resource kind. type: string @@ -8406,6 +9348,16 @@ spec: namespace: description: Namespace specifies resource namespace. type: string + preconditions: + description: 'Preconditions are used to determine + if a policy rule should be applied by evaluating + a set of conditions. The declaration can contain + nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements + is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/' + x-kubernetes-preserve-unknown-fields: true type: object type: array type: object @@ -8449,10 +9401,10 @@ spec: in the list and looping over it to apply the specified logic. items: - description: ForEach applies validate rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. + description: ForEachValidation applies validate rules + to a list of sub-elements by creating a context + for each entry in the list and looping over it to + apply the specified logic. properties: anyPattern: description: AnyPattern specifies list of validation 
@@ -8468,31 +9420,78 @@ spec: reference or a APILookup must be provided. properties: apiCall: - description: APICall defines an HTTP request - to the Kubernetes API server. The JSON - data retrieved is stored in the context. + description: APICall is an HTTP request + to the Kubernetes API server, or other + JSON web service. The data returned is + stored in the context with the name for + the context entry. properties: + data: + description: Data specifies the POST + data sent to the server. + items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array jmesPath: description: JMESPath is an optional JSON Match Expression that can be used to transform the JSON response - returned from the API server. For - example a JMESPath of "items | length(@)" + returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response - to the URLPath "/apis/apps/v1/deployments" + for the URLPath "/apis/apps/v1/deployments" will return the total count of deployments across all namespaces. type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call + to a JSON web service + properties: + caBundle: + description: CABundle is a PEM encoded + CA bundle which will be used to + validate the server certificate. + type: string + url: + description: URL is the JSON web + service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object urlPath: description: URLPath is the URL path - to be used in the HTTP GET request - to the Kubernetes API server (e.g. - "/api/v1/namespaces" or "/apis/apps/v1/deployments"). 
+ to be used in the HTTP GET or POST + request to the Kubernetes API server + (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. type: string - required: - - urlPath type: object configMap: description: ConfigMap is the ConfigMap @@ -8611,6 +9610,10 @@ spec: (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators @@ -8662,6 +9665,10 @@ spec: (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators @@ -9021,7 +10028,7 @@ spec: description: Version defines the Pod Security Standard versions that Kubernetes supports. Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, - v1.25, latest. Defaults to latest. + v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 @@ -9030,6 +10037,7 @@ spec: - v1.23 - v1.24 - v1.25 + - v1.26 - latest type: string type: object @@ -9319,6 +10327,10 @@ spec: entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators 
@@ -9371,6 +10383,10 @@ spec: entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators @@ -9668,6 +10684,14 @@ spec: signing, for example an email address Deprecated. Use KeylessAttestor instead. type: string + type: + description: Type specifies the method of signature + validation. The allowed options are Cosign and Notary. + By default Cosign is used if a type is not specified. + enum: + - Cosign + - Notary + type: string verifyDigest: default: true description: VerifyDigest validates that images have @@ -9794,9 +10818,9 @@ spec: name: Failure Policy priority: 1 type: string - - jsonPath: .status.ready + - jsonPath: .status.conditions[?(@.type == "Ready")].status name: Ready - type: boolean + type: string - jsonPath: .metadata.creationTimestamp name: Age type: date @@ -9816,6 +10840,9 @@ spec: name: Verifyimages priority: 1 type: integer + - jsonPath: .status.conditions[?(@.type == "Ready")].message + name: MESSAGE + type: string name: v2beta1 schema: openAPIV3Schema: @@ -9864,11 +10891,14 @@ spec: - Ignore - Fail type: string + generateExisting: + description: GenerateExisting controls whether to trigger generate + rule in existing resources If is set to "true" generate rule will + be triggered and applied to existing matched resources. Defaults + to "false" if not specified. + type: boolean generateExistingOnPolicyUpdate: - description: GenerateExistingOnPolicyUpdate controls whether to trigger - generate rule in existing resources If is set to "true" generate - rule will be triggered and applied to existing matched resources. - Defaults to "false" if not specified. + description: Deprecated, use generateExisting instead type: boolean mutateExistingOnPolicyUpdate: description: MutateExistingOnPolicyUpdate controls if a mutateExisting 
@@ -9892,28 +10922,70 @@ spec: must be provided. properties: apiCall: - description: APICall defines an HTTP request to the Kubernetes - API server. The JSON data retrieved is stored in the - context. + description: APICall is an HTTP request to the Kubernetes + API server, or other JSON web service. The data returned + is stored in the context with the name for the context + entry. properties: + data: + description: Data specifies the POST data sent to + the server. + items: + description: RequestData contains the HTTP POST + data + properties: + key: + description: Key is a unique identifier for + the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array jmesPath: description: JMESPath is an optional JSON Match Expression that can be used to transform the JSON response - returned from the API server. For example a JMESPath + returned from the server. For example a JMESPath of "items | length(@)" applied to the API server - response to the URLPath "/apis/apps/v1/deployments" + response for the URLPath "/apis/apps/v1/deployments" will return the total count of deployments across all namespaces. type: string + method: + default: GET + description: Method is the HTTP request type (GET + or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call to a JSON web + service + properties: + caBundle: + description: CABundle is a PEM encoded CA bundle + which will be used to validate the server certificate. + type: string + url: + description: URL is the JSON web service URL. + A typical form is `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object urlPath: description: URLPath is the URL path to be used in - the HTTP GET request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). 
+ the HTTP GET or POST request to the Kubernetes API + server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). The format required is the same format used by the - `kubectl get --raw` command. + `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. type: string - required: - - urlPath type: object configMap: description: ConfigMap is the ConfigMap reference. @@ -10085,6 +11157,21 @@ spec: items: type: string type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support the @@ -10303,6 +11390,21 @@ spec: items: type: string type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support the 
@@ -10518,6 +11620,15 @@ spec: additionalProperties: items: properties: + jmesPath: + description: 'JMESPath is an optional JMESPath expression + to apply to the image value. This is useful when the + extracted image begins with a prefix like ''docker://''. + The ''trim_prefix'' function may be used to trim the + prefix: trim_prefix(@, ''docker://''). Note - Image + digest mutation may not be used when applying a JMESPAth + to an image.' + type: string key: description: Key is an optional name of the field within 'path' that will be used to uniquely identify an image. @@ -10668,6 +11779,21 @@ spec: items: type: string type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support the @@ -10886,6 +12012,21 @@ spec: items: type: string type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support the 
@@ -11000,9 +12141,9 @@ spec: sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic. items: - description: ForEach applies mutation rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified + description: ForEachMutation applies mutation rules to + a list of sub-elements by creating a context for each + entry in the list and looping over it to apply the specified logic. properties: context: 
@@ -11014,30 +12155,74 @@ spec: reference or a APILookup must be provided. properties: apiCall: - description: APICall defines an HTTP request - to the Kubernetes API server. The JSON data - retrieved is stored in the context. + description: APICall is an HTTP request to the + Kubernetes API server, or other JSON web service. + The data returned is stored in the context + with the name for the context entry. properties: + data: + description: Data specifies the POST data + sent to the server. + items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array jmesPath: description: JMESPath is an optional JSON Match Expression that can be used to transform - the JSON response returned from the API - server. For example a JMESPath of "items - | length(@)" applied to the API server - response to the URLPath "/apis/apps/v1/deployments" + the JSON response returned from the server. + For example a JMESPath of "items | length(@)" + applied to the API server response for + the URLPath "/apis/apps/v1/deployments" will return the total count of deployments across all namespaces. type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call to a + JSON web service + properties: + caBundle: + description: CABundle is a PEM encoded + CA bundle which will be used to validate + the server certificate. + type: string + url: + description: URL is the JSON web service + URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object urlPath: description: URLPath is the URL path to - be used in the HTTP GET request to the - Kubernetes API server (e.g. 
"/api/v1/namespaces" + be used in the HTTP GET or POST request + to the Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). The format required is the same format used - by the `kubectl get --raw` command. + by the `kubectl get --raw` command. See + https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. type: string - required: - - urlPath type: object configMap: description: ConfigMap is the ConfigMap reference. @@ -11104,6 +12289,15 @@ spec: that results in one or more elements to which the validation logic is applied. type: string + order: + description: Order defines the iteration order on + the list. Can be Ascending to iterate from first + to last element or Descending to iterate in from + last to first element. + enum: + - Ascending + - Descending + type: string patchStrategicMerge: description: PatchStrategicMerge is a strategic merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ @@ -11135,6 +12329,10 @@ spec: description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators @@ -11184,6 +12382,10 @@ spec: description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators 
@@ -11236,10 +12438,147 @@ spec: description: Targets defines the target resources to be mutated. items: + description: TargetResourceSpec defines targets for mutating + existing resources. properties: apiVersion: description: APIVersion specifies resource apiVersion. type: string + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: ContextEntry adds variables and data + sources to a rule Context. Either a ConfigMap + reference or a APILookup must be provided. + properties: + apiCall: + description: APICall is an HTTP request to the + Kubernetes API server, or other JSON web service. + The data returned is stored in the context + with the name for the context entry. + properties: + data: + description: Data specifies the POST data + sent to the server. + items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: JMESPath is an optional JSON + Match Expression that can be used to transform + the JSON response returned from the server. + For example a JMESPath of "items | length(@)" + applied to the API server response for + the URLPath "/apis/apps/v1/deployments" + will return the total count of deployments + across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call to a + JSON web service + properties: + caBundle: + description: CABundle is a PEM encoded + CA bundle which will be used to validate + the server certificate. + type: string + url: + description: URL is the JSON web service + URL. 
A typical form is `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: URLPath is the URL path to + be used in the HTTP GET or POST request + to the Kubernetes API server (e.g. "/api/v1/namespaces" + or "/apis/apps/v1/deployments"). The + format required is the same format used + by the `kubectl get --raw` command. See + https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + imageRegistry: + description: ImageRegistry defines requests + to an OCI/Docker V2 registry to fetch image + details. + properties: + jmesPath: + description: JMESPath is an optional JSON + Match Expression that can be used to transform + the ImageData struct returned as a result + of processing the image reference. + type: string + reference: + description: 'Reference is image reference + to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest' + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: Default is an optional arbitrary + JSON object that the variable may take + if the JMESPath expression evaluates to + nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: JMESPath is an optional JMESPath + Expression that can be used to transform + the variable. + type: string + value: + description: Value is any arbitrary JSON + object representable in YAML or JSON form. 
+ x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array kind: description: Kind specifies resource kind. type: string @@ -11249,6 +12588,15 @@ spec: namespace: description: Namespace specifies resource namespace. type: string + preconditions: + description: 'Preconditions are used to determine + if a policy rule should be applied by evaluating + a set of conditions. The declaration can contain + nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements + is supported for backwards compatibility but will + be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + x-kubernetes-preserve-unknown-fields: true type: object type: array type: object @@ -11276,6 +12624,9 @@ spec: description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators are: Equals, NotEquals, @@ -11317,6 +12668,9 @@ spec: description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators are: Equals, NotEquals, @@ -11377,6 +12731,10 @@ spec: description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators are: 
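Review bot: the `preconditions` description added under the mutate targets never closes its parenthesis: "A direct list of conditions (without `any` or `all` statements is supported for backwards compatibility but will be deprecated". Since this text comes out of the Go doc comment, fix it upstream and regenerate rather than hand-editing the template. Note also that the field is `x-kubernetes-preserve-unknown-fields: true` with no schema beneath it, so a malformed target-level precondition is accepted by the API server and only fails when the rule runs; target-level `context` and `preconditions` are both new in this hunk, so the chart's migration notes should mention that they exist and that they are not validated at admission time.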
@@ -11420,6 +12778,10 @@ spec: description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators are: @@ -11458,10 +12820,10 @@ spec: sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic. items: - description: ForEach applies validate rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. + description: ForEachValidation applies validate rules + to a list of sub-elements by creating a context for + each entry in the list and looping over it to apply + the specified logic. properties: anyPattern: description: AnyPattern specifies list of validation 
@@ -11477,30 +12839,74 @@ spec: reference or a APILookup must be provided. properties: apiCall: - description: APICall defines an HTTP request - to the Kubernetes API server. The JSON data - retrieved is stored in the context. + description: APICall is an HTTP request to the + Kubernetes API server, or other JSON web service. + The data returned is stored in the context + with the name for the context entry. properties: + data: + description: Data specifies the POST data + sent to the server. + items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array jmesPath: description: JMESPath is an optional JSON Match Expression that can be used to transform - the JSON response returned from the API - server. For example a JMESPath of "items - | length(@)" applied to the API server - response to the URLPath "/apis/apps/v1/deployments" + the JSON response returned from the server. + For example a JMESPath of "items | length(@)" + applied to the API server response for + the URLPath "/apis/apps/v1/deployments" will return the total count of deployments across all namespaces. type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call to a + JSON web service + properties: + caBundle: + description: CABundle is a PEM encoded + CA bundle which will be used to validate + the server certificate. + type: string + url: + description: URL is the JSON web service + URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object urlPath: description: URLPath is the URL path to - be used in the HTTP GET request to the - Kubernetes API server (e.g. 
"/api/v1/namespaces" + be used in the HTTP GET or POST request + to the Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). The format required is the same format used - by the `kubectl get --raw` command. + by the `kubectl get --raw` command. See + https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. type: string - required: - - urlPath type: object configMap: description: ConfigMap is the ConfigMap reference. @@ -11613,6 +13019,10 @@ spec: description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators @@ -11662,6 +13072,10 @@ spec: description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators @@ -12009,7 +13423,7 @@ spec: description: Version defines the Pod Security Standard versions that Kubernetes supports. Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, - latest. Defaults to latest. + v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 @@ -12018,6 +13432,7 @@ spec: - v1.23 - v1.24 - v1.25 + - v1.26 - latest type: string type: object @@ -12272,6 +13687,10 @@ spec: (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators 
@@ -12323,6 +13742,10 @@ spec: (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators @@ -12586,6 +14009,14 @@ spec: i.e. have matched passed a signature or attestation check. type: boolean + type: + description: Type specifies the method of signature validation. + The allowed options are Cosign and Notary. By default + Cosign is used if a type is not specified. + enum: + - Cosign + - Notary + type: string verifyDigest: default: true description: VerifyDigest validates that images have a 
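Review bot: the new `type` field's description says "By default Cosign is used if a type is not specified", but the schema sets no `default: Cosign`, unlike `verifyDigest` directly below it, which carries `default: true`. Without a schema default the stored object has an empty `type` and the Cosign fallback exists only in controller code; add `default: Cosign` (via `+kubebuilder:default=Cosign` upstream) so the defaulting is visible in the CRD and survives a future change of the code default. The same applies to the second `type` hunk later in this file.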
@@ -12628,6 +14059,54 @@ spec: - Audit - Enforce type: string + namespaceSelector: + description: A label selector is a label query over a set of + resources. The result of matchLabels and matchExpressions + are ANDed. An empty label selector matches all objects. A + null label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists or + DoesNotExist, the values array must be empty. This + array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is + "key", the operator is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic namespaces: items: type: string 
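Review bot: the `namespaceSelector` description is the generic Kubernetes LabelSelector text ("A label selector is a label query over a set of resources") and never says what it selects in this position. Sitting next to the `namespaces` string list and directly after the Audit/Enforce enum, it evidently picks the namespaces to which the overridden action applies, so the description should say that. Worth a caveat in the chart docs as well: once the override action can be chosen by namespace label, anyone allowed to label a namespace can move it from Enforce to Audit, so RBAC on namespace labels becomes part of the enforcement boundary.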
@@ -12667,28 +14146,71 @@ spec: APILookup must be provided. properties: apiCall: - description: APICall defines an HTTP request to the - Kubernetes API server. The JSON data retrieved is - stored in the context. + description: APICall is an HTTP request to the Kubernetes + API server, or other JSON web service. The data + returned is stored in the context with the name + for the context entry. properties: + data: + description: Data specifies the POST data sent + to the server. + items: + description: RequestData contains the HTTP POST + data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array jmesPath: description: JMESPath is an optional JSON Match Expression that can be used to transform the - JSON response returned from the API server. - For example a JMESPath of "items | length(@)" - applied to the API server response to the URLPath - "/apis/apps/v1/deployments" will return the - total count of deployments across all namespaces. + JSON response returned from the server. For + example a JMESPath of "items | length(@)" applied + to the API server response for the URLPath "/apis/apps/v1/deployments" + will return the total count of deployments across + all namespaces. type: string + method: + default: GET + description: Method is the HTTP request type (GET + or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call to a JSON + web service + properties: + caBundle: + description: CABundle is a PEM encoded CA + bundle which will be used to validate the + server certificate. + type: string + url: + description: URL is the JSON web service URL. + A typical form is `https://{service}.{namespace}:{port}/{path}`. 
+ type: string + required: + - url + type: object urlPath: description: URLPath is the URL path to be used - in the HTTP GET request to the Kubernetes API - server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + in the HTTP GET or POST request to the Kubernetes + API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). The format required is the same format used - by the `kubectl get --raw` command. + by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. type: string - required: - - urlPath type: object configMap: description: ConfigMap is the ConfigMap reference. @@ -12866,6 +14388,22 @@ spec: items: type: string type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support @@ -13091,6 +14629,22 @@ spec: items: type: string type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support 
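Review bot: the `apiCall` hunk drops `required: - urlPath` so that `service.url` can be used instead, but the schema now requires neither: an entry with no `urlPath` and no `service` (or with both) passes CRD validation and can only be rejected when the policy is evaluated. A `oneOf` over `urlPath`/`service`, or an `x-kubernetes-validations` rule, would restore the admission-time check; the same block recurs in every other `apiCall` hunk in this file. Also flag in the migration notes that with `method: POST`, `data:` and `service.url`, anyone who may create a Policy or ClusterPolicy can have the admission controller send request data to an arbitrary URL; `caBundle` is optional and the schema does not constrain the URL scheme, so RBAC on policy objects is the only control.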
@@ -13310,6 +14864,21 @@ spec: items: type: string type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one of + the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard @@ -13530,6 +15099,15 @@ spec: additionalProperties: items: properties: + jmesPath: + description: 'JMESPath is an optional JMESPath expression + to apply to the image value. This is useful when + the extracted image begins with a prefix like + ''docker://''. The ''trim_prefix'' function may + be used to trim the prefix: trim_prefix(@, ''docker://''). + Note - Image digest mutation may not be used when + applying a JMESPAth to an image.' + type: string key: description: Key is an optional name of the field within 'path' that will be used to uniquely identify @@ -13683,6 +15261,22 @@ spec: items: type: string type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support 
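Review bot: the image extractor `jmesPath` description spells "JMESPAth" in its last sentence. More importantly, that sentence states a behavioural restriction, "Image digest mutation may not be used when applying a JMESPath to an image", that a chart user will only find by reading the CRD; it belongs in the chart's migration notes alongside the other behaviour changes in this version.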
@@ -13908,6 +15502,22 @@ spec: items: type: string type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support @@ -14127,6 +15737,21 @@ spec: items: type: string type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one of + the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard @@ -14239,10 +15864,10 @@ spec: in the list and looping over it to apply the specified logic. items: - description: ForEach applies mutation rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. + description: ForEachMutation applies mutation rules + to a list of sub-elements by creating a context + for each entry in the list and looping over it to + apply the specified logic. properties: context: description: Context defines variables and data 
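Review bot: the `operations` description string is missing the closing quote after CREATE: `["CREATE, "UPDATE", "CONNECT", "DELETE"]`. It is repeated verbatim in every `operations` hunk in this file, so fix the Go doc comment upstream and regenerate instead of patching the rendered template. The enum lists the same four values in a different order (CREATE, CONNECT, UPDATE, DELETE), which is harmless but makes the description and enum easy to mis-compare.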
@@ -14253,31 +15878,78 @@ spec: reference or a APILookup must be provided. properties: apiCall: - description: APICall defines an HTTP request - to the Kubernetes API server. The JSON - data retrieved is stored in the context. + description: APICall is an HTTP request + to the Kubernetes API server, or other + JSON web service. The data returned is + stored in the context with the name for + the context entry. properties: + data: + description: Data specifies the POST + data sent to the server. + items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array jmesPath: description: JMESPath is an optional JSON Match Expression that can be used to transform the JSON response - returned from the API server. For - example a JMESPath of "items | length(@)" + returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response - to the URLPath "/apis/apps/v1/deployments" + for the URLPath "/apis/apps/v1/deployments" will return the total count of deployments across all namespaces. type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call + to a JSON web service + properties: + caBundle: + description: CABundle is a PEM encoded + CA bundle which will be used to + validate the server certificate. + type: string + url: + description: URL is the JSON web + service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object urlPath: description: URLPath is the URL path - to be used in the HTTP GET request - to the Kubernetes API server (e.g. - "/api/v1/namespaces" or "/apis/apps/v1/deployments"). 
+ to be used in the HTTP GET or POST + request to the Kubernetes API server + (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. type: string - required: - - urlPath type: object configMap: description: ConfigMap is the ConfigMap @@ -14349,6 +16021,15 @@ spec: that results in one or more elements to which the validation logic is applied. type: string + order: + description: Order defines the iteration order + on the list. Can be Ascending to iterate from + first to last element or Descending to iterate + in from last to first element. + enum: + - Ascending + - Descending + type: string patchStrategicMerge: description: PatchStrategicMerge is a strategic merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ @@ -14382,6 +16063,10 @@ spec: (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators @@ -14433,6 +16118,10 @@ spec: (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators 
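Review bot: in the `order` hunk the description reads "Descending to iterate in from last to first element"; drop the stray "in". The earlier `order` hunk for the other ForEach block carries the same text, so correct the Go doc comment upstream rather than the template.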
@@ -14486,10 +16175,155 @@ spec: description: Targets defines the target resources to be mutated. items: + description: TargetResourceSpec defines targets for + mutating existing resources. properties: apiVersion: description: APIVersion specifies resource apiVersion. type: string + context: + description: Context defines variables and data + sources that can be used during rule execution. + items: + description: ContextEntry adds variables and + data sources to a rule Context. Either a ConfigMap + reference or a APILookup must be provided. + properties: + apiCall: + description: APICall is an HTTP request + to the Kubernetes API server, or other + JSON web service. The data returned is + stored in the context with the name for + the context entry. + properties: + data: + description: Data specifies the POST + data sent to the server. + items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: JMESPath is an optional + JSON Match Expression that can be + used to transform the JSON response + returned from the server. For example + a JMESPath of "items | length(@)" + applied to the API server response + for the URLPath "/apis/apps/v1/deployments" + will return the total count of deployments + across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call + to a JSON web service + properties: + caBundle: + description: CABundle is a PEM encoded + CA bundle which will be used to + validate the server certificate. + type: string + url: + description: URL is the JSON web + service URL. 
A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: URLPath is the URL path + to be used in the HTTP GET or POST + request to the Kubernetes API server + (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format + used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap + reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + imageRegistry: + description: ImageRegistry defines requests + to an OCI/Docker V2 registry to fetch + image details. + properties: + jmesPath: + description: JMESPath is an optional + JSON Match Expression that can be + used to transform the ImageData struct + returned as a result of processing + the image reference. + type: string + reference: + description: 'Reference is image reference + to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest' + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary + JMESPath context variable that can be + defined inline. + properties: + default: + description: Default is an optional + arbitrary JSON object that the variable + may take if the JMESPath expression + evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: JMESPath is an optional + JMESPath Expression that can be used + to transform the variable. + type: string + value: + description: Value is any arbitrary + JSON object representable in YAML + or JSON form. 
+ x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array kind: description: Kind specifies resource kind. type: string @@ -14499,6 +16333,16 @@ spec: namespace: description: Namespace specifies resource namespace. type: string + preconditions: + description: 'Preconditions are used to determine + if a policy rule should be applied by evaluating + a set of conditions. The declaration can contain + nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements + is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/' + x-kubernetes-preserve-unknown-fields: true type: object type: array type: object @@ -14542,10 +16386,10 @@ spec: in the list and looping over it to apply the specified logic. items: - description: ForEach applies validate rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. + description: ForEachValidation applies validate rules + to a list of sub-elements by creating a context + for each entry in the list and looping over it to + apply the specified logic. properties: anyPattern: description: AnyPattern specifies list of validation 
@@ -14561,31 +16405,78 @@ spec: reference or a APILookup must be provided. properties: apiCall: - description: APICall defines an HTTP request - to the Kubernetes API server. The JSON - data retrieved is stored in the context. + description: APICall is an HTTP request + to the Kubernetes API server, or other + JSON web service. The data returned is + stored in the context with the name for + the context entry. properties: + data: + description: Data specifies the POST + data sent to the server. + items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array jmesPath: description: JMESPath is an optional JSON Match Expression that can be used to transform the JSON response - returned from the API server. For - example a JMESPath of "items | length(@)" + returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response - to the URLPath "/apis/apps/v1/deployments" + for the URLPath "/apis/apps/v1/deployments" will return the total count of deployments across all namespaces. type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call + to a JSON web service + properties: + caBundle: + description: CABundle is a PEM encoded + CA bundle which will be used to + validate the server certificate. + type: string + url: + description: URL is the JSON web + service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object urlPath: description: URLPath is the URL path - to be used in the HTTP GET request - to the Kubernetes API server (e.g. - "/api/v1/namespaces" or "/apis/apps/v1/deployments"). 
+ to be used in the HTTP GET or POST + request to the Kubernetes API server + (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. type: string - required: - - urlPath type: object configMap: description: ConfigMap is the ConfigMap @@ -14704,6 +16595,10 @@ spec: (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators @@ -14755,6 +16650,10 @@ spec: (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators @@ -15114,7 +17013,7 @@ spec: description: Version defines the Pod Security Standard versions that Kubernetes supports. Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, - v1.25, latest. Defaults to latest. + v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 @@ -15123,6 +17022,7 @@ spec: - v1.23 - v1.24 - v1.25 + - v1.26 - latest type: string type: object @@ -15412,6 +17312,10 @@ spec: entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators 
@@ -15464,6 +17368,10 @@ spec: entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators @@ -15761,6 +17669,14 @@ spec: signing, for example an email address Deprecated. Use KeylessAttestor instead. type: string + type: + description: Type specifies the method of signature + validation. The allowed options are Cosign and Notary. + By default Cosign is used if a type is not specified. + enum: + - Cosign + - Notary + type: string verifyDigest: default: true description: VerifyDigest validates that images have 
@@ -15881,200 +17797,12 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.1 + controller-gen.kubebuilder.io/version: v0.11.3 {{- with .Values.crds.annotations }} {{- toYaml . | nindent 4 }} {{- end }} labels: - {{- include "kyverno.crdLabels" . | nindent 4 }} - name: generaterequests.kyverno.io -spec: - group: kyverno.io - names: - kind: GenerateRequest - listKind: GenerateRequestList - plural: generaterequests - shortNames: - - gr - singular: generaterequest - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.policy - name: Policy - type: string - - jsonPath: .spec.resource.kind - name: ResourceKind - type: string - - jsonPath: .spec.resource.name - name: ResourceName - type: string - - jsonPath: .spec.resource.namespace - name: ResourceNamespace - type: string - - jsonPath: .status.state - name: status - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: GenerateRequest is a request to process generate rule. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Spec is the information to identify the generate request. - properties: - context: - description: Context ... 
- properties: - admissionRequestInfo: - description: AdmissionRequestInfoObject stores the admission request - and operation details - properties: - admissionRequest: - type: string - operation: - description: Operation is the type of resource operation being - checked for admission control - type: string - type: object - userInfo: - description: RequestInfo contains permission info carried in an - admission request. - properties: - clusterRoles: - description: ClusterRoles is a list of possible clusterRoles - send the request. - items: - type: string - nullable: true - type: array - roles: - description: Roles is a list of possible role send the request. - items: - type: string - nullable: true - type: array - userInfo: - description: UserInfo is the userInfo carried in the admission - request. - properties: - extra: - additionalProperties: - description: ExtraValue masks the value so protobuf - can generate - items: - type: string - type: array - description: Any additional information provided by the - authenticator. - type: object - groups: - description: The names of groups this user is a part of. - items: - type: string - type: array - uid: - description: A unique value that identifies this user - across time. If this user is deleted and another user - by the same name is added, they will have different - UIDs. - type: string - username: - description: The name that uniquely identifies this user - among all active users. - type: string - type: object - type: object - type: object - policy: - description: Specifies the name of the policy. - type: string - resource: - description: ResourceSpec is the information to identify the generate - request. - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. 
- type: string - type: object - required: - - context - - policy - - resource - type: object - status: - description: Status contains statistics related to generate request. - properties: - generatedResources: - description: This will track the resources that are generated by the - generate Policy. Will be used during clean up resources. - items: - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - type: object - type: array - message: - description: Specifies request status message. - type: string - state: - description: State represents state of the generate request. - type: string - required: - - state - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - {{- with .Values.crds.annotations }} - {{- toYaml . | nindent 4 }} - {{- end }} - labels: - {{- include "kyverno.crdLabels" . | nindent 4 }} + {{- include "kyverno.crds.labels" . | nindent 4 }} name: policies.kyverno.io spec: group: kyverno.io @@ -16100,9 +17828,9 @@ spec: name: Failure Policy priority: 1 type: string - - jsonPath: .status.ready + - jsonPath: .status.conditions[?(@.type == "Ready")].status name: Ready - type: boolean + type: string - jsonPath: .metadata.creationTimestamp name: Age type: date @@ -16122,6 +17850,9 @@ spec: name: Verifyimages priority: 1 type: integer + - jsonPath: .status.conditions[?(@.type == "Ready")].message + name: MESSAGE + type: string name: v1 schema: openAPIV3Schema: 
@@ -16172,11 +17903,14 @@ spec: - Ignore - Fail type: string + generateExisting: + description: GenerateExisting controls whether to trigger generate + rule in existing resources If is set to "true" generate rule will + be triggered and applied to existing matched resources. Defaults + to "false" if not specified. + type: boolean generateExistingOnPolicyUpdate: - description: GenerateExistingOnPolicyUpdate controls whether to trigger - generate rule in existing resources If is set to "true" generate - rule will be triggered and applied to existing matched resources. - Defaults to "false" if not specified. + description: Deprecated, use generateExisting instead type: boolean mutateExistingOnPolicyUpdate: description: MutateExistingOnPolicyUpdate controls if a mutateExisting 
@@ -16200,28 +17934,70 @@ spec: must be provided. properties: apiCall: - description: APICall defines an HTTP request to the Kubernetes - API server. The JSON data retrieved is stored in the - context. + description: APICall is an HTTP request to the Kubernetes + API server, or other JSON web service. The data returned + is stored in the context with the name for the context + entry. properties: + data: + description: Data specifies the POST data sent to + the server. + items: + description: RequestData contains the HTTP POST + data + properties: + key: + description: Key is a unique identifier for + the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array jmesPath: description: JMESPath is an optional JSON Match Expression that can be used to transform the JSON response - returned from the API server. For example a JMESPath + returned from the server. For example a JMESPath of "items | length(@)" applied to the API server - response to the URLPath "/apis/apps/v1/deployments" + response for the URLPath "/apis/apps/v1/deployments" will return the total count of deployments across all namespaces. type: string + method: + default: GET + description: Method is the HTTP request type (GET + or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call to a JSON web + service + properties: + caBundle: + description: CABundle is a PEM encoded CA bundle + which will be used to validate the server certificate. + type: string + url: + description: URL is the JSON web service URL. + A typical form is `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object urlPath: description: URLPath is the URL path to be used in - the HTTP GET request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). 
+ the HTTP GET or POST request to the Kubernetes API + server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). The format required is the same format used by the - `kubectl get --raw` command. + `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. type: string - required: - - urlPath type: object configMap: description: ConfigMap is the ConfigMap reference. @@ -16393,6 +18169,21 @@ spec: items: type: string type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support the @@ -16611,6 +18402,21 @@ spec: items: type: string type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support the 
@@ -16817,6 +18623,21 @@ spec: items: type: string type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters @@ -17024,6 +18845,15 @@ spec: additionalProperties: items: properties: + jmesPath: + description: 'JMESPath is an optional JMESPath expression + to apply to the image value. This is useful when the + extracted image begins with a prefix like ''docker://''. + The ''trim_prefix'' function may be used to trim the + prefix: trim_prefix(@, ''docker://''). Note - Image + digest mutation may not be used when applying a JMESPAth + to an image.' + type: string key: description: Key is an optional name of the field within 'path' that will be used to uniquely identify an image. @@ -17174,6 +19004,21 @@ spec: items: type: string type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support the 
@@ -17392,6 +19237,21 @@ spec: items: type: string type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support the @@ -17598,6 +19458,21 @@ spec: items: type: string type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters @@ -17704,9 +19579,9 @@ spec: sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic. items: - description: ForEach applies mutation rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified + description: ForEachMutation applies mutation rules to + a list of sub-elements by creating a context for each + entry in the list and looping over it to apply the specified logic. properties: context: 
@@ -17718,30 +19593,74 @@ spec: reference or a APILookup must be provided. properties: apiCall: - description: APICall defines an HTTP request - to the Kubernetes API server. The JSON data - retrieved is stored in the context. + description: APICall is an HTTP request to the + Kubernetes API server, or other JSON web service. + The data returned is stored in the context + with the name for the context entry. properties: + data: + description: Data specifies the POST data + sent to the server. + items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array jmesPath: description: JMESPath is an optional JSON Match Expression that can be used to transform - the JSON response returned from the API - server. For example a JMESPath of "items - | length(@)" applied to the API server - response to the URLPath "/apis/apps/v1/deployments" + the JSON response returned from the server. + For example a JMESPath of "items | length(@)" + applied to the API server response for + the URLPath "/apis/apps/v1/deployments" will return the total count of deployments across all namespaces. type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call to a + JSON web service + properties: + caBundle: + description: CABundle is a PEM encoded + CA bundle which will be used to validate + the server certificate. + type: string + url: + description: URL is the JSON web service + URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object urlPath: description: URLPath is the URL path to - be used in the HTTP GET request to the - Kubernetes API server (e.g. 
"/api/v1/namespaces" + be used in the HTTP GET or POST request + to the Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). The format required is the same format used - by the `kubectl get --raw` command. + by the `kubectl get --raw` command. See + https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. type: string - required: - - urlPath type: object configMap: description: ConfigMap is the ConfigMap reference. @@ -17808,6 +19727,15 @@ spec: that results in one or more elements to which the validation logic is applied. type: string + order: + description: Order defines the iteration order on + the list. Can be Ascending to iterate from first + to last element or Descending to iterate in from + last to first element. + enum: + - Ascending + - Descending + type: string patchStrategicMerge: description: PatchStrategicMerge is a strategic merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ @@ -17839,6 +19767,10 @@ spec: description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators @@ -17888,6 +19820,10 @@ spec: description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators 
@@ -17940,10 +19876,147 @@ spec: description: Targets defines the target resources to be mutated. items: + description: TargetResourceSpec defines targets for mutating + existing resources. properties: apiVersion: description: APIVersion specifies resource apiVersion. type: string + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: ContextEntry adds variables and data + sources to a rule Context. Either a ConfigMap + reference or a APILookup must be provided. + properties: + apiCall: + description: APICall is an HTTP request to the + Kubernetes API server, or other JSON web service. + The data returned is stored in the context + with the name for the context entry. + properties: + data: + description: Data specifies the POST data + sent to the server. + items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: JMESPath is an optional JSON + Match Expression that can be used to transform + the JSON response returned from the server. + For example a JMESPath of "items | length(@)" + applied to the API server response for + the URLPath "/apis/apps/v1/deployments" + will return the total count of deployments + across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call to a + JSON web service + properties: + caBundle: + description: CABundle is a PEM encoded + CA bundle which will be used to validate + the server certificate. + type: string + url: + description: URL is the JSON web service + URL. 
A typical form is `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: URLPath is the URL path to + be used in the HTTP GET or POST request + to the Kubernetes API server (e.g. "/api/v1/namespaces" + or "/apis/apps/v1/deployments"). The + format required is the same format used + by the `kubectl get --raw` command. See + https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + imageRegistry: + description: ImageRegistry defines requests + to an OCI/Docker V2 registry to fetch image + details. + properties: + jmesPath: + description: JMESPath is an optional JSON + Match Expression that can be used to transform + the ImageData struct returned as a result + of processing the image reference. + type: string + reference: + description: 'Reference is image reference + to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest' + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: Default is an optional arbitrary + JSON object that the variable may take + if the JMESPath expression evaluates to + nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: JMESPath is an optional JMESPath + Expression that can be used to transform + the variable. + type: string + value: + description: Value is any arbitrary JSON + object representable in YAML or JSON form. 
+ x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array kind: description: Kind specifies resource kind. type: string @@ -17953,6 +20026,15 @@ spec: namespace: description: Namespace specifies resource namespace. type: string + preconditions: + description: 'Preconditions are used to determine + if a policy rule should be applied by evaluating + a set of conditions. The declaration can contain + nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements + is supported for backwards compatibility but will + be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + x-kubernetes-preserve-unknown-fields: true type: object type: array type: object @@ -17994,10 +20076,10 @@ spec: sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic. items: - description: ForEach applies validate rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. + description: ForEachValidation applies validate rules + to a list of sub-elements by creating a context for + each entry in the list and looping over it to apply + the specified logic. properties: anyPattern: description: AnyPattern specifies list of validation 
@@ -18013,30 +20095,74 @@ spec: reference or a APILookup must be provided. properties: apiCall: - description: APICall defines an HTTP request - to the Kubernetes API server. The JSON data - retrieved is stored in the context. + description: APICall is an HTTP request to the + Kubernetes API server, or other JSON web service. + The data returned is stored in the context + with the name for the context entry. properties: + data: + description: Data specifies the POST data + sent to the server. + items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array jmesPath: description: JMESPath is an optional JSON Match Expression that can be used to transform - the JSON response returned from the API - server. For example a JMESPath of "items - | length(@)" applied to the API server - response to the URLPath "/apis/apps/v1/deployments" + the JSON response returned from the server. + For example a JMESPath of "items | length(@)" + applied to the API server response for + the URLPath "/apis/apps/v1/deployments" will return the total count of deployments across all namespaces. type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call to a + JSON web service + properties: + caBundle: + description: CABundle is a PEM encoded + CA bundle which will be used to validate + the server certificate. + type: string + url: + description: URL is the JSON web service + URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object urlPath: description: URLPath is the URL path to - be used in the HTTP GET request to the - Kubernetes API server (e.g. 
"/api/v1/namespaces" + be used in the HTTP GET or POST request + to the Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). The format required is the same format used - by the `kubectl get --raw` command. + by the `kubectl get --raw` command. See + https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. type: string - required: - - urlPath type: object configMap: description: ConfigMap is the ConfigMap reference. @@ -18149,6 +20275,10 @@ spec: description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators @@ -18198,6 +20328,10 @@ spec: description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators @@ -18545,7 +20679,7 @@ spec: description: Version defines the Pod Security Standard versions that Kubernetes supports. Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, - latest. Defaults to latest. + v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 @@ -18554,6 +20688,7 @@ spec: - v1.23 - v1.24 - v1.25 + - v1.26 - latest type: string type: object @@ -18823,6 +20958,10 @@ spec: (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators 
@@ -18874,6 +21013,10 @@ spec: (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators @@ -19162,6 +21305,14 @@ spec: signing, for example an email address Deprecated. Use KeylessAttestor instead. type: string + type: + description: Type specifies the method of signature validation. + The allowed options are Cosign and Notary. By default + Cosign is used if a type is not specified. + enum: + - Cosign + - Notary + type: string verifyDigest: default: true description: VerifyDigest validates that images have a 
@@ -19204,6 +21355,54 @@ spec: - Audit - Enforce type: string + namespaceSelector: + description: A label selector is a label query over a set of + resources. The result of matchLabels and matchExpressions + are ANDed. An empty label selector matches all objects. A + null label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists or + DoesNotExist, the values array must be empty. This + array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is + "key", the operator is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic namespaces: items: type: string 
@@ -19244,28 +21443,71 @@ spec: APILookup must be provided. properties: apiCall: - description: APICall defines an HTTP request to the - Kubernetes API server. The JSON data retrieved is - stored in the context. + description: APICall is an HTTP request to the Kubernetes + API server, or other JSON web service. The data + returned is stored in the context with the name + for the context entry. properties: + data: + description: Data specifies the POST data sent + to the server. + items: + description: RequestData contains the HTTP POST + data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array jmesPath: description: JMESPath is an optional JSON Match Expression that can be used to transform the - JSON response returned from the API server. - For example a JMESPath of "items | length(@)" - applied to the API server response to the URLPath - "/apis/apps/v1/deployments" will return the - total count of deployments across all namespaces. + JSON response returned from the server. For + example a JMESPath of "items | length(@)" applied + to the API server response for the URLPath "/apis/apps/v1/deployments" + will return the total count of deployments across + all namespaces. type: string + method: + default: GET + description: Method is the HTTP request type (GET + or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call to a JSON + web service + properties: + caBundle: + description: CABundle is a PEM encoded CA + bundle which will be used to validate the + server certificate. + type: string + url: + description: URL is the JSON web service URL. + A typical form is `https://{service}.{namespace}:{port}/{path}`. 
+ type: string + required: + - url + type: object urlPath: description: URLPath is the URL path to be used - in the HTTP GET request to the Kubernetes API - server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + in the HTTP GET or POST request to the Kubernetes + API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). The format required is the same format used - by the `kubectl get --raw` command. + by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. type: string - required: - - urlPath type: object configMap: description: ConfigMap is the ConfigMap reference. @@ -19443,6 +21685,22 @@ spec: items: type: string type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support @@ -19668,6 +21926,22 @@ spec: items: type: string type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support 
@@ -19887,6 +22161,21 @@ spec: items: type: string type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one of + the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard @@ -20107,6 +22396,15 @@ spec: additionalProperties: items: properties: + jmesPath: + description: 'JMESPath is an optional JMESPath expression + to apply to the image value. This is useful when + the extracted image begins with a prefix like + ''docker://''. The ''trim_prefix'' function may + be used to trim the prefix: trim_prefix(@, ''docker://''). + Note - Image digest mutation may not be used when + applying a JMESPAth to an image.' + type: string key: description: Key is an optional name of the field within 'path' that will be used to uniquely identify @@ -20260,6 +22558,22 @@ spec: items: type: string type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support 
@@ -20485,6 +22799,22 @@ spec: items: type: string type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support @@ -20704,6 +23034,21 @@ spec: items: type: string type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one of + the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard @@ -20816,10 +23161,10 @@ spec: in the list and looping over it to apply the specified logic. items: - description: ForEach applies mutation rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. + description: ForEachMutation applies mutation rules + to a list of sub-elements by creating a context + for each entry in the list and looping over it to + apply the specified logic. properties: context: description: Context defines variables and data 
@@ -20830,31 +23175,78 @@ spec: reference or a APILookup must be provided. properties: apiCall: - description: APICall defines an HTTP request - to the Kubernetes API server. The JSON - data retrieved is stored in the context. + description: APICall is an HTTP request + to the Kubernetes API server, or other + JSON web service. The data returned is + stored in the context with the name for + the context entry. properties: + data: + description: Data specifies the POST + data sent to the server. + items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array jmesPath: description: JMESPath is an optional JSON Match Expression that can be used to transform the JSON response - returned from the API server. For - example a JMESPath of "items | length(@)" + returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response - to the URLPath "/apis/apps/v1/deployments" + for the URLPath "/apis/apps/v1/deployments" will return the total count of deployments across all namespaces. type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call + to a JSON web service + properties: + caBundle: + description: CABundle is a PEM encoded + CA bundle which will be used to + validate the server certificate. + type: string + url: + description: URL is the JSON web + service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object urlPath: description: URLPath is the URL path - to be used in the HTTP GET request - to the Kubernetes API server (e.g. - "/api/v1/namespaces" or "/apis/apps/v1/deployments"). 
+ to be used in the HTTP GET or POST + request to the Kubernetes API server + (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. type: string - required: - - urlPath type: object configMap: description: ConfigMap is the ConfigMap @@ -20926,6 +23318,15 @@ spec: that results in one or more elements to which the validation logic is applied. type: string + order: + description: Order defines the iteration order + on the list. Can be Ascending to iterate from + first to last element or Descending to iterate + in from last to first element. + enum: + - Ascending + - Descending + type: string patchStrategicMerge: description: PatchStrategicMerge is a strategic merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ @@ -20959,6 +23360,10 @@ spec: (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators @@ -21010,6 +23415,10 @@ spec: (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators 
@@ -21063,10 +23472,155 @@ spec: description: Targets defines the target resources to be mutated. items: + description: TargetResourceSpec defines targets for + mutating existing resources. properties: apiVersion: description: APIVersion specifies resource apiVersion. type: string + context: + description: Context defines variables and data + sources that can be used during rule execution. + items: + description: ContextEntry adds variables and + data sources to a rule Context. Either a ConfigMap + reference or a APILookup must be provided. + properties: + apiCall: + description: APICall is an HTTP request + to the Kubernetes API server, or other + JSON web service. The data returned is + stored in the context with the name for + the context entry. + properties: + data: + description: Data specifies the POST + data sent to the server. + items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: JMESPath is an optional + JSON Match Expression that can be + used to transform the JSON response + returned from the server. For example + a JMESPath of "items | length(@)" + applied to the API server response + for the URLPath "/apis/apps/v1/deployments" + will return the total count of deployments + across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call + to a JSON web service + properties: + caBundle: + description: CABundle is a PEM encoded + CA bundle which will be used to + validate the server certificate. + type: string + url: + description: URL is the JSON web + service URL. 
A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: URLPath is the URL path + to be used in the HTTP GET or POST + request to the Kubernetes API server + (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format + used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap + reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + imageRegistry: + description: ImageRegistry defines requests + to an OCI/Docker V2 registry to fetch + image details. + properties: + jmesPath: + description: JMESPath is an optional + JSON Match Expression that can be + used to transform the ImageData struct + returned as a result of processing + the image reference. + type: string + reference: + description: 'Reference is image reference + to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest' + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary + JMESPath context variable that can be + defined inline. + properties: + default: + description: Default is an optional + arbitrary JSON object that the variable + may take if the JMESPath expression + evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: JMESPath is an optional + JMESPath Expression that can be used + to transform the variable. + type: string + value: + description: Value is any arbitrary + JSON object representable in YAML + or JSON form. 
+ x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array kind: description: Kind specifies resource kind. type: string @@ -21076,6 +23630,16 @@ spec: namespace: description: Namespace specifies resource namespace. type: string + preconditions: + description: 'Preconditions are used to determine + if a policy rule should be applied by evaluating + a set of conditions. The declaration can contain + nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements + is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/' + x-kubernetes-preserve-unknown-fields: true type: object type: array type: object @@ -21119,10 +23683,10 @@ spec: in the list and looping over it to apply the specified logic. items: - description: ForEach applies validate rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. + description: ForEachValidation applies validate rules + to a list of sub-elements by creating a context + for each entry in the list and looping over it to + apply the specified logic. properties: anyPattern: description: AnyPattern specifies list of validation 
@@ -21138,31 +23702,78 @@ spec: reference or a APILookup must be provided. properties: apiCall: - description: APICall defines an HTTP request - to the Kubernetes API server. The JSON - data retrieved is stored in the context. + description: APICall is an HTTP request + to the Kubernetes API server, or other + JSON web service. The data returned is + stored in the context with the name for + the context entry. properties: + data: + description: Data specifies the POST + data sent to the server. + items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array jmesPath: description: JMESPath is an optional JSON Match Expression that can be used to transform the JSON response - returned from the API server. For - example a JMESPath of "items | length(@)" + returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response - to the URLPath "/apis/apps/v1/deployments" + for the URLPath "/apis/apps/v1/deployments" will return the total count of deployments across all namespaces. type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call + to a JSON web service + properties: + caBundle: + description: CABundle is a PEM encoded + CA bundle which will be used to + validate the server certificate. + type: string + url: + description: URL is the JSON web + service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object urlPath: description: URLPath is the URL path - to be used in the HTTP GET request - to the Kubernetes API server (e.g. - "/api/v1/namespaces" or "/apis/apps/v1/deployments"). 
+ to be used in the HTTP GET or POST + request to the Kubernetes API server + (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. type: string - required: - - urlPath type: object configMap: description: ConfigMap is the ConfigMap @@ -21281,6 +23892,10 @@ spec: (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators @@ -21332,6 +23947,10 @@ spec: (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators @@ -21691,7 +24310,7 @@ spec: description: Version defines the Pod Security Standard versions that Kubernetes supports. Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, - v1.25, latest. Defaults to latest. + v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 @@ -21700,6 +24319,7 @@ spec: - v1.23 - v1.24 - v1.25 + - v1.26 - latest type: string type: object @@ -21989,6 +24609,10 @@ spec: entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators 
@@ -22041,6 +24665,10 @@ spec: entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators @@ -22338,6 +24966,14 @@ spec: signing, for example an email address Deprecated. Use KeylessAttestor instead. type: string + type: + description: Type specifies the method of signature + validation. The allowed options are Cosign and Notary. + By default Cosign is used if a type is not specified. + enum: + - Cosign + - Notary + type: string verifyDigest: default: true description: VerifyDigest validates that images have @@ -22464,9 +25100,9 @@ spec: name: Failure Policy priority: 1 type: string - - jsonPath: .status.ready + - jsonPath: .status.conditions[?(@.type == "Ready")].status name: Ready - type: boolean + type: string - jsonPath: .metadata.creationTimestamp name: Age type: date @@ -22486,6 +25122,9 @@ spec: name: Verifyimages priority: 1 type: integer + - jsonPath: .status.conditions[?(@.type == "Ready")].message + name: MESSAGE + type: string name: v2beta1 schema: openAPIV3Schema: @@ -22535,11 +25174,14 @@ spec: - Ignore - Fail type: string + generateExisting: + description: GenerateExisting controls whether to trigger generate + rule in existing resources If is set to "true" generate rule will + be triggered and applied to existing matched resources. Defaults + to "false" if not specified. + type: boolean generateExistingOnPolicyUpdate: - description: GenerateExistingOnPolicyUpdate controls whether to trigger - generate rule in existing resources If is set to "true" generate - rule will be triggered and applied to existing matched resources. - Defaults to "false" if not specified. + description: Deprecated, use generateExisting instead type: boolean mutateExistingOnPolicyUpdate: description: MutateExistingOnPolicyUpdate controls if a mutateExisting 
@@ -22563,28 +25205,70 @@ spec: must be provided. properties: apiCall: - description: APICall defines an HTTP request to the Kubernetes - API server. The JSON data retrieved is stored in the - context. + description: APICall is an HTTP request to the Kubernetes + API server, or other JSON web service. The data returned + is stored in the context with the name for the context + entry. properties: + data: + description: Data specifies the POST data sent to + the server. + items: + description: RequestData contains the HTTP POST + data + properties: + key: + description: Key is a unique identifier for + the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array jmesPath: description: JMESPath is an optional JSON Match Expression that can be used to transform the JSON response - returned from the API server. For example a JMESPath + returned from the server. For example a JMESPath of "items | length(@)" applied to the API server - response to the URLPath "/apis/apps/v1/deployments" + response for the URLPath "/apis/apps/v1/deployments" will return the total count of deployments across all namespaces. type: string + method: + default: GET + description: Method is the HTTP request type (GET + or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call to a JSON web + service + properties: + caBundle: + description: CABundle is a PEM encoded CA bundle + which will be used to validate the server certificate. + type: string + url: + description: URL is the JSON web service URL. + A typical form is `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object urlPath: description: URLPath is the URL path to be used in - the HTTP GET request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). 
+ the HTTP GET or POST request to the Kubernetes API + server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). The format required is the same format used by the - `kubectl get --raw` command. + `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. type: string - required: - - urlPath type: object configMap: description: ConfigMap is the ConfigMap reference. @@ -22756,6 +25440,21 @@ spec: items: type: string type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support the @@ -22974,6 +25673,21 @@ spec: items: type: string type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support the 
@@ -23189,6 +25903,15 @@ spec: additionalProperties: items: properties: + jmesPath: + description: 'JMESPath is an optional JMESPath expression + to apply to the image value. This is useful when the + extracted image begins with a prefix like ''docker://''. + The ''trim_prefix'' function may be used to trim the + prefix: trim_prefix(@, ''docker://''). Note - Image + digest mutation may not be used when applying a JMESPAth + to an image.' + type: string key: description: Key is an optional name of the field within 'path' that will be used to uniquely identify an image. @@ -23339,6 +26062,21 @@ spec: items: type: string type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support the @@ -23557,6 +26295,21 @@ spec: items: type: string type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support the 
@@ -23671,9 +26424,9 @@ spec: sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic. items: - description: ForEach applies mutation rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified + description: ForEachMutation applies mutation rules to + a list of sub-elements by creating a context for each + entry in the list and looping over it to apply the specified logic. properties: context: 
@@ -23685,30 +26438,74 @@ spec: reference or a APILookup must be provided. properties: apiCall: - description: APICall defines an HTTP request - to the Kubernetes API server. The JSON data - retrieved is stored in the context. + description: APICall is an HTTP request to the + Kubernetes API server, or other JSON web service. + The data returned is stored in the context + with the name for the context entry. properties: + data: + description: Data specifies the POST data + sent to the server. + items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array jmesPath: description: JMESPath is an optional JSON Match Expression that can be used to transform - the JSON response returned from the API - server. For example a JMESPath of "items - | length(@)" applied to the API server - response to the URLPath "/apis/apps/v1/deployments" + the JSON response returned from the server. + For example a JMESPath of "items | length(@)" + applied to the API server response for + the URLPath "/apis/apps/v1/deployments" will return the total count of deployments across all namespaces. type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call to a + JSON web service + properties: + caBundle: + description: CABundle is a PEM encoded + CA bundle which will be used to validate + the server certificate. + type: string + url: + description: URL is the JSON web service + URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object urlPath: description: URLPath is the URL path to - be used in the HTTP GET request to the - Kubernetes API server (e.g. 
"/api/v1/namespaces" + be used in the HTTP GET or POST request + to the Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). The format required is the same format used - by the `kubectl get --raw` command. + by the `kubectl get --raw` command. See + https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. type: string - required: - - urlPath type: object configMap: description: ConfigMap is the ConfigMap reference. @@ -23775,6 +26572,15 @@ spec: that results in one or more elements to which the validation logic is applied. type: string + order: + description: Order defines the iteration order on + the list. Can be Ascending to iterate from first + to last element or Descending to iterate in from + last to first element. + enum: + - Ascending + - Descending + type: string patchStrategicMerge: description: PatchStrategicMerge is a strategic merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ @@ -23806,6 +26612,10 @@ spec: description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators @@ -23855,6 +26665,10 @@ spec: description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators 
@@ -23907,10 +26721,147 @@ spec: description: Targets defines the target resources to be mutated. items: + description: TargetResourceSpec defines targets for mutating + existing resources. properties: apiVersion: description: APIVersion specifies resource apiVersion. type: string + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: ContextEntry adds variables and data + sources to a rule Context. Either a ConfigMap + reference or a APILookup must be provided. + properties: + apiCall: + description: APICall is an HTTP request to the + Kubernetes API server, or other JSON web service. + The data returned is stored in the context + with the name for the context entry. + properties: + data: + description: Data specifies the POST data + sent to the server. + items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: JMESPath is an optional JSON + Match Expression that can be used to transform + the JSON response returned from the server. + For example a JMESPath of "items | length(@)" + applied to the API server response for + the URLPath "/apis/apps/v1/deployments" + will return the total count of deployments + across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call to a + JSON web service + properties: + caBundle: + description: CABundle is a PEM encoded + CA bundle which will be used to validate + the server certificate. + type: string + url: + description: URL is the JSON web service + URL. 
A typical form is `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: URLPath is the URL path to + be used in the HTTP GET or POST request + to the Kubernetes API server (e.g. "/api/v1/namespaces" + or "/apis/apps/v1/deployments"). The + format required is the same format used + by the `kubectl get --raw` command. See + https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + imageRegistry: + description: ImageRegistry defines requests + to an OCI/Docker V2 registry to fetch image + details. + properties: + jmesPath: + description: JMESPath is an optional JSON + Match Expression that can be used to transform + the ImageData struct returned as a result + of processing the image reference. + type: string + reference: + description: 'Reference is image reference + to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest' + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: Default is an optional arbitrary + JSON object that the variable may take + if the JMESPath expression evaluates to + nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: JMESPath is an optional JMESPath + Expression that can be used to transform + the variable. + type: string + value: + description: Value is any arbitrary JSON + object representable in YAML or JSON form. 
+ x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array kind: description: Kind specifies resource kind. type: string @@ -23920,6 +26871,15 @@ spec: namespace: description: Namespace specifies resource namespace. type: string + preconditions: + description: 'Preconditions are used to determine + if a policy rule should be applied by evaluating + a set of conditions. The declaration can contain + nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements + is supported for backwards compatibility but will + be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + x-kubernetes-preserve-unknown-fields: true type: object type: array type: object @@ -23947,6 +26907,9 @@ spec: description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators are: Equals, NotEquals, @@ -23988,6 +26951,9 @@ spec: description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators are: Equals, NotEquals, @@ -24048,6 +27014,10 @@ spec: description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators are: 
@@ -24091,6 +27061,10 @@ spec: description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators are: @@ -24129,10 +27103,10 @@ spec: sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic. items: - description: ForEach applies validate rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. + description: ForEachValidation applies validate rules + to a list of sub-elements by creating a context for + each entry in the list and looping over it to apply + the specified logic. properties: anyPattern: description: AnyPattern specifies list of validation 
@@ -24148,30 +27122,74 @@ spec: reference or a APILookup must be provided. properties: apiCall: - description: APICall defines an HTTP request - to the Kubernetes API server. The JSON data - retrieved is stored in the context. + description: APICall is an HTTP request to the + Kubernetes API server, or other JSON web service. + The data returned is stored in the context + with the name for the context entry. properties: + data: + description: Data specifies the POST data + sent to the server. + items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array jmesPath: description: JMESPath is an optional JSON Match Expression that can be used to transform - the JSON response returned from the API - server. For example a JMESPath of "items - | length(@)" applied to the API server - response to the URLPath "/apis/apps/v1/deployments" + the JSON response returned from the server. + For example a JMESPath of "items | length(@)" + applied to the API server response for + the URLPath "/apis/apps/v1/deployments" will return the total count of deployments across all namespaces. type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call to a + JSON web service + properties: + caBundle: + description: CABundle is a PEM encoded + CA bundle which will be used to validate + the server certificate. + type: string + url: + description: URL is the JSON web service + URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object urlPath: description: URLPath is the URL path to - be used in the HTTP GET request to the - Kubernetes API server (e.g. 
"/api/v1/namespaces" + be used in the HTTP GET or POST request + to the Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). The format required is the same format used - by the `kubectl get --raw` command. + by the `kubectl get --raw` command. See + https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. type: string - required: - - urlPath type: object configMap: description: ConfigMap is the ConfigMap reference. @@ -24284,6 +27302,10 @@ spec: description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators @@ -24333,6 +27355,10 @@ spec: description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators @@ -24680,7 +27706,7 @@ spec: description: Version defines the Pod Security Standard versions that Kubernetes supports. Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, - latest. Defaults to latest. + v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 @@ -24689,6 +27715,7 @@ spec: - v1.23 - v1.24 - v1.25 + - v1.26 - latest type: string type: object @@ -24943,6 +27970,10 @@ spec: (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators 
@@ -24994,6 +28025,10 @@ spec: (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators @@ -25257,6 +28292,14 @@ spec: i.e. have matched passed a signature or attestation check. type: boolean + type: + description: Type specifies the method of signature validation. + The allowed options are Cosign and Notary. By default + Cosign is used if a type is not specified. + enum: + - Cosign + - Notary + type: string verifyDigest: default: true description: VerifyDigest validates that images have a 
@@ -25299,6 +28342,54 @@ spec: - Audit - Enforce type: string + namespaceSelector: + description: A label selector is a label query over a set of + resources. The result of matchLabels and matchExpressions + are ANDed. An empty label selector matches all objects. A + null label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists or + DoesNotExist, the values array must be empty. This + array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is + "key", the operator is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic namespaces: items: type: string 
@@ -25338,28 +28429,71 @@ spec: APILookup must be provided. properties: apiCall: - description: APICall defines an HTTP request to the - Kubernetes API server. The JSON data retrieved is - stored in the context. + description: APICall is an HTTP request to the Kubernetes + API server, or other JSON web service. The data + returned is stored in the context with the name + for the context entry. properties: + data: + description: Data specifies the POST data sent + to the server. + items: + description: RequestData contains the HTTP POST + data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array jmesPath: description: JMESPath is an optional JSON Match Expression that can be used to transform the - JSON response returned from the API server. - For example a JMESPath of "items | length(@)" - applied to the API server response to the URLPath - "/apis/apps/v1/deployments" will return the - total count of deployments across all namespaces. + JSON response returned from the server. For + example a JMESPath of "items | length(@)" applied + to the API server response for the URLPath "/apis/apps/v1/deployments" + will return the total count of deployments across + all namespaces. type: string + method: + default: GET + description: Method is the HTTP request type (GET + or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call to a JSON + web service + properties: + caBundle: + description: CABundle is a PEM encoded CA + bundle which will be used to validate the + server certificate. + type: string + url: + description: URL is the JSON web service URL. + A typical form is `https://{service}.{namespace}:{port}/{path}`. 
+ type: string + required: + - url + type: object urlPath: description: URLPath is the URL path to be used - in the HTTP GET request to the Kubernetes API - server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + in the HTTP GET or POST request to the Kubernetes + API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). The format required is the same format used - by the `kubectl get --raw` command. + by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. type: string - required: - - urlPath type: object configMap: description: ConfigMap is the ConfigMap reference. @@ -25537,6 +28671,22 @@ spec: items: type: string type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support @@ -25762,6 +28912,22 @@ spec: items: type: string type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support 
@@ -25981,6 +29147,21 @@ spec: items: type: string type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one of + the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard @@ -26201,6 +29382,15 @@ spec: additionalProperties: items: properties: + jmesPath: + description: 'JMESPath is an optional JMESPath expression + to apply to the image value. This is useful when + the extracted image begins with a prefix like + ''docker://''. The ''trim_prefix'' function may + be used to trim the prefix: trim_prefix(@, ''docker://''). + Note - Image digest mutation may not be used when + applying a JMESPAth to an image.' + type: string key: description: Key is an optional name of the field within 'path' that will be used to uniquely identify @@ -26354,6 +29544,22 @@ spec: items: type: string type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support 
@@ -26579,6 +29785,22 @@ spec: items: type: string type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support @@ -26798,6 +30020,21 @@ spec: items: type: string type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one of + the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard @@ -26910,10 +30147,10 @@ spec: in the list and looping over it to apply the specified logic. items: - description: ForEach applies mutation rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. + description: ForEachMutation applies mutation rules + to a list of sub-elements by creating a context + for each entry in the list and looping over it to + apply the specified logic. properties: context: description: Context defines variables and data 
@@ -26924,31 +30161,78 @@ spec: reference or a APILookup must be provided. properties: apiCall: - description: APICall defines an HTTP request - to the Kubernetes API server. The JSON - data retrieved is stored in the context. + description: APICall is an HTTP request + to the Kubernetes API server, or other + JSON web service. The data returned is + stored in the context with the name for + the context entry. properties: + data: + description: Data specifies the POST + data sent to the server. + items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array jmesPath: description: JMESPath is an optional JSON Match Expression that can be used to transform the JSON response - returned from the API server. For - example a JMESPath of "items | length(@)" + returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response - to the URLPath "/apis/apps/v1/deployments" + for the URLPath "/apis/apps/v1/deployments" will return the total count of deployments across all namespaces. type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call + to a JSON web service + properties: + caBundle: + description: CABundle is a PEM encoded + CA bundle which will be used to + validate the server certificate. + type: string + url: + description: URL is the JSON web + service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object urlPath: description: URLPath is the URL path - to be used in the HTTP GET request - to the Kubernetes API server (e.g. - "/api/v1/namespaces" or "/apis/apps/v1/deployments"). 
+ to be used in the HTTP GET or POST + request to the Kubernetes API server + (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. type: string - required: - - urlPath type: object configMap: description: ConfigMap is the ConfigMap @@ -27020,6 +30304,15 @@ spec: that results in one or more elements to which the validation logic is applied. type: string + order: + description: Order defines the iteration order + on the list. Can be Ascending to iterate from + first to last element or Descending to iterate + in from last to first element. + enum: + - Ascending + - Descending + type: string patchStrategicMerge: description: PatchStrategicMerge is a strategic merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ @@ -27053,6 +30346,10 @@ spec: (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators @@ -27104,6 +30401,10 @@ spec: (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators 
@@ -27157,10 +30458,155 @@ spec: description: Targets defines the target resources to be mutated. items: + description: TargetResourceSpec defines targets for + mutating existing resources. properties: apiVersion: description: APIVersion specifies resource apiVersion. type: string + context: + description: Context defines variables and data + sources that can be used during rule execution. + items: + description: ContextEntry adds variables and + data sources to a rule Context. Either a ConfigMap + reference or a APILookup must be provided. + properties: + apiCall: + description: APICall is an HTTP request + to the Kubernetes API server, or other + JSON web service. The data returned is + stored in the context with the name for + the context entry. + properties: + data: + description: Data specifies the POST + data sent to the server. + items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: JMESPath is an optional + JSON Match Expression that can be + used to transform the JSON response + returned from the server. For example + a JMESPath of "items | length(@)" + applied to the API server response + for the URLPath "/apis/apps/v1/deployments" + will return the total count of deployments + across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call + to a JSON web service + properties: + caBundle: + description: CABundle is a PEM encoded + CA bundle which will be used to + validate the server certificate. + type: string + url: + description: URL is the JSON web + service URL. 
A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: URLPath is the URL path + to be used in the HTTP GET or POST + request to the Kubernetes API server + (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format + used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap + reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + imageRegistry: + description: ImageRegistry defines requests + to an OCI/Docker V2 registry to fetch + image details. + properties: + jmesPath: + description: JMESPath is an optional + JSON Match Expression that can be + used to transform the ImageData struct + returned as a result of processing + the image reference. + type: string + reference: + description: 'Reference is image reference + to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest' + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary + JMESPath context variable that can be + defined inline. + properties: + default: + description: Default is an optional + arbitrary JSON object that the variable + may take if the JMESPath expression + evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: JMESPath is an optional + JMESPath Expression that can be used + to transform the variable. + type: string + value: + description: Value is any arbitrary + JSON object representable in YAML + or JSON form. 
+ x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array kind: description: Kind specifies resource kind. type: string @@ -27170,6 +30616,16 @@ spec: namespace: description: Namespace specifies resource namespace. type: string + preconditions: + description: 'Preconditions are used to determine + if a policy rule should be applied by evaluating + a set of conditions. The declaration can contain + nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements + is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/' + x-kubernetes-preserve-unknown-fields: true type: object type: array type: object @@ -27213,10 +30669,10 @@ spec: in the list and looping over it to apply the specified logic. items: - description: ForEach applies validate rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. + description: ForEachValidation applies validate rules + to a list of sub-elements by creating a context + for each entry in the list and looping over it to + apply the specified logic. properties: anyPattern: description: AnyPattern specifies list of validation 
@@ -27232,31 +30688,78 @@ spec: reference or a APILookup must be provided. properties: apiCall: - description: APICall defines an HTTP request - to the Kubernetes API server. The JSON - data retrieved is stored in the context. + description: APICall is an HTTP request + to the Kubernetes API server, or other + JSON web service. The data returned is + stored in the context with the name for + the context entry. properties: + data: + description: Data specifies the POST + data sent to the server. + items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array jmesPath: description: JMESPath is an optional JSON Match Expression that can be used to transform the JSON response - returned from the API server. For - example a JMESPath of "items | length(@)" + returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response - to the URLPath "/apis/apps/v1/deployments" + for the URLPath "/apis/apps/v1/deployments" will return the total count of deployments across all namespaces. type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call + to a JSON web service + properties: + caBundle: + description: CABundle is a PEM encoded + CA bundle which will be used to + validate the server certificate. + type: string + url: + description: URL is the JSON web + service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object urlPath: description: URLPath is the URL path - to be used in the HTTP GET request - to the Kubernetes API server (e.g. - "/api/v1/namespaces" or "/apis/apps/v1/deployments"). 
+ to be used in the HTTP GET or POST + request to the Kubernetes API server + (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. type: string - required: - - urlPath type: object configMap: description: ConfigMap is the ConfigMap @@ -27375,6 +30878,10 @@ spec: (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators @@ -27426,6 +30933,10 @@ spec: (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators @@ -27785,7 +31296,7 @@ spec: description: Version defines the Pod Security Standard versions that Kubernetes supports. Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, - v1.25, latest. Defaults to latest. + v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 @@ -27794,6 +31305,7 @@ spec: - v1.23 - v1.24 - v1.25 + - v1.26 - latest type: string type: object @@ -28083,6 +31595,10 @@ spec: entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators 
@@ -28135,6 +31651,10 @@ spec: entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators @@ -28432,6 +31952,14 @@ spec: signing, for example an email address Deprecated. Use KeylessAttestor instead. type: string + type: + description: Type specifies the method of signature + validation. The allowed options are Cosign and Notary. + By default Cosign is used if a type is not specified. + enum: + - Cosign + - Notary + type: string verifyDigest: default: true description: VerifyDigest validates that images have @@ -28552,12 +32080,12 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.1 + controller-gen.kubebuilder.io/version: v0.11.3 {{- with .Values.crds.annotations }} {{- toYaml . | nindent 4 }} {{- end }} labels: - {{- include "kyverno.crdLabels" . | nindent 4 }} + {{- include "kyverno.crds.labels" . | nindent 4 }} name: policyexceptions.kyverno.io spec: group: kyverno.io @@ -28593,6 +32121,13 @@ spec: spec: description: Spec declares policy exception behaviors. properties: + background: + description: Background controls if exceptions are applied to existing + policies during a background scan. Optional. Default value is "true". + The value must be set to "false" if the policy rule uses variables + that are only available in the admission review request (e.g. user + name). + type: boolean exceptions: description: Exceptions is a list policy/rules to be excluded items: 
@@ -28722,6 +32257,21 @@ spec: items: type: string type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters @@ -28925,6 +32475,21 @@ spec: items: type: string type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters @@ -29039,12 +32604,12 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.1 + controller-gen.kubebuilder.io/version: v0.11.3 {{- with .Values.crds.annotations }} {{- toYaml . | nindent 4 }} {{- end }} labels: - {{- include "kyverno.crdLabels" . | nindent 4 }} + {{- include "kyverno.crds.labels" . | nindent 4 }} name: updaterequests.kyverno.io spec: group: kyverno.io @@ -29100,7 +32665,7 @@ spec: metadata: type: object spec: - description: Spec is the information to identify the update request. + description: ResourceSpec is the information to identify the trigger resource. properties: context: description: Context ... 
@@ -29355,6 +32920,10 @@ spec: type: object type: object type: object + deleteDownstream: + description: DeleteDownstream represents whether the downstream needs + to be deleted. + type: boolean policy: description: Specifies the name of the policy. type: string @@ -29365,8 +32934,8 @@ spec: - generate type: string resource: - description: ResourceSpec is the information to identify the update - request. + description: ResourceSpec is the information to identify the trigger + resource. properties: apiVersion: description: APIVersion specifies resource apiVersion. @@ -29381,10 +32950,19 @@ spec: description: Namespace specifies resource namespace. type: string type: object + rule: + description: Rule is the associate rule name of the current UR. + type: string + synchronize: + description: Synchronize represents the sync behavior of the corresponding + rule Optional. Defaults to "false" if not specified. + type: boolean required: - context + - deleteDownstream - policy - resource + - rule type: object status: description: Status contains statistics related to update request. @@ -29431,12 +33009,12 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.1 + controller-gen.kubebuilder.io/version: v0.11.3 {{- with .Values.crds.annotations }} {{- toYaml . | nindent 4 }} {{- end }} labels: - {{- include "kyverno.crdLabels" . | nindent 4 }} + {{- include "kyverno.crds.labels" . | nindent 4 }} name: clusterpolicyreports.wgpolicyk8s.io spec: group: wgpolicyk8s.io 
@@ -29798,12 +33376,12 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.1 + controller-gen.kubebuilder.io/version: v0.11.3 {{- with .Values.crds.annotations }} {{- toYaml . | nindent 4 }} {{- end }} labels: - {{- include "kyverno.crdLabels" . | nindent 4 }} + {{- include "kyverno.crds.labels" . | nindent 4 }} name: policyreports.wgpolicyk8s.io spec: group: wgpolicyk8s.io diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/deployment.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/deployment.yaml deleted file mode 100644 index f2d0bee60..000000000 --- a/scripts/helmcharts/toolings/charts/kyverno/templates/deployment.yaml +++ /dev/null 
@@ -1,174 +0,0 @@ -{{- if not .Values.templating.debug -}} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ template "kyverno.fullname" . }} - labels: - {{- include "kyverno.labels" . | nindent 4 }} - namespace: {{ template "kyverno.namespace" . }} -spec: - {{- with .Values.replicaCount }} - replicas: {{ . }} - {{- end }} - selector: - matchLabels: - {{- include "kyverno.matchLabels" . | nindent 6 }} - {{- if .Values.updateStrategy }} - strategy: - {{ toYaml .Values.updateStrategy | nindent 4 | trim }} - {{- end }} - template: - metadata: - labels: - {{- include "kyverno.labels" . | nindent 8 }} - {{- range $key, $value := .Values.podLabels }} - {{ $key }}: {{ $value }} - {{- end }} - {{- with .Values.podAnnotations }} - annotations: {{ tpl (toYaml .) $ | nindent 8 }} - {{- end }} - spec: - {{- with .Values.image.pullSecrets }} - imagePullSecrets: {{ tpl (toYaml .) $ | nindent 8 }} - {{- end }} - {{- with .Values.podSecurityContext }} - securityContext: {{ tpl (toYaml .) $ | nindent 8 }} - {{- end }} - {{- if or .Values.antiAffinity.enable .Values.podAffinity .Values.nodeAffinity }} - affinity: - {{- if .Values.antiAffinity.enable }} - {{- with .Values.podAntiAffinity }} - podAntiAffinity: - {{- tpl (toYaml .) $ | nindent 10 }} - {{- end }} - {{- end }} - {{- with .Values.podAffinity }} - podAffinity: - {{- tpl (toYaml .) $ | nindent 10 }} - {{- end }} - {{- with .Values.nodeAffinity }} - nodeAffinity: - {{- tpl (toYaml .) $ | nindent 10 }} - {{- end }} - {{- end }} - {{- with .Values.nodeSelector }} - nodeSelector: {{ tpl (toYaml .) $ | nindent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: {{ tpl (toYaml .) $ | nindent 8 }} - {{- end }} - {{- with .Values.topologySpreadConstraints }} - topologySpreadConstraints: {{ tpl (toYaml .) $ | nindent 8 }} - {{- end }} - serviceAccountName: {{ template "kyverno.serviceAccountName" . 
}} - {{- if .Values.priorityClassName }} - priorityClassName: {{ .Values.priorityClassName | quote }} - {{- end }} - {{- if .Values.hostNetwork }} - hostNetwork: {{ .Values.hostNetwork }} - {{- end }} - {{- if .Values.dnsPolicy }} - dnsPolicy: {{ .Values.dnsPolicy }} - {{- end }} - initContainers: - {{- if .Values.extraInitContainers }} - {{- toYaml .Values.extraInitContainers | nindent 8 }} - {{- end }} - - name: kyverno-pre - image: {{ include "kyverno.image" (dict "image" .Values.initImage "defaultTag" (default .Chart.AppVersion .Values.image.tag)) | quote }} - imagePullPolicy: {{ default .Values.image.pullPolicy .Values.initImage.pullPolicy }} - {{- if .Values.initContainer.extraArgs }} - args: - {{- tpl (toYaml .Values.initContainer.extraArgs) . | nindent 12 }} - {{- end }} - {{- with .Values.initResources }} - resources: {{ tpl (toYaml .) $ | nindent 12 }} - {{- end }} - {{- if .Values.securityContext }} - securityContext: {{ include "kyverno.securityContext" . | nindent 12 }} - {{- end }} - env: - - name: METRICS_CONFIG - value: {{ template "kyverno.metricsConfigMapName" . }} - - name: KYVERNO_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: KYVERNO_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KYVERNO_DEPLOYMENT - value: {{ template "kyverno.fullname" . }} - {{- with .Values.envVarsInit }} - {{- toYaml . | nindent 10 }} - {{- end }} - containers: - {{- if .Values.extraContainers }} - {{- toYaml .Values.extraContainers | nindent 8 }} - {{- end }} - - name: kyverno - image: {{ include "kyverno.image" (dict "image" .Values.image "defaultTag" .Chart.AppVersion) | quote }} - imagePullPolicy: {{ .Values.image.pullPolicy }} - {{- if or .Values.extraArgs .Values.imagePullSecrets }} - args: - {{- if .Values.extraArgs -}} - {{ tpl (toYaml .Values.extraArgs) . 
| nindent 12 }} - {{- end }} - {{- if or .Values.imagePullSecrets .Values.existingImagePullSecrets }} - - --imagePullSecrets={{- join "," (concat (keys .Values.imagePullSecrets) .Values.existingImagePullSecrets) }} - {{- end }} - {{- end }} - {{- with .Values.resources }} - resources: {{ tpl (toYaml .) $ | nindent 12 }} - {{- end }} - {{- if .Values.securityContext }} - securityContext: {{ include "kyverno.securityContext" . | nindent 12 }} - {{- end }} - ports: - - containerPort: 9443 - name: https - protocol: TCP - - containerPort: 8000 - name: metrics-port - protocol: TCP - env: - - name: INIT_CONFIG - value: {{ template "kyverno.configMapName" . }} - - name: METRICS_CONFIG - value: {{ template "kyverno.metricsConfigMapName" . }} - - name: KYVERNO_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: KYVERNO_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KYVERNO_SERVICEACCOUNT_NAME - value: {{ template "kyverno.serviceAccountName" . }} - - name: KYVERNO_SVC - value: {{ template "kyverno.serviceName" . }} - - name: TUF_ROOT - value: {{ .Values.tufRootMountPath }} - {{- with .Values.envVars }} - {{- toYaml . | nindent 10 }} - {{- end }} - - name: KYVERNO_DEPLOYMENT - value: {{ template "kyverno.fullname" . }} - {{- with .Values.startupProbe }} - startupProbe: {{ tpl (toYaml .) $ | nindent 12 }} - {{- end }} - {{- with .Values.livenessProbe }} - livenessProbe: {{ tpl (toYaml .) $ | nindent 12 }} - {{- end }} - {{- with .Values.readinessProbe }} - readinessProbe: {{ tpl (toYaml .) $ | nindent 12 }} - {{- end }} - volumeMounts: - - mountPath: {{ .Values.tufRootMountPath }} - name: sigstore - volumes: - - name: sigstore - emptyDir: {} -{{- end -}} diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/grafana/dashboard.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/grafana/dashboard.yaml index 7f4fb3eea..9e8a414cb 100644 
--- a/scripts/helmcharts/toolings/charts/kyverno/templates/grafana/dashboard.yaml +++ b/scripts/helmcharts/toolings/charts/kyverno/templates/grafana/dashboard.yaml @@ -2,7 +2,7 @@ apiVersion: v1 kind: ConfigMap metadata: - name: {{ template "kyverno.configMapName" . }}-grafana + name: {{ tpl .Values.grafana.configMapName . }} namespace: {{ default (include "kyverno.namespace" .) .Values.grafana.namespace }} annotations: {{- toYaml .Values.grafana.annotations | nindent 4 }} diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/helm-pre-delete-hook.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/helm-pre-delete-hook.yaml deleted file mode 100644 index c0848d44f..000000000 --- a/scripts/helmcharts/toolings/charts/kyverno/templates/helm-pre-delete-hook.yaml +++ /dev/null @@ -1,26 +0,0 @@ -{{- if .Values.webhooksCleanup.enable }} -apiVersion: batch/v1 -kind: Job -metadata: - name: {{ template "kyverno.fullname" . }}-hook-pre-delete - labels: - {{- include "kyverno.labels" . | nindent 4 }} - annotations: - "helm.sh/hook": pre-delete - "helm.sh/hook-delete-policy": hook-succeeded,hook-failed -spec: - template: - spec: - serviceAccount: {{ template "kyverno.serviceAccountName" . }} - containers: - - name: kubectl - image: {{ .Values.webhooksCleanup.image }} - command: - - sh - - '-c' - - >- - kubectl delete validatingwebhookconfiguration -l webhook.kyverno.io/managed-by=kyverno; - kubectl delete mutatingwebhookconfiguration -l webhook.kyverno.io/managed-by=kyverno; - restartPolicy: Never - backoffLimit: 2 -{{- end }} \ No newline at end of file diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/hooks/_helpers.tpl b/scripts/helmcharts/toolings/charts/kyverno/templates/hooks/_helpers.tpl new file mode 100644 index 000000000..edc290b66 --- /dev/null +++ b/scripts/helmcharts/toolings/charts/kyverno/templates/hooks/_helpers.tpl 
@@ -0,0 +1,15 @@ +{{/* vim: set filetype=mustache: */}} + +{{- define "kyverno.hooks.labels" -}} +{{- template "kyverno.labels.merge" (list + (include "kyverno.labels.common" .) + (include "kyverno.hooks.matchLabels" .) +) -}} +{{- end -}} + +{{- define "kyverno.hooks.matchLabels" -}} +{{- template "kyverno.labels.merge" (list + (include "kyverno.matchLabels.common" .) + (include "kyverno.labels.component" "hooks") +) -}} +{{- end -}} diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/hooks/pre-delete.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/hooks/pre-delete.yaml new file mode 100644 index 000000000..d75ec99ae --- /dev/null +++ b/scripts/helmcharts/toolings/charts/kyverno/templates/hooks/pre-delete.yaml @@ -0,0 +1,33 @@ +{{- if .Values.webhooksCleanup.enabled -}} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "kyverno.fullname" . }}-hook-pre-delete + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.hooks.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": hook-succeeded,hook-failed +spec: + backoffLimit: 2 + template: + spec: + serviceAccount: {{ template "kyverno.admission-controller.serviceAccountName" . }} + restartPolicy: Never + {{- with .Values.webhooksCleanup.imagePullSecrets }} + imagePullSecrets: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + containers: + - name: kubectl + image: {{ .Values.webhooksCleanup.image }} + command: + - sh + - '-c' + - |- + kubectl scale -n {{ template "kyverno.namespace" . }} deployment --all --replicas=0 + sleep 30 + kubectl delete validatingwebhookconfiguration -l webhook.kyverno.io/managed-by=kyverno + kubectl delete mutatingwebhookconfiguration -l webhook.kyverno.io/managed-by=kyverno +{{- end -}} 
diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/metricsconfigmap.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/metricsconfigmap.yaml deleted file mode 100644 index eddd5e0cd..000000000 --- a/scripts/helmcharts/toolings/charts/kyverno/templates/metricsconfigmap.yaml +++ /dev/null @@ -1,26 +0,0 @@ -{{- if (not .Values.config.existingMetricsConfig) }} -apiVersion: v1 -kind: ConfigMap -metadata: - labels: - {{- include "kyverno.labels" . | nindent 4 }} - {{- with .Values.config.metricsConfig.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} - name: {{ template "kyverno.metricsConfigMapName" . }} - namespace: {{ template "kyverno.namespace" . }} -{{- if .Values.config.metricsConfig }} -data: - {{- if .Values.config.metricsConfig.namespaces }} - namespaces: {{ .Values.config.metricsConfig.namespaces | toJson | quote }} - {{- end -}} - {{- if .Values.config.metricsConfig.metricsRefreshInterval }} - metricsRefreshInterval: {{ .Values.config.metricsConfig.metricsRefreshInterval }} - {{- end -}} -{{- else }} -data: - namespaces: '{"include": [], "exclude": []}' - metricsRefreshInterval: 0s -{{- end }} -{{- end -}} diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/namespace.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/namespace.yaml deleted file mode 100644 index 3f36992f6..000000000 --- a/scripts/helmcharts/toolings/charts/kyverno/templates/namespace.yaml +++ /dev/null @@ -1,8 +0,0 @@ -{{- if .Values.templating.enabled -}} -apiVersion: v1 -kind: Namespace -metadata: - labels: - {{- include "kyverno.labels" . | nindent 4 }} - name: {{ template "kyverno.fullname" . }} -{{- end -}} diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/networkpolicy.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/networkpolicy.yaml deleted file mode 100644 index ac834224f..000000000 --- a/scripts/helmcharts/toolings/charts/kyverno/templates/networkpolicy.yaml +++ /dev/null 
@@ -1,33 +0,0 @@ -{{- if .Values.networkPolicy.enabled }} -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - labels: - {{- include "kyverno.labels" . | nindent 4 }} - name: {{ template "kyverno.fullname" . }} - namespace: {{ template "kyverno.namespace" . }} -spec: - podSelector: - matchLabels: - {{- include "kyverno.matchLabels" . | nindent 6 }} - policyTypes: - - Ingress - {{- if .Values.networkPolicy.ingressFrom }} - ingress: - - from: - {{- with .Values.networkPolicy.ingressFrom }} - {{- toYaml . | nindent 4 }} - {{- end }} - ports: - - protocol: TCP - port: 9443 # webhook access - # Allow prometheus scrapes for metrics - {{- if .Values.metricsService.create }} - - protocol: TCP - port: {{ .Values.metricsService.port }} - {{- end }} - {{- else }} - ingress: - - {} - {{- end }} -{{- end }} diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/poddisruptionbudget.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/poddisruptionbudget.yaml deleted file mode 100644 index 2e22a0862..000000000 --- a/scripts/helmcharts/toolings/charts/kyverno/templates/poddisruptionbudget.yaml +++ /dev/null @@ -1,18 +0,0 @@ -{{- if (gt (int .Values.replicaCount) 1) }} -{{- if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" }} -apiVersion: policy/v1 -{{- else }} -apiVersion: policy/v1beta1 -{{- end }} -kind: PodDisruptionBudget -metadata: - name: {{ template "kyverno.fullname" . }} - labels: - {{- include "kyverno.labels" . | nindent 4 }} - namespace: {{ template "kyverno.namespace" . }} -spec: - {{- include "kyverno.podDisruptionBudget.spec" . | indent 2 }} - selector: - matchLabels: - {{- include "kyverno.matchLabels" . | nindent 6 }} -{{- end }} diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/rbac/_helpers.tpl b/scripts/helmcharts/toolings/charts/kyverno/templates/rbac/_helpers.tpl new file mode 100644 index 000000000..e1cc0b114 --- /dev/null 
+++ b/scripts/helmcharts/toolings/charts/kyverno/templates/rbac/_helpers.tpl @@ -0,0 +1,28 @@ +{{/* vim: set filetype=mustache: */}} + +{{- define "kyverno.rbac.labels.admin" -}} +{{- template "kyverno.labels.merge" (list + (include "kyverno.labels.common" .) + (include "kyverno.rbac.matchLabels" .) + "rbac.authorization.k8s.io/aggregate-to-admin: 'true'" +) -}} +{{- end -}} + +{{- define "kyverno.rbac.labels.view" -}} +{{- template "kyverno.labels.merge" (list + (include "kyverno.labels.common" .) + (include "kyverno.rbac.matchLabels" .) + "rbac.authorization.k8s.io/aggregate-to-view: 'true'" +) -}} +{{- end -}} + +{{- define "kyverno.rbac.matchLabels" -}} +{{- template "kyverno.labels.merge" (list + (include "kyverno.matchLabels.common" .) + (include "kyverno.labels.component" "rbac") +) -}} +{{- end -}} + +{{- define "kyverno.rbac.roleName" -}} +{{ include "kyverno.fullname" . }}:rbac +{{- end -}} diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/rbac/policies.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/rbac/policies.yaml new file mode 100644 index 000000000..c949f8077 --- /dev/null +++ b/scripts/helmcharts/toolings/charts/kyverno/templates/rbac/policies.yaml 
@@ -0,0 +1,43 @@ +{{- if .Values.admissionController.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "kyverno.rbac.roleName" . }}:admin:policies + labels: + {{- include "kyverno.rbac.labels.admin" . | nindent 4 }} +rules: + - apiGroups: + - kyverno.io + resources: + - cleanuppolicies + - clustercleanuppolicies + - policies + - clusterpolicies + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "kyverno.rbac.roleName" . }}:view:policies + labels: + {{- include "kyverno.rbac.labels.view" . | nindent 4 }} +rules: + - apiGroups: + - kyverno.io + resources: + - cleanuppolicies + - clustercleanuppolicies + - policies + - clusterpolicies + verbs: + - get + - list + - watch +{{- end -}} diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/rbac/policyreports.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/rbac/policyreports.yaml new file mode 100644 index 000000000..0b85139f7 --- /dev/null +++ b/scripts/helmcharts/toolings/charts/kyverno/templates/rbac/policyreports.yaml 
@@ -0,0 +1,39 @@ +{{- if .Values.admissionController.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "kyverno.rbac.roleName" . }}:admin:policyreports + labels: + {{- include "kyverno.rbac.labels.admin" . | nindent 4 }} +rules: + - apiGroups: + - wgpolicyk8s.io + resources: + - policyreports + - clusterpolicyreports + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "kyverno.rbac.roleName" . }}:view:policyreports + labels: + {{- include "kyverno.rbac.labels.view" . | nindent 4 }} +rules: + - apiGroups: + - wgpolicyk8s.io + resources: + - policyreports + - clusterpolicyreports + verbs: + - get + - list + - watch +{{- end -}} diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/rbac/reports.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/rbac/reports.yaml new file mode 100644 index 000000000..d14529bfb --- /dev/null +++ b/scripts/helmcharts/toolings/charts/kyverno/templates/rbac/reports.yaml 
@@ -0,0 +1,43 @@ +{{- if .Values.admissionController.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "kyverno.rbac.roleName" . }}:admin:reports + labels: + {{- include "kyverno.rbac.labels.admin" . | nindent 4 }} +rules: + - apiGroups: + - kyverno.io + resources: + - admissionreports + - clusteradmissionreports + - backgroundscanreports + - clusterbackgroundscanreports + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "kyverno.rbac.roleName" . }}:view:reports + labels: + {{- include "kyverno.rbac.labels.view" . | nindent 4 }} +rules: + - apiGroups: + - kyverno.io + resources: + - admissionreports + - clusteradmissionreports + - backgroundscanreports + - clusterbackgroundscanreports + verbs: + - get + - list + - watch +{{- end -}} diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/rbac/updaterequests.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/rbac/updaterequests.yaml new file mode 100644 index 000000000..4d81ad75c --- /dev/null +++ b/scripts/helmcharts/toolings/charts/kyverno/templates/rbac/updaterequests.yaml 
@@ -0,0 +1,37 @@ +{{- if .Values.admissionController.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "kyverno.rbac.roleName" . }}:admin:updaterequests + labels: + {{- include "kyverno.rbac.labels.admin" . | nindent 4 }} +rules: + - apiGroups: + - kyverno.io + resources: + - updaterequests + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "kyverno.rbac.roleName" . }}:view:updaterequests + labels: + {{- include "kyverno.rbac.labels.view" . | nindent 4 }} +rules: + - apiGroups: + - kyverno.io + resources: + - updaterequests + verbs: + - get + - list + - watch +{{- end -}} diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/reports-controller/_helpers.tpl b/scripts/helmcharts/toolings/charts/kyverno/templates/reports-controller/_helpers.tpl new file mode 100644 index 000000000..b09f5610e --- /dev/null +++ b/scripts/helmcharts/toolings/charts/kyverno/templates/reports-controller/_helpers.tpl 
@@ -0,0 +1,39 @@ +{{/* vim: set filetype=mustache: */}} + +{{- define "kyverno.reports-controller.name" -}} +{{ template "kyverno.name" . }}-reports-controller +{{- end -}} + +{{- define "kyverno.reports-controller.labels" -}} +{{- template "kyverno.labels.merge" (list + (include "kyverno.labels.common" .) + (include "kyverno.reports-controller.matchLabels" .) +) -}} +{{- end -}} + +{{- define "kyverno.reports-controller.matchLabels" -}} +{{- template "kyverno.labels.merge" (list + (include "kyverno.matchLabels.common" .) + (include "kyverno.labels.component" "reports-controller") +) -}} +{{- end -}} + +{{- define "kyverno.reports-controller.image" -}} +{{- if .image.registry -}} + {{ .image.registry }}/{{ required "An image repository is required" .image.repository }}:{{ default .defaultTag .image.tag }} +{{- else -}} + {{ required "An image repository is required" .image.repository }}:{{ default .defaultTag .image.tag }} +{{- end -}} +{{- end -}} + +{{- define "kyverno.reports-controller.roleName" -}} +{{ include "kyverno.fullname" . }}:reports-controller +{{- end -}} + +{{- define "kyverno.reports-controller.serviceAccountName" -}} +{{- if .Values.reportsController.rbac.create -}} + {{ default (include "kyverno.reports-controller.name" .) .Values.reportsController.rbac.serviceAccount.name }} +{{- else -}} + {{ required "A service account name is required when `rbac.create` is set to `false`" .Values.reportsController.rbac.serviceAccount.name }} +{{- end -}} +{{- end -}} diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/reports-controller/clusterrole.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/reports-controller/clusterrole.yaml new file mode 100644 index 000000000..14010466c --- /dev/null +++ b/scripts/helmcharts/toolings/charts/kyverno/templates/reports-controller/clusterrole.yaml 
@@ -0,0 +1,90 @@ +{{- if .Values.reportsController.enabled -}} +{{- if .Values.reportsController.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "kyverno.reports-controller.roleName" . }} + labels: + {{- include "kyverno.reports-controller.labels" . | nindent 4 }} +aggregationRule: + clusterRoleSelectors: + - matchLabels: + {{- include "kyverno.reports-controller.matchLabels" . | nindent 8 }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "kyverno.reports-controller.roleName" . }}:core + labels: + {{- include "kyverno.reports-controller.labels" . | nindent 4 }} +rules: + - apiGroups: + - '*' + resources: + - '*' + verbs: + - get + - list + - watch + - apiGroups: + - kyverno.io + resources: + - admissionreports + - clusteradmissionreports + - backgroundscanreports + - clusterbackgroundscanreports + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection + - apiGroups: + - wgpolicyk8s.io + resources: + - policyreports + - policyreports/status + - clusterpolicyreports + - clusterpolicyreports/status + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection + - apiGroups: + - '' + - events.k8s.io + resources: + - events + verbs: + - create + - patch +{{- with .Values.reportsController.rbac.clusterRole.extraResources }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "kyverno.reports-controller.roleName" $ }}:additional + labels: + {{- include "kyverno.reports-controller.labels" $ | nindent 4 }} +rules: + {{- range . }} + - apiGroups: + {{- toYaml .apiGroups | nindent 6 }} + resources: + {{- toYaml .resources | nindent 6 }} + verbs: + - get + - list + - watch + {{- end }} +{{- end }} +{{- end }} +{{- end }} 
diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/reports-controller/clusterrolebinding.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/reports-controller/clusterrolebinding.yaml new file mode 100644 index 000000000..58742e6de --- /dev/null +++ b/scripts/helmcharts/toolings/charts/kyverno/templates/reports-controller/clusterrolebinding.yaml @@ -0,0 +1,18 @@ +{{- if .Values.reportsController.enabled -}} +{{- if .Values.reportsController.rbac.create -}} +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "kyverno.reports-controller.roleName" . }} + labels: + {{- include "kyverno.reports-controller.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "kyverno.reports-controller.roleName" . }} +subjects: +- kind: ServiceAccount + name: {{ template "kyverno.reports-controller.serviceAccountName" . }} + namespace: {{ template "kyverno.namespace" . }} +{{- end -}} +{{- end -}} diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/reports-controller/deployment.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/reports-controller/deployment.yaml new file mode 100644 index 000000000..b9bd15bb8 --- /dev/null +++ b/scripts/helmcharts/toolings/charts/kyverno/templates/reports-controller/deployment.yaml 
@@ -0,0 +1,154 @@ +{{- if .Values.reportsController.enabled -}} +{{- if not .Values.templating.debug -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "kyverno.reports-controller.name" . }} + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.reports-controller.labels" . | nindent 4 }} +spec: + replicas: {{ template "kyverno.deployment.replicas" .Values.reportsController.replicas }} + {{- with .Values.reportsController.updateStrategy }} + strategy: + {{- toYaml . | nindent 4 }} + {{- end }} + selector: + matchLabels: + {{- include "kyverno.reports-controller.matchLabels" . | nindent 6 }} + template: + metadata: + labels: + {{- include "kyverno.reports-controller.labels" . | nindent 8 }} + {{- with .Values.reportsController.podLabels }} + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.reportsController.podAnnotations }} + annotations: {{ tpl (toYaml .) $ | nindent 8 }} + {{- end }} + spec: + {{- with .Values.reportsController.imagePullSecrets }} + imagePullSecrets: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.reportsController.podSecurityContext }} + securityContext: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.reportsController.nodeSelector }} + nodeSelector: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.reportsController.tolerations }} + tolerations: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.reportsController.topologySpreadConstraints }} + topologySpreadConstraints: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.reportsController.priorityClassName }} + priorityClassName: {{ . | quote }} + {{- end }} + {{- with .Values.reportsController.hostNetwork }} + hostNetwork: {{ . }} + {{- end }} + {{- with .Values.reportsController.dnsPolicy }} + dnsPolicy: {{ . 
}} + {{- end }} + {{- if or .Values.reportsController.antiAffinity.enabled .Values.reportsController.podAffinity .Values.reportsController.nodeAffinity }} + affinity: + {{- if .Values.reportsController.antiAffinity.enabled }} + {{- with .Values.reportsController.podAntiAffinity }} + podAntiAffinity: + {{- tpl (toYaml .) $ | nindent 10 }} + {{- end }} + {{- end }} + {{- with .Values.reportsController.podAffinity }} + podAffinity: + {{- tpl (toYaml .) $ | nindent 10 }} + {{- end }} + {{- with .Values.reportsController.nodeAffinity }} + nodeAffinity: + {{- tpl (toYaml .) $ | nindent 10 }} + {{- end }} + {{- end }} + serviceAccountName: {{ template "kyverno.reports-controller.serviceAccountName" . }} + containers: + - name: controller + image: {{ include "kyverno.reports-controller.image" (dict "image" .Values.reportsController.image "defaultTag" .Chart.AppVersion) | quote }} + ports: + - containerPort: 9443 + name: https + protocol: TCP + - containerPort: 8000 + name: metrics + protocol: TCP + args: + {{- if .Values.reportsController.tracing.enabled }} + - --enableTracing + - --tracingAddress={{ .Values.reportsController.tracing.address }} + - --tracingPort={{ .Values.reportsController.tracing.port }} + {{- with .Values.reportsController.tracing.creds }} + - --tracingCreds={{ . }} + {{- end }} + {{- end }} + - --disableMetrics={{ .Values.reportsController.metering.disabled }} + {{- if not .Values.reportsController.metering.disabled }} + - --otelConfig={{ .Values.reportsController.metering.config }} + - --metricsPort={{ .Values.reportsController.metering.port }} + {{- with .Values.reportsController.metering.collector }} + - --otelCollector={{ . }} + {{- end }} + {{- with .Values.reportsController.metering.creds }} + - --transportCreds={{ . 
}} + {{- end }} + {{- end }} + {{- if or .Values.imagePullSecrets .Values.existingImagePullSecrets }} + - --imagePullSecrets={{- join "," (concat (keys .Values.imagePullSecrets) .Values.existingImagePullSecrets) }} + {{- end }} + {{- include "kyverno.features.flags" (pick (mergeOverwrite .Values.features .Values.reportsController.featuresOverride) + "admissionReports" + "backgroundScan" + "configMapCaching" + "logging" + "omitEvents" + "policyExceptions" + "reports" + "registryClient" + ) | nindent 12 }} + {{- range $key, $value := .Values.reportsController.extraArgs }} + {{- if $value }} + - --{{ $key }}={{ $value }} + {{- end }} + {{- end }} + env: + - name: INIT_CONFIG + value: {{ template "kyverno.config.configMapName" . }} + - name: METRICS_CONFIG + value: {{ template "kyverno.config.metricsConfigMapName" . }} + - name: KYVERNO_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KYVERNO_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: TUF_ROOT + value: {{ .Values.reportsController.tufRootMountPath }} + {{- with .Values.reportsController.resources }} + resources: {{ tpl (toYaml .) $ | nindent 12 }} + {{- end }} + {{- with .Values.reportsController.securityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} + volumeMounts: + - mountPath: {{ .Values.reportsController.tufRootMountPath }} + name: sigstore + volumes: + - name: sigstore + {{- toYaml (required "A valid .Values.reportsController.sigstoreVolume entry is required" .Values.reportsController.sigstoreVolume) | nindent 8 }} +{{- end -}} +{{- end -}} diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/reports-controller/networkpolicy.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/reports-controller/networkpolicy.yaml new file mode 100644 index 000000000..e70c6d821 --- /dev/null +++ b/scripts/helmcharts/toolings/charts/kyverno/templates/reports-controller/networkpolicy.yaml 
@@ -0,0 +1,30 @@ +{{- if .Values.reportsController.enabled -}} +{{- if .Values.reportsController.networkPolicy.enabled -}} +{{- if .Values.reportsController.metricsService.create -}} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ template "kyverno.reports-controller.name" . }} + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.reports-controller.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + {{- include "kyverno.reports-controller.matchLabels" . | nindent 6 }} + policyTypes: + - Ingress + {{- if .Values.reportsController.networkPolicy.ingressFrom }} + ingress: + - from: + {{- toYaml .Values.reportsController.networkPolicy.ingressFrom | nindent 8 }} + ports: + - protocol: TCP + port: {{ .Values.reportsController.metricsService.port }} + {{- else }} + ingress: + - {} + {{- end }} +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/reports-controller/poddisruptionbudget.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/reports-controller/poddisruptionbudget.yaml new file mode 100644 index 000000000..b1fdc7a50 --- /dev/null +++ b/scripts/helmcharts/toolings/charts/kyverno/templates/reports-controller/poddisruptionbudget.yaml @@ -0,0 +1,16 @@ +{{- if .Values.reportsController.enabled -}} +{{- if (gt (int .Values.reportsController.replicas) 1) -}} +apiVersion: {{ template "kyverno.pdb.apiVersion" . }} +kind: PodDisruptionBudget +metadata: + name: {{ template "kyverno.reports-controller.name" . }} + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.reports-controller.labels" . | nindent 4 }} +spec: + {{- include "kyverno.pdb.spec" .Values.reportsController.podDisruptionBudget | nindent 2 }} + selector: + matchLabels: + {{- include "kyverno.reports-controller.matchLabels" . | nindent 6 }} +{{- end -}} +{{- end -}} 
diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/reports-controller/role.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/reports-controller/role.yaml new file mode 100644 index 000000000..266e5adb8 --- /dev/null +++ b/scripts/helmcharts/toolings/charts/kyverno/templates/reports-controller/role.yaml @@ -0,0 +1,33 @@ +{{- if .Values.reportsController.enabled -}} +{{- if .Values.reportsController.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "kyverno.reports-controller.roleName" . }} + labels: + {{- include "kyverno.reports-controller.labels" . | nindent 4 }} + namespace: {{ template "kyverno.namespace" . }} +rules: + - apiGroups: + - '' + resources: + - configmaps + verbs: + - get + - list + - watch + resourceNames: + - {{ include "kyverno.config.configMapName" . }} + - {{ include "kyverno.config.metricsConfigMapName" . }} + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - delete + - get + - patch + - update +{{- end -}} +{{- end -}} diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/reports-controller/rolebinding.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/reports-controller/rolebinding.yaml new file mode 100644 index 000000000..d43066b3b --- /dev/null +++ b/scripts/helmcharts/toolings/charts/kyverno/templates/reports-controller/rolebinding.yaml 
@@ -0,0 +1,19 @@ +{{- if .Values.reportsController.enabled -}} +{{- if .Values.reportsController.rbac.create -}} +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "kyverno.reports-controller.roleName" . }} + labels: + {{- include "kyverno.reports-controller.labels" . | nindent 4 }} + namespace: {{ template "kyverno.namespace" . }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "kyverno.reports-controller.roleName" . }} +subjects: + - kind: ServiceAccount + name: {{ template "kyverno.reports-controller.serviceAccountName" . }} + namespace: {{ template "kyverno.namespace" . }} +{{- end -}} +{{- end -}} diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/reports-controller/service.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/reports-controller/service.yaml new file mode 100644 index 000000000..6eee2170d --- /dev/null +++ b/scripts/helmcharts/toolings/charts/kyverno/templates/reports-controller/service.yaml 
@@ -0,0 +1,27 @@ +{{- if .Values.reportsController.enabled -}} +{{- if .Values.reportsController.metricsService.create -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "kyverno.reports-controller.name" . }}-metrics + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.reports-controller.labels" . | nindent 4 }} + {{- with .Values.reportsController.metricsService.annotations }} + annotations: + {{- tpl (toYaml .) $ | nindent 4 }} + {{- end }} +spec: + ports: + - port: {{ .Values.reportsController.metricsService.port }} + targetPort: 8000 + protocol: TCP + name: metrics-port + {{- if and (eq .Values.reportsController.metricsService.type "NodePort") (not (empty .Values.reportsController.metricsService.nodePort)) }} + nodePort: {{ .Values.reportsController.metricsService.nodePort }} + {{- end }} + selector: + {{- include "kyverno.reports-controller.matchLabels" . | nindent 4 }} + type: {{ .Values.reportsController.metricsService.type }} +{{- end -}} +{{- end -}} diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/reports-controller/serviceaccount.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/reports-controller/serviceaccount.yaml new file mode 100644 index 000000000..44ddeda44 --- /dev/null +++ b/scripts/helmcharts/toolings/charts/kyverno/templates/reports-controller/serviceaccount.yaml @@ -0,0 +1,15 @@ +{{- if .Values.reportsController.enabled -}} +{{- if .Values.reportsController.rbac.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "kyverno.reports-controller.serviceAccountName" . }} + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.reports-controller.labels" . | nindent 4 }} + {{- with .Values.reportsController.rbac.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end -}} +{{- end -}} 
diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/reports-controller/servicemonitor.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/reports-controller/servicemonitor.yaml new file mode 100644 index 000000000..2c515d60c --- /dev/null +++ b/scripts/helmcharts/toolings/charts/kyverno/templates/reports-controller/servicemonitor.yaml @@ -0,0 +1,34 @@ +{{- if .Values.reportsController.enabled -}} +{{- if .Values.reportsController.serviceMonitor.enabled -}} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ template "kyverno.reports-controller.name" . }} + {{- if .Values.reportsController.serviceMonitor.namespace }} + namespace: {{ .Values.reportsController.serviceMonitor.namespace }} + {{- else }} + namespace: {{ template "kyverno.namespace" . }} + {{- end }} + labels: + {{- include "kyverno.reports-controller.labels" . | nindent 4 }} + {{- with .Values.reportsController.serviceMonitor.additionalLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + selector: + matchLabels: + {{- include "kyverno.reports-controller.matchLabels" . | nindent 6 }} + namespaceSelector: + matchNames: + - {{ template "kyverno.namespace" . }} + endpoints: + - port: metrics-port + interval: {{ .Values.reportsController.serviceMonitor.interval }} + scrapeTimeout: {{ .Values.reportsController.serviceMonitor.scrapeTimeout }} + {{- if .Values.reportsController.serviceMonitor.secure }} + scheme: https + tlsConfig: + {{- toYaml .Values.reportsController.serviceMonitor.tlsConfig | nindent 8 }} + {{- end }} +{{- end -}} +{{- end -}} diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/role.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/role.yaml deleted file mode 100644 index ac6b2a20b..000000000 --- a/scripts/helmcharts/toolings/charts/kyverno/templates/role.yaml +++ /dev/null 
@@ -1,31 +0,0 @@ -{{- if .Values.rbac.create }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ template "kyverno.fullname" . }}:leaderelection - namespace: {{ template "kyverno.namespace" . }} - labels: - {{- include "kyverno.labels" . | nindent 4 }} -rules: -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - create - - delete - - get - - patch - - update -# Allow update of Kyverno deployment annotations -- apiGroups: - - apps - resources: - - deployments - verbs: - - get - - list - - patch - - update - - watch -{{- end }} diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/rolebinding.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/rolebinding.yaml deleted file mode 100644 index abb3fbb96..000000000 --- a/scripts/helmcharts/toolings/charts/kyverno/templates/rolebinding.yaml +++ /dev/null @@ -1,17 +0,0 @@ -{{- if .Values.rbac.create }} -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ template "kyverno.fullname" . }}:leaderelection - namespace: {{ template "kyverno.namespace" . }} - labels: - {{- include "kyverno.labels" . | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ template "kyverno.fullname" . }}:leaderelection -subjects: -- kind: ServiceAccount - name: {{ template "kyverno.serviceAccountName" . }} - namespace: {{ template "kyverno.namespace" . }} -{{- end }} diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/service.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/service.yaml deleted file mode 100644 index bca0fa3c2..000000000 --- a/scripts/helmcharts/toolings/charts/kyverno/templates/service.yaml +++ /dev/null 
@@ -1,47 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: {{ template "kyverno.serviceName" . }} - labels: - {{- include "kyverno.labels" . | nindent 4 }} - namespace: {{ template "kyverno.namespace" . }} - {{- with .Values.service.annotations }} - annotations: {{ tpl (toYaml .) $ | nindent 4 }} - {{- end }} -spec: - ports: - - port: {{ .Values.service.port }} - targetPort: https - protocol: TCP - name: https - {{- if and (eq .Values.service.type "NodePort") (not (empty .Values.service.nodePort)) }} - nodePort: {{ .Values.service.nodePort }} - {{- end }} - selector: - {{- include "kyverno.matchLabels" . | nindent 4 }} - type: {{ .Values.service.type }} ---- -{{- if .Values.metricsService.create }} -apiVersion: v1 -kind: Service -metadata: - name: {{ template "kyverno.serviceName" . }}-metrics - labels: - {{- include "kyverno.labels" . | nindent 4 }} - namespace: {{ template "kyverno.namespace" . }} - {{- with .Values.metricsService.annotations }} - annotations: {{ tpl (toYaml .) $ | nindent 4 }} - {{- end }} -spec: - ports: - - port: {{ .Values.metricsService.port }} - targetPort: 8000 - protocol: TCP - name: metrics-port - {{- if and (eq .Values.metricsService.type "NodePort") (not (empty .Values.metricsService.nodePort)) }} - nodePort: {{ .Values.metricsService.nodePort }} - {{- end }} - selector: - {{- include "kyverno.matchLabels" . | nindent 4 }} - type: {{ .Values.metricsService.type }} -{{- end -}} diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/serviceaccount.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/serviceaccount.yaml deleted file mode 100644 index 83265e8a0..000000000 --- a/scripts/helmcharts/toolings/charts/kyverno/templates/serviceaccount.yaml +++ /dev/null 
@@ -1,12 +0,0 @@ -{{- if .Values.rbac.create }} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ template "kyverno.serviceAccountName" . }} - labels: - {{- include "kyverno.labels" . | nindent 4 }} - {{- if .Values.rbac.serviceAccount.annotations }} - annotations: {{ toYaml .Values.rbac.serviceAccount.annotations | nindent 4 }} - {{- end }} - namespace: {{ template "kyverno.namespace" . }} -{{- end }} diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/servicemonitor.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/servicemonitor.yaml deleted file mode 100644 index 33c192ea6..000000000 --- a/scripts/helmcharts/toolings/charts/kyverno/templates/servicemonitor.yaml +++ /dev/null @@ -1,32 +0,0 @@ -{{- if .Values.serviceMonitor.enabled }} -apiVersion: "monitoring.coreos.com/v1" -kind: ServiceMonitor -metadata: - labels: - {{- include "kyverno.labels" . | nindent 4 }} -{{- if .Values.serviceMonitor.additionalLabels }} -{{ toYaml .Values.serviceMonitor.additionalLabels | indent 4 }} -{{- end }} - name: {{ template "kyverno.serviceName" . }}-service-monitor -{{- if .Values.serviceMonitor.namespace }} - namespace: {{ .Values.serviceMonitor.namespace }} -{{- else }} - namespace: {{ template "kyverno.namespace" . }} -{{- end }} -spec: - selector: - matchLabels: - {{- include "kyverno.matchLabels" . | nindent 6 }} - namespaceSelector: - matchNames: - - {{ template "kyverno.namespace" . }} - endpoints: - - port: metrics-port - interval: {{ .Values.serviceMonitor.interval }} - scrapeTimeout: {{ .Values.serviceMonitor.scrapeTimeout }} - {{- if .Values.serviceMonitor.secure }} - scheme: https - tlsConfig: - {{- toYaml .Values.serviceMonitor.tlsConfig | nindent 8 }} - {{- end }} -{{- end }} diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/tests/_helpers.tpl b/scripts/helmcharts/toolings/charts/kyverno/templates/tests/_helpers.tpl new file mode 100644 index 000000000..f1e1a3ed3 --- /dev/null 
+++ b/scripts/helmcharts/toolings/charts/kyverno/templates/tests/_helpers.tpl @@ -0,0 +1,27 @@ +{{/* vim: set filetype=mustache: */}} + +{{- define "kyverno.test.labels" -}} +{{- template "kyverno.labels.merge" (list + (include "kyverno.labels.common" .) + (include "kyverno.test.matchLabels" .) +) -}} +{{- end -}} + +{{- define "kyverno.test.matchLabels" -}} +{{- template "kyverno.labels.merge" (list + (include "kyverno.matchLabels.common" .) + (include "kyverno.labels.component" "test") +) -}} +{{- end -}} + +{{- define "kyverno.test.annotations" -}} +helm.sh/hook: test +{{- end -}} + +{{- define "kyverno.test.image" -}} +{{- template "kyverno.image" (dict "image" .Values.test.image "defaultTag" "latest") -}} +{{- end -}} + +{{- define "kyverno.test.imagePullPolicy" -}} +{{- default .Values.admissionController.container.image.pullPolicy .Values.test.image.pullPolicy -}} +{{- end -}} diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/tests/admission-controller-liveness.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/tests/admission-controller-liveness.yaml new file mode 100644 index 000000000..97c671a86 --- /dev/null +++ b/scripts/helmcharts/toolings/charts/kyverno/templates/tests/admission-controller-liveness.yaml 
@@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: {{ template "kyverno.fullname" . }}-admission-controller-liveness + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.test.labels" . | nindent 4 }} + annotations: + {{- include "kyverno.test.annotations" . | nindent 4 }} +spec: + restartPolicy: Never + containers: + - name: test + image: {{ template "kyverno.test.image" . }} + imagePullPolicy: {{ template "kyverno.test.imagePullPolicy" . }} + {{- with .Values.test.resources }} + resources: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.test.securityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} + command: + - /bin/sh + - -c + - sleep 20 ; wget -O- -S --no-check-certificate https://{{ template "kyverno.admission-controller.serviceName" . }}.{{ template "kyverno.namespace" . }}:{{ .Values.admissionController.service.port }}/health/liveness diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/tests/admission-controller-metrics.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/tests/admission-controller-metrics.yaml new file mode 100644 index 000000000..514a6c262 --- /dev/null +++ b/scripts/helmcharts/toolings/charts/kyverno/templates/tests/admission-controller-metrics.yaml 
@@ -0,0 +1,29 @@ +{{- if .Values.admissionController.metricsService.create -}} +apiVersion: v1 +kind: Pod +metadata: + name: {{ template "kyverno.fullname" . }}-admission-controller-metrics + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.test.labels" . | nindent 4 }} + annotations: + {{- include "kyverno.test.annotations" . | nindent 4 }} +spec: + restartPolicy: Never + containers: + - name: test + image: {{ template "kyverno.test.image" . }} + imagePullPolicy: {{ template "kyverno.test.imagePullPolicy" . }} + {{- with .Values.test.resources }} + resources: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.test.securityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} + command: + - /bin/sh + - -c + - sleep 20 ; wget -O- -S --no-check-certificate http://{{ template "kyverno.admission-controller.serviceName" . }}-metrics.{{ template "kyverno.namespace" . }}:{{ .Values.admissionController.metricsService.port }}/metrics +{{- end -}} diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/tests/admission-controller-readiness.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/tests/admission-controller-readiness.yaml new file mode 100644 index 000000000..fb1d34a08 --- /dev/null +++ b/scripts/helmcharts/toolings/charts/kyverno/templates/tests/admission-controller-readiness.yaml 
@@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: {{ template "kyverno.fullname" . }}-admission-controller-readiness + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.test.labels" . | nindent 4 }} + annotations: + {{- include "kyverno.test.annotations" . | nindent 4 }} +spec: + restartPolicy: Never + containers: + - name: test + image: {{ template "kyverno.test.image" . }} + imagePullPolicy: {{ template "kyverno.test.imagePullPolicy" . }} + {{- with .Values.test.resources }} + resources: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.test.securityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} + command: + - /bin/sh + - -c + - sleep 20 ; wget -O- -S --no-check-certificate https://{{ template "kyverno.admission-controller.serviceName" . }}.{{ template "kyverno.namespace" . }}:{{ .Values.admissionController.service.port }}/health/readiness diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/tests/cleanup-controller-liveness.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/tests/cleanup-controller-liveness.yaml new file mode 100644 index 000000000..21b44011d --- /dev/null +++ b/scripts/helmcharts/toolings/charts/kyverno/templates/tests/cleanup-controller-liveness.yaml 
@@ -0,0 +1,29 @@ +{{- if .Values.cleanupController.enabled -}} +apiVersion: v1 +kind: Pod +metadata: + name: {{ template "kyverno.fullname" . }}-cleanup-controller-liveness + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.test.labels" . | nindent 4 }} + annotations: + {{- include "kyverno.test.annotations" . | nindent 4 }} +spec: + restartPolicy: Never + containers: + - name: test + image: {{ template "kyverno.test.image" . }} + imagePullPolicy: {{ template "kyverno.test.imagePullPolicy" . }} + {{- with .Values.test.resources }} + resources: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.test.securityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} + command: + - /bin/sh + - -c + - sleep 20 ; wget -O- -S --no-check-certificate https://{{ template "kyverno.cleanup-controller.name" . }}.{{ template "kyverno.namespace" . }}:{{ .Values.cleanupController.service.port }}/health/liveness +{{- end -}} diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/tests/cleanup-controller-metrics.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/tests/cleanup-controller-metrics.yaml new file mode 100644 index 000000000..c3cd51961 --- /dev/null +++ b/scripts/helmcharts/toolings/charts/kyverno/templates/tests/cleanup-controller-metrics.yaml 
@@ -0,0 +1,29 @@ +{{- if and .Values.cleanupController.enabled .Values.cleanupController.metricsService.create -}} +apiVersion: v1 +kind: Pod +metadata: + name: {{ template "kyverno.fullname" . }}-cleanup-controller-metrics + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.test.labels" . | nindent 4 }} + annotations: + {{- include "kyverno.test.annotations" . | nindent 4 }} +spec: + restartPolicy: Never + containers: + - name: test + image: {{ template "kyverno.test.image" . }} + imagePullPolicy: {{ template "kyverno.test.imagePullPolicy" . }} + {{- with .Values.test.resources }} + resources: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.test.securityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} + command: + - /bin/sh + - -c + - sleep 20 ; wget -O- -S --no-check-certificate http://{{ template "kyverno.cleanup-controller.name" . }}-metrics.{{ template "kyverno.namespace" . }}:{{ .Values.cleanupController.metricsService.port }}/metrics +{{- end -}} diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/tests/cleanup-controller-readiness.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/tests/cleanup-controller-readiness.yaml new file mode 100644 index 000000000..17752a3a3 --- /dev/null +++ b/scripts/helmcharts/toolings/charts/kyverno/templates/tests/cleanup-controller-readiness.yaml 
@@ -0,0 +1,29 @@ +{{- if .Values.cleanupController.enabled -}} +apiVersion: v1 +kind: Pod +metadata: + name: {{ template "kyverno.fullname" . }}-cleanup-controller-readiness + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.test.labels" . | nindent 4 }} + annotations: + {{- include "kyverno.test.annotations" . | nindent 4 }} +spec: + restartPolicy: Never + containers: + - name: test + image: {{ template "kyverno.test.image" . }} + imagePullPolicy: {{ template "kyverno.test.imagePullPolicy" . }} + {{- with .Values.test.resources }} + resources: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.test.securityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} + command: + - /bin/sh + - -c + - sleep 20 ; wget -O- -S --no-check-certificate https://{{ template "kyverno.cleanup-controller.name" . }}.{{ template "kyverno.namespace" . }}:{{ .Values.cleanupController.service.port }}/health/readiness +{{- end -}} diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/tests/reports-controller-metrics.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/tests/reports-controller-metrics.yaml new file mode 100644 index 000000000..ecc3be9b4 --- /dev/null +++ b/scripts/helmcharts/toolings/charts/kyverno/templates/tests/reports-controller-metrics.yaml 
@@ -0,0 +1,29 @@ +{{- if and .Values.reportsController.enabled .Values.reportsController.metricsService.create -}} +apiVersion: v1 +kind: Pod +metadata: + name: {{ template "kyverno.fullname" . }}-reports-controller-metrics + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.test.labels" . | nindent 4 }} + annotations: + {{- include "kyverno.test.annotations" . | nindent 4 }} +spec: + restartPolicy: Never + containers: + - name: test + image: {{ template "kyverno.test.image" . }} + imagePullPolicy: {{ template "kyverno.test.imagePullPolicy" . }} + {{- with .Values.test.resources }} + resources: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.test.securityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} + command: + - /bin/sh + - -c + - sleep 20 ; wget -O- -S --no-check-certificate http://{{ template "kyverno.reports-controller.name" . }}-metrics.{{ template "kyverno.namespace" . }}:{{ .Values.reportsController.metricsService.port }}/metrics +{{- end -}} diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/tests/test.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/tests/test.yaml deleted file mode 100644 index 75345dbac..000000000 --- a/scripts/helmcharts/toolings/charts/kyverno/templates/tests/test.yaml +++ /dev/null 
@@ -1,39 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: "{{ template "kyverno.fullname" . }}-test" - labels: - {{- include "kyverno.test-labels" . | nindent 4 }} - annotations: - "helm.sh/hook": test -spec: - restartPolicy: Never - containers: - - name: wget - image: {{ include "kyverno.image" (dict "image" .Values.testImage "defaultTag" "latest") | quote }} - imagePullPolicy: {{ default .Values.image.pullPolicy .Values.testImage.pullPolicy }} - {{- with .Values.testResources }} - resources: {{ tpl (toYaml .) $ | nindent 8 }} - {{- end }} - {{- if .Values.testSecurityContext }} - securityContext: {{ include "kyverno.testSecurityContext" . | nindent 8 }} - {{- end }} - command: - - /bin/sh - - -c - - | - sleep 20 ; wget -O- -S --no-check-certificate https://{{ template "kyverno.serviceName" . }}:{{ .Values.service.port }}/health/liveness - - name: wget-metrics - image: {{ include "kyverno.image" (dict "image" .Values.testImage "defaultTag" "latest") | quote }} - imagePullPolicy: {{ default .Values.image.pullPolicy .Values.testImage.pullPolicy }} - {{- with .Values.testResources }} - resources: {{ tpl (toYaml .) $ | nindent 8 }} - {{- end }} - {{- if .Values.testSecurityContext }} - securityContext: {{ include "kyverno.testSecurityContext" . | nindent 8 }} - {{- end }} - command: - - /bin/sh - - -c - - | - sleep 20 ; wget -O- -S --no-check-certificate http://{{ template "kyverno.serviceName" . }}-metrics:{{ .Values.metricsService.port }}/metrics diff --git a/scripts/helmcharts/toolings/charts/kyverno/templates/validate.yaml b/scripts/helmcharts/toolings/charts/kyverno/templates/validate.yaml index 35864e9c1..fab8dd8de 100644 --- a/scripts/helmcharts/toolings/charts/kyverno/templates/validate.yaml +++ b/scripts/helmcharts/toolings/charts/kyverno/templates/validate.yaml 
@@ -1,13 +1,30 @@ -{{- if hasKey .Values "mode" }} - {{ fail "mode is not supported anymore, please remove it from your release and use replicaCount instead." }} -{{- end }} +{{- if hasKey .Values "mode" -}} + {{- fail "mode is not supported anymore, please remove it from your release and use admissionController.replicas instead." -}} +{{- end -}} -{{- if .Values.replicaCount }} - {{- if eq (int .Values.replicaCount) 2 }} - {{ fail "Kyverno does not support running with 2 replicas. For a highly-available deployment, select 3 replicas or for standalone select 1 replica." }} - {{- end }} -{{- end }} +{{- if .Values.admissionController.replicas -}} + {{- if eq (int .Values.admissionController.replicas) 2 -}} + {{- fail "Kyverno does not support running with 2 replicas. For a highly-available deployment, select 3 replicas or for standalone select 1 replica." -}} + {{- end -}} +{{- end -}} -{{- if eq (include "kyverno.namespace" .) "kube-system" }} - {{ fail "Kyverno cannot be installed in namespace kube-system." }} -{{- end }} +{{- if eq (include "kyverno.namespace" .) "kube-system" -}} + {{- fail "Kyverno cannot be installed in namespace kube-system." -}} +{{- end -}} + +{{- if not .Values.upgrade.fromV2 -}} + {{- $v2 := lookup "apps/v1" "Deployment" (include "kyverno.namespace" .) (include "kyverno.fullname" .) -}} + {{- if $v2 -}} + {{- fail (join "\n" (list + "" + "" + " +--------------------------------------------------------------------------------------------------------------------------------------+" + " | An earlier Helm installation of Kyverno was detected. |" + " | Given this chart version has significant breaking changes, the upgrade has been blocked. |" + " | Please review the release notes and chart README section and then, once prepared, set `upgrade.fromV2: true` once ready to proceed. 
|" + " +--------------------------------------------------------------------------------------------------------------------------------------+" + "" + )) + -}} + {{- end -}} +{{- end -}} diff --git a/scripts/helmcharts/toolings/charts/kyverno/values.yaml b/scripts/helmcharts/toolings/charts/kyverno/values.yaml index 951c3cf85..f1cd3e012 100644 --- a/scripts/helmcharts/toolings/charts/kyverno/values.yaml +++ b/scripts/helmcharts/toolings/charts/kyverno/values.yaml 
@@ -3,362 +3,194 @@ templating: enabled: false debug: false - version: + version: ~ -# -- Override the name of the chart -nameOverride: +# -- (string) Override the name of the chart +nameOverride: ~ -# -- Override the expanded name of the chart -fullnameOverride: +# -- (string) Override the expanded name of the chart +fullnameOverride: ~ -# -- Namespace the chart deploys to -namespace: +# -- (string) Override the namespace the chart deploys to +namespaceOverride: ~ -# -- Additional labels -customLabels: {} +upgrade: + # -- Upgrading from v2 to v3 is not allowed by default, set this to true once changes have been reviewed. + fromV2: false -rbac: - # -- Create ClusterRoles, ClusterRoleBindings, and ServiceAccount - create: true - serviceAccount: - # -- Create a ServiceAccount - create: true - # -- The ServiceAccount name - name: - # -- Annotations for the ServiceAccount - annotations: {} - # example.com/annotation: value +apiVersionOverride: + # -- (string) Override api version used to create `PodDisruptionBudget`` resources. + # When not specified the chart will check if `policy/v1/PodDisruptionBudget` is available to + # determine the api version automatically. 
+ podDisruptionBudget: ~ -image: - # -- Image registry - registry: - # If you want to manage the registry you should remove it from the repository - # registry: ghcr.io - # repository: kyverno/kyverno - # -- Image repository - repository: ghcr.io/kyverno/kyverno # kyverno: replaced in e2e tests - # -- Image tag - # Defaults to appVersion in Chart.yaml if omitted - tag: # replaced in e2e tests - # -- Image pull policy - pullPolicy: IfNotPresent - # -- Image pull secrets - pullSecrets: [] - # - secretName +# CRDs configuration +crds: -initImage: - # -- Image registry - registry: - # If you want to manage the registry you should remove it from the repository - # registry: ghcr.io - # repository: kyverno/kyvernopre - # -- Image repository - repository: ghcr.io/kyverno/kyvernopre # init: replaced in e2e tests - # -- Image tag - # If initImage.tag is missing, defaults to image.tag - tag: # replaced in e2e tests - # -- Image pull policy - # If initImage.pullPolicy is missing, defaults to image.pullPolicy - pullPolicy: + # -- Whether to have Helm install the Kyverno CRDs, if the CRDs are not installed by Helm, they must be added before policies can be created + install: true -initContainer: - # -- Extra arguments to give to the kyvernopre binary. 
- extraArgs: - - --loggingFormat=text - - -testImage: - # -- Image registry - registry: - # -- Image repository - repository: busybox - # -- Image tag - # Defaults to `latest` if omitted - tag: 1.35 - # -- Image pull policy - # Defaults to image.pullPolicy if omitted - pullPolicy: - -# -- (int) Desired number of pods -replicaCount: ~ - -# -- Additional labels to add to each pod -podLabels: {} - # example.com/label: foo - -# -- Additional annotations to add to each pod -podAnnotations: {} - # example.com/annotation: foo - -# -- Security context for the pod -podSecurityContext: {} - -# -- Security context for the containers -securityContext: - runAsNonRoot: true - privileged: false - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - capabilities: - drop: - - ALL - seccompProfile: - type: RuntimeDefault - -# -- Security context for the test containers -testSecurityContext: - runAsUser: 65534 - runAsGroup: 65534 - runAsNonRoot: true - privileged: false - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - capabilities: - drop: - - ALL - seccompProfile: - type: RuntimeDefault - -# -- Optional priority class to be used for kyverno pods -priorityClassName: '' - -antiAffinity: - # -- Pod antiAffinities toggle. - # Enabled by default but can be disabled if you want to schedule pods to the same node. - enable: true - -# -- Pod anti affinity constraints. -# @default -- See [values.yaml](values.yaml) -podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 1 - podAffinityTerm: - labelSelector: - matchExpressions: - - key: app.kubernetes.io/name - operator: In - values: - - '{{ template "kyverno.name" . }}' - topologyKey: kubernetes.io/hostname - -# -- Pod affinity constraints. -podAffinity: {} - -# -- Node affinity constraints. -nodeAffinity: {} - -podDisruptionBudget: - # -- Configures the minimum available pods for kyverno disruptions. - # Cannot be used if `maxUnavailable` is set. 
- minAvailable: 1 - # -- Configures the maximum unavailable pods for kyverno disruptions. - # Cannot be used if `minAvailable` is set. - maxUnavailable: - -# -- Node labels for pod assignment -nodeSelector: {} - -# -- List of node taints to tolerate -tolerations: [] - -# -- Change `hostNetwork` to `true` when you want the kyverno's pod to share its host's network namespace. -# Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. -# Update the `dnsPolicy` accordingly as well to suit the host network mode. -hostNetwork: false - -# -- `dnsPolicy` determines the manner in which DNS resolution happens in the cluster. -# In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`. -# For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy. -dnsPolicy: ClusterFirst - -# -- Env variables for initContainers. -envVarsInit: {} - -# -- Env variables for containers. -envVars: {} - -# -- Extra arguments to give to the binary. -extraArgs: - - --loggingFormat=text - - --exceptionNamespace={{ include "kyverno.namespace" . }} - -# -- Array of extra init containers -extraInitContainers: [] -# Example: -# - name: init-container -# image: busybox -# command: ['sh', '-c', 'echo Hello'] - -# -- Array of extra containers to run alongside kyverno -extraContainers: [] -# Example: -# - name: myapp-container -# image: busybox -# command: ['sh', '-c', 'echo Hello && sleep 3600'] - -# -- Image pull secrets for image verify and imageData policies. -# This will define the `--imagePullSecrets` Kyverno argument. -imagePullSecrets: {} - # Define two image pull secrets - # imagePullSecrets: - # regcred: - # registry: foo.example.com - # username: foobar - # password: secret - # regcred2: - # registry: bar.example.com - # username: barbaz - # password: secret2 - - -# -- Existing Image pull secrets for image verify and imageData policies. 
-# This will define the `--imagePullSecrets` Kyverno argument. -existingImagePullSecrets: [] - # Define an existing image pull secret - # existingImagePullSecrets: - # - test-registry - # - other-test-registry - -resources: - # -- Pod resource limits - limits: - memory: 384Mi - # -- Pod resource requests - requests: - cpu: 100m - memory: 128Mi - -initResources: - # -- Pod resource limits - limits: - cpu: 100m - memory: 256Mi - # -- Pod resource requests - requests: - cpu: 10m - memory: 64Mi - -testResources: - # -- Pod resource limits - limits: - cpu: 100m - memory: 256Mi - # -- Pod resource requests - requests: - cpu: 10m - memory: 64Mi - -# -- Startup probe. -# The block is directly forwarded into the deployment, so you can use whatever startupProbes configuration you want. -# ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ -# @default -- See [values.yaml](values.yaml) -startupProbe: - httpGet: - path: /health/liveness - port: 9443 - scheme: HTTPS - failureThreshold: 20 - initialDelaySeconds: 2 - periodSeconds: 6 - -# -- Liveness probe. -# The block is directly forwarded into the deployment, so you can use whatever livenessProbe configuration you want. -# ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ -# @default -- See [values.yaml](values.yaml) -livenessProbe: - httpGet: - path: /health/liveness - port: 9443 - scheme: HTTPS - initialDelaySeconds: 15 - periodSeconds: 30 - timeoutSeconds: 5 - failureThreshold: 2 - successThreshold: 1 - -# -- Readiness Probe. -# The block is directly forwarded into the deployment, so you can use whatever readinessProbe configuration you want. 
-# ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ -# @default -- See [values.yaml](values.yaml) -readinessProbe: - httpGet: - path: /health/readiness - port: 9443 - scheme: HTTPS - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 5 - failureThreshold: 6 - successThreshold: 1 - -# -- Additional resources to be added to controller RBAC permissions. -generatecontrollerExtraResources: [] -# - ResourceA -# - ResourceB - -# -- Exclude Kyverno namespace -# Determines if default Kyverno namespace exclusion is enabled for webhooks and resourceFilters -excludeKyvernoNamespace: true - -# -- resourceFilter namespace exclude -# Namespaces to exclude from the default resourceFilters -resourceFiltersExcludeNamespaces: [] + # -- Additional CRDs annotations + annotations: {} + # argocd.argoproj.io/sync-options: Replace=true + # strategy.spinnaker.io/replace: 'true' +# Configuration config: + + # -- Create the configmap. + create: true + + # -- (string) The configmap name (required if `create` is `false`). + name: ~ + + # -- Additional annotations to add to the configmap. + annotations: {} + + # -- Enable registry mutation for container images. Enabled by default. + enableDefaultRegistryMutation: true + + # -- The registry hostname used for the image mutation. + defaultRegistry: docker.io + + # -- Exclude groups + excludeGroups: + - system:nodes + + # -- Exclude usernames + excludeUsernames: [] + # - '!system:kube-scheduler' + + # -- Exclude roles + excludeRoles: [] + + # -- Exclude roles + excludeClusterRoles: [] + + # -- Generate success events. + generateSuccessEvents: false + # -- Resource types to be skipped by the Kyverno policy engine. # Make sure to surround each entry in quotes so that it doesn't get parsed as a nested YAML list. # These are joined together without spaces, run through `tpl`, and the result is set in the config map. 
# @default -- See [values.yaml](values.yaml) resourceFilters: - - '[Event,*,*]' - - '[*,kube-system,*]' - - '[*,kube-public,*]' - - '[*,kube-node-lease,*]' - - '[Node,*,*]' - - '[APIService,*,*]' - - '[TokenReview,*,*]' - - '[SubjectAccessReview,*,*]' - - '[SelfSubjectAccessReview,*,*]' - - '[Binding,*,*]' - - '[ReplicaSet,*,*]' - - '[AdmissionReport,*,*]' - - '[ClusterAdmissionReport,*,*]' - - '[BackgroundScanReport,*,*]' - - '[ClusterBackgroundScanReport,*,*]' - # exclude resources from the chart - - '[ClusterRole,*,{{ template "kyverno.fullname" . }}:*]' - - '[ClusterRoleBinding,*,{{ template "kyverno.fullname" . }}:*]' - - '[ServiceAccount,{{ include "kyverno.namespace" . }},{{ template "kyverno.serviceAccountName" . }}]' - - '[ConfigMap,{{ include "kyverno.namespace" . }},{{ template "kyverno.configMapName" . }}]' - - '[ConfigMap,{{ include "kyverno.namespace" . }},{{ template "kyverno.metricsConfigMapName" . }}]' - - '[Deployment,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}]' - - '[Job,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}-hook-pre-delete]' - - '[NetworkPolicy,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}]' - - '[PodDisruptionBudget,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}]' - - '[Role,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}:*]' - - '[RoleBinding,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}:*]' - - '[Secret,{{ include "kyverno.namespace" . }},{{ template "kyverno.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.*]' - - '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.serviceName" . }}]' - - '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.serviceName" . }}-metrics]' - - '[ServiceMonitor,{{ if .Values.serviceMonitor.namespace }}{{ .Values.serviceMonitor.namespace }}{{ else }}{{ template "kyverno.namespace" . 
}}{{ end }},{{ template "kyverno.serviceName" . }}-service-monitor]' - - '[Pod,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}-test]' + - '[Event,*,*]' + - '[*/*,kube-system,*]' + - '[*/*,kube-public,*]' + - '[*/*,kube-node-lease,*]' + - '[Node,*,*]' + - '[Node/*,*,*]' + - '[APIService,*,*]' + - '[APIService/*,*,*]' + - '[TokenReview,*,*]' + - '[SubjectAccessReview,*,*]' + - '[SelfSubjectAccessReview,*,*]' + - '[Binding,*,*]' + - '[Pod/binding,*,*]' + - '[ReplicaSet,*,*]' + - '[ReplicaSet/*,*,*]' + - '[AdmissionReport,*,*]' + - '[AdmissionReport/*,*,*]' + - '[ClusterAdmissionReport,*,*]' + - '[ClusterAdmissionReport/*,*,*]' + - '[BackgroundScanReport,*,*]' + - '[BackgroundScanReport/*,*,*]' + - '[ClusterBackgroundScanReport,*,*]' + - '[ClusterBackgroundScanReport/*,*,*]' + # exclude resources from the chart + - '[ClusterRole,*,{{ template "kyverno.admission-controller.roleName" . }}]' + - '[ClusterRole,*,{{ template "kyverno.admission-controller.roleName" . }}:core]' + - '[ClusterRole,*,{{ template "kyverno.admission-controller.roleName" . }}:additional]' + - '[ClusterRole,*,{{ template "kyverno.background-controller.roleName" . }}]' + - '[ClusterRole,*,{{ template "kyverno.background-controller.roleName" . }}:core]' + - '[ClusterRole,*,{{ template "kyverno.background-controller.roleName" . }}:additional]' + - '[ClusterRole,*,{{ template "kyverno.cleanup-controller.roleName" . }}]' + - '[ClusterRole,*,{{ template "kyverno.cleanup-controller.roleName" . }}:core]' + - '[ClusterRole,*,{{ template "kyverno.cleanup-controller.roleName" . }}:additional]' + - '[ClusterRole,*,{{ template "kyverno.reports-controller.roleName" . }}]' + - '[ClusterRole,*,{{ template "kyverno.reports-controller.roleName" . }}:core]' + - '[ClusterRole,*,{{ template "kyverno.reports-controller.roleName" . }}:additional]' + - '[ClusterRoleBinding,*,{{ template "kyverno.admission-controller.roleName" . 
}}]' + - '[ClusterRoleBinding,*,{{ template "kyverno.background-controller.roleName" . }}]' + - '[ClusterRoleBinding,*,{{ template "kyverno.cleanup-controller.roleName" . }}]' + - '[ClusterRoleBinding,*,{{ template "kyverno.reports-controller.roleName" . }}]' + - '[ServiceAccount,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceAccountName" . }}]' + - '[ServiceAccount/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceAccountName" . }}]' + - '[ServiceAccount,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.serviceAccountName" . }}]' + - '[ServiceAccount/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.serviceAccountName" . }}]' + - '[ServiceAccount,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.serviceAccountName" . }}]' + - '[ServiceAccount/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.serviceAccountName" . }}]' + - '[ServiceAccount,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.serviceAccountName" . }}]' + - '[ServiceAccount/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.serviceAccountName" . }}]' + - '[Role,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.roleName" . }}]' + - '[Role,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.roleName" . }}]' + - '[Role,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.roleName" . }}]' + - '[Role,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.roleName" . }}]' + - '[RoleBinding,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.roleName" . }}]' + - '[RoleBinding,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.roleName" . }}]' + - '[RoleBinding,{{ include "kyverno.namespace" . 
}},{{ template "kyverno.cleanup-controller.roleName" . }}]' + - '[RoleBinding,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.roleName" . }}]' + - '[ConfigMap,{{ include "kyverno.namespace" . }},{{ template "kyverno.config.configMapName" . }}]' + - '[ConfigMap,{{ include "kyverno.namespace" . }},{{ template "kyverno.config.metricsConfigMapName" . }}]' + - '[Deployment,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]' + - '[Deployment/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]' + - '[Deployment,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]' + - '[Deployment/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]' + - '[Deployment,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]' + - '[Deployment/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]' + - '[Deployment,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]' + - '[Deployment/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]' + - '[Pod,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}-*]' + - '[Pod/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}-*]' + - '[Pod,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}-*]' + - '[Pod/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}-*]' + - '[Pod,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}-*]' + - '[Pod/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}-*]' + - '[Pod,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . 
}}-*]' + - '[Pod/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}-*]' + - '[Job,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}-hook-pre-delete]' + - '[Job/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}-hook-pre-delete]' + - '[NetworkPolicy,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]' + - '[NetworkPolicy/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]' + - '[NetworkPolicy,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]' + - '[NetworkPolicy/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]' + - '[NetworkPolicy,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]' + - '[NetworkPolicy/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]' + - '[NetworkPolicy,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]' + - '[NetworkPolicy/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]' + - '[PodDisruptionBudget,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]' + - '[PodDisruptionBudget/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]' + - '[PodDisruptionBudget,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]' + - '[PodDisruptionBudget/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]' + - '[PodDisruptionBudget,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]' + - '[PodDisruptionBudget/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]' + - '[PodDisruptionBudget,{{ include "kyverno.namespace" . 
}},{{ template "kyverno.reports-controller.name" . }}]' + - '[PodDisruptionBudget/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]' + - '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}]' + - '[Service/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}]' + - '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}-metrics]' + - '[Service/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}-metrics]' + - '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}-metrics]' + - '[Service/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}-metrics]' + - '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]' + - '[Service/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]' + - '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}-metrics]' + - '[Service/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}-metrics]' + - '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}-metrics]' + - '[Service/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}-metrics]' + - '[ServiceMonitor,{{ if .Values.admissionController.serviceMonitor.namespace }}{{ .Values.admissionController.serviceMonitor.namespace }}{{ else }}{{ template "kyverno.namespace" . }}{{ end }},{{ template "kyverno.admission-controller.name" . }}]' + - '[ServiceMonitor,{{ if .Values.admissionController.serviceMonitor.namespace }}{{ .Values.admissionController.serviceMonitor.namespace }}{{ else }}{{ template "kyverno.namespace" . 
}}{{ end }},{{ template "kyverno.background-controller.name" . }}]' + - '[ServiceMonitor,{{ if .Values.admissionController.serviceMonitor.namespace }}{{ .Values.admissionController.serviceMonitor.namespace }}{{ else }}{{ template "kyverno.namespace" . }}{{ end }},{{ template "kyverno.cleanup-controller.name" . }}]' + - '[ServiceMonitor,{{ if .Values.admissionController.serviceMonitor.namespace }}{{ .Values.admissionController.serviceMonitor.namespace }}{{ else }}{{ template "kyverno.namespace" . }}{{ end }},{{ template "kyverno.reports-controller.name" . }}]' + - '[Secret,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.*]' + - '[Secret,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}.{{ template "kyverno.namespace" . }}.svc.*]' - # -- Name of an existing config map (ignores default/provided resourceFilters) - existingConfig: '' - # -- Additional annotations to add to the configmap - annotations: {} - # example.com/annotation: foo - # -- Exclude group role - excludeGroupRole: - # - '' - # -- Exclude username - excludeUsername: - # - '' # -- Defines the `namespaceSelector` in the webhook configurations. # Note that it takes a list of `namespaceSelector` and/or `objectSelector` in the JSON format, and only the first element # will be forwarded to the webhook configurations. # The Kyverno namespace is excluded if `excludeKyvernoNamespace` is `true` (default) - webhooks: + webhooks: [] # Exclude namespaces # - namespaceSelector: # matchExpressions: 
@@ -373,129 +205,609 @@ config: # - key: webhooks.kyverno.io/exclude # operator: DoesNotExist - # -- Generate success events. - generateSuccessEvents: false - # -- Metrics config. - metricsConfig: - # -- Additional annotations to add to the metricsconfigmap - annotations: {} - # example.com/annotation: foo - namespaces: { - "include": [], - "exclude": [] - } - # 'namespaces.include': list of namespaces to capture metrics for. Default: metrics being captured for all namespaces except excludeNamespaces. - # 'namespaces.exclude': list of namespaces to NOT capture metrics for. Default: [] + # -- Defines annotations to set on webhook configurations. + webhookAnnotations: {} + # Example to disable admission enforcer on AKS: + # 'admissions.enforcer/disabled': 'true' - # metricsRefreshInterval: 24h - # rate at which metrics should reset so as to clean up the memory footprint of kyverno metrics, if you might be expecting high memory footprint of Kyverno's metrics. Default: 0, no refresh of metrics + # -- Exclude Kyverno namespace + # Determines if default Kyverno namespace exclusion is enabled for webhooks and resourceFilters + excludeKyvernoNamespace: true - # Or provide an existing metrics config-map by uncommenting the below line - # existingMetricsConfig: sample-metrics-configmap. Refer to the ./templates/metricsconfigmap.yaml for the structure of metrics configmap. -# -- Deployment update strategy. -# Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy -# @default -- See [values.yaml](values.yaml) -updateStrategy: - rollingUpdate: - maxSurge: 1 - maxUnavailable: 40% - type: RollingUpdate + # -- resourceFilter namespace exclude + # Namespaces to exclude from the default resourceFilters + resourceFiltersExcludeNamespaces: [] -service: - # -- Service port. - port: 443 - # -- Service type. - type: ClusterIP - # -- Service node port. - # Only used if `service.type` is `NodePort`. - nodePort: - # -- Service annotations. 
- annotations: {} +# Metrics configuration +metricsConfig: -# -- Topology spread constraints. -topologySpreadConstraints: [] - -metricsService: - # -- Create service. + # -- Create the configmap. create: true - # -- Service port. - # Kyverno's metrics server will be exposed at this port. - port: 8000 - # -- Service type. - type: ClusterIP - # -- Service node port. - # Only used if `metricsService.type` is `NodePort`. - nodePort: - # -- Service annotations. + + # -- (string) The configmap name (required if `create` is `false`). + name: ~ + + # -- Additional annotations to add to the configmap. annotations: {} -serviceMonitor: - # -- Create a `ServiceMonitor` to collect Prometheus metrics. - enabled: false - # -- Additional labels - additionalLabels: - # key: value - # -- Override namespace (default is the same as kyverno) - namespace: - # -- Interval to scrape metrics - interval: 30s - # -- Timeout if metrics can't be retrieved in given time interval - scrapeTimeout: 25s - # -- Is TLS required for endpoint - secure: false - # -- TLS Configuration for endpoint - tlsConfig: {} + namespaces: -# -- Kyverno requires a certificate key pair and corresponding certificate authority -# to properly register its webhooks. This can be done in one of 3 ways: -# 1) Use kube-controller-manager to generate a CA-signed certificate (preferred) -# 2) Provide your own CA and cert. -# In this case, you will need to create a certificate with a specific name and data structure. -# As long as you follow the naming scheme, it will be automatically picked up. -# kyverno-svc.(namespace).svc.kyverno-tls-ca (with data entries named tls.key and tls.crt) -# kyverno-svc.kyverno.svc.kyverno-tls-pair (with data entries named tls.key and tls.crt) -# 3) Let Helm generate a self signed cert, by setting createSelfSignedCert true -# If letting Kyverno create its own CA or providing your own, make createSelfSignedCert is false -createSelfSignedCert: false + # -- List of namespaces to capture metrics for. 
+ include: [] -# -- Whether to have Helm install the Kyverno CRDs. -# If the CRDs are not installed by Helm, they must be added before policies can be created. -installCRDs: true + # -- list of namespaces to NOT capture metrics for. + exclude: [] -crds: - # -- Additional CRDs annotations. - annotations: {} - # argocd.argoproj.io/sync-options: Replace=true - # strategy.spinnaker.io/replace: 'true' + # -- (string) Rate at which metrics should reset so as to clean up the memory footprint of kyverno metrics, if you might be expecting high memory footprint of Kyverno's metrics. Default: 0, no refresh of metrics + metricsRefreshInterval: ~ + # metricsRefreshInterval: 24h -networkPolicy: - # -- When true, use a NetworkPolicy to allow ingress to the webhook - # This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup. - enabled: false - # -- A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies. 
- ingressFrom: [] +# -- Image pull secrets for image verification policies, this will define the `--imagePullSecrets` argument +imagePullSecrets: {} + # regcred: + # registry: foo.example.com + # username: foobar + # password: secret + # regcred2: + # registry: bar.example.com + # username: barbaz + # password: secret2 + +# -- Existing Image pull secrets for image verification policies, this will define the `--imagePullSecrets` argument +existingImagePullSecrets: [] + # - test-registry + # - other-test-registry + +# Tests configuration +test: + + image: + # -- (string) Image registry + registry: ~ + # -- Image repository + repository: busybox + # -- Image tag + # Defaults to `latest` if omitted + tag: '1.35' + # -- (string) Image pull policy + # Defaults to image.pullPolicy if omitted + pullPolicy: ~ + + resources: + # -- Pod resource limits + limits: + cpu: 100m + memory: 256Mi + # -- Pod resource requests + requests: + cpu: 10m + memory: 64Mi + + # -- Security context for the test containers + securityContext: + runAsUser: 65534 + runAsGroup: 65534 + runAsNonRoot: true + privileged: false + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + +# -- Additional labels +customLabels: {} webhooksCleanup: # -- Create a helm pre-delete hook to cleanup webhooks. - enable: false + enabled: false # -- `kubectl` image to run commands for deleting webhooks. image: bitnami/kubectl:latest - -# -- A writable volume to use for the TUF root initialization. -tufRootMountPath: /.sigstore + # -- Image pull secrets + imagePullSecrets: [] grafana: # -- Enable grafana dashboard creation. enabled: false - # -- Namespace to create the grafana dashboard configmap. + + # -- Configmap name template. + configMapName: '{{ include "kyverno.fullname" . }}-grafana' + + # -- (string) Namespace to create the grafana dashboard configmap. 
# If not set, it will be created in the same namespace where the chart is deployed. - namespace: + namespace: ~ + # -- Grafana dashboard configmap annotations. annotations: {} -cleanupController: +# Features configuration +features: + admissionReports: + # -- Enables the feature + enabled: true + autoUpdateWebhooks: + # -- Enables the feature + enabled: true + backgroundScan: + # -- Enables the feature + enabled: true + # -- Number of background scan workers + backgroundScanWorkers: 2 + # -- Background scan interval + backgroundScanInterval: 1h + # -- Skips resource filters in background scan + skipResourceFilters: true + configMapCaching: + # -- Enables the feature + enabled: true + dumpPayload: + # -- Enables the feature + enabled: false + forceFailurePolicyIgnore: + # -- Enables the feature + enabled: false + logging: + # -- Logging format + format: text + # -- Logging verbosity + verbosity: 2 + omitEvents: + # -- Events which should not be emitted (possible values `PolicyViolation`, `PolicyApplied`, `PolicyError`, and `PolicySkipped`) + eventTypes: [] + # - PolicyViolation + # - PolicyApplied + # - PolicyError + # - PolicySkipped + policyExceptions: + # -- Enables the feature + enabled: false + # -- Restrict policy exceptions to a single namespace + namespace: '' + protectManagedResources: + # -- Enables the feature + enabled: false + registryClient: + # -- Allow insecure registry + allowInsecure: false + # -- Enable registry client helpers + credentialHelpers: + - default + - google + - amazon + - azure + - github + reports: + # -- Reports chunk size + chunkSize: 1000 - # -- Enable cleanup controller. 
+# Cleanup cronjobs to prevent internal resources from stacking up in the cluster +cleanupJobs: + + admissionReports: + + # -- Enable cleanup cronjob + enabled: true + + image: + # -- (string) Image registry + registry: ~ + # -- Image repository + repository: bitnami/kubectl + # -- Image tag + # Defaults to `latest` if omitted + tag: '1.26.4' + # -- (string) Image pull policy + # Defaults to image.pullPolicy if omitted + pullPolicy: ~ + + # -- Cronjob schedule + schedule: '*/10 * * * *' + + # -- Reports threshold, if number of reports are above this value the cronjob will start deleting them + threshold: 10000 + + # -- Cronjob history + history: + success: 1 + failure: 1 + + # -- Security context for the pod + podSecurityContext: {} + + # -- Security context for the containers + securityContext: + runAsNonRoot: true + privileged: false + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + + clusterAdmissionReports: + + # -- Enable cleanup cronjob + enabled: true + + image: + # -- (string) Image registry + registry: ~ + # -- Image repository + repository: bitnami/kubectl + # -- Image tag + # Defaults to `latest` if omitted + tag: '1.26.4' + # -- (string) Image pull policy + # Defaults to image.pullPolicy if omitted + pullPolicy: ~ + + # -- Cronjob schedule + schedule: '*/10 * * * *' + + # -- Reports threshold, if number of reports are above this value the cronjob will start deleting them + threshold: 10000 + + # -- Cronjob history + history: + success: 1 + failure: 1 + + # -- Security context for the pod + podSecurityContext: {} + + # -- Security context for the containers + securityContext: + runAsNonRoot: true + privileged: false + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + +# Admission controller configuration +admissionController: + + # -- Overrides features defined at the root level 
+ featuresOverride: {} + + rbac: + # -- Create RBAC resources + create: true + + serviceAccount: + # -- The ServiceAccount name + name: + + # -- Annotations for the ServiceAccount + annotations: {} + # example.com/annotation: value + + clusterRole: + # -- Extra resource permissions to add in the cluster role + extraResources: [] + # - apiGroups: + # - '' + # resources: + # - pods + # verbs: + # - create + # - update + # - delete + + # -- Create self-signed certificates at deployment time. + # The certificates won't be automatically renewed if this is set to `true`. + createSelfSignedCert: false + + # -- (int) Desired number of pods + replicas: ~ + + # -- Additional labels to add to each pod + podLabels: {} + # example.com/label: foo + + # -- Additional annotations to add to each pod + podAnnotations: {} + # example.com/annotation: foo + + # -- Deployment update strategy. + # Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + # @default -- See [values.yaml](values.yaml) + updateStrategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 40% + type: RollingUpdate + + # -- Optional priority class + priorityClassName: '' + + # -- Change `hostNetwork` to `true` when you want the pod to share its host's network namespace. + # Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. + # Update the `dnsPolicy` accordingly as well to suit the host network mode. + hostNetwork: false + + # -- `dnsPolicy` determines the manner in which DNS resolution happens in the cluster. + # In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`. + # For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy. + dnsPolicy: ClusterFirst + + # -- Startup probe. + # The block is directly forwarded into the deployment, so you can use whatever startupProbes configuration you want. 
+ # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ + # @default -- See [values.yaml](values.yaml) + startupProbe: + httpGet: + path: /health/liveness + port: 9443 + scheme: HTTPS + failureThreshold: 20 + initialDelaySeconds: 2 + periodSeconds: 6 + + # -- Liveness probe. + # The block is directly forwarded into the deployment, so you can use whatever livenessProbe configuration you want. + # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ + # @default -- See [values.yaml](values.yaml) + livenessProbe: + httpGet: + path: /health/liveness + port: 9443 + scheme: HTTPS + initialDelaySeconds: 15 + periodSeconds: 30 + timeoutSeconds: 5 + failureThreshold: 2 + successThreshold: 1 + + # -- Readiness Probe. + # The block is directly forwarded into the deployment, so you can use whatever readinessProbe configuration you want. + # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ + # @default -- See [values.yaml](values.yaml) + readinessProbe: + httpGet: + path: /health/readiness + port: 9443 + scheme: HTTPS + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + + # -- Node labels for pod assignment + nodeSelector: {} + + # -- List of node taints to tolerate + tolerations: [] + + antiAffinity: + # -- Pod antiAffinities toggle. + # Enabled by default but can be disabled if you want to schedule pods to the same node. + enabled: true + + # -- Pod anti affinity constraints. + # @default -- See [values.yaml](values.yaml) + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 1 + podAffinityTerm: + labelSelector: + matchExpressions: + - key: app.kubernetes.io/component + operator: In + values: + - admission-controller + topologyKey: kubernetes.io/hostname + + # -- Pod affinity constraints. + podAffinity: {} + + # -- Node affinity constraints. 
+ nodeAffinity: {} + + # -- Topology spread constraints. + topologySpreadConstraints: [] + + # -- Security context for the pod + podSecurityContext: {} + + podDisruptionBudget: + # -- Configures the minimum available pods for disruptions. + # Cannot be used if `maxUnavailable` is set. + minAvailable: 1 + # -- Configures the maximum unavailable pods for disruptions. + # Cannot be used if `minAvailable` is set. + maxUnavailable: + + # -- A writable volume to use for the TUF root initialization. + tufRootMountPath: /.sigstore + + # -- Volume to be mounted in pods for TUF/cosign work. + sigstoreVolume: + emptyDir: {} + + # -- Image pull secrets + imagePullSecrets: [] + # - secretName + + initContainer: + + image: + # -- Image registry + registry: ghcr.io + # -- Image repository + repository: kyverno/kyvernopre + # -- (string) Image tag + # If missing, defaults to image.tag + tag: ~ + # -- (string) Image pull policy + # If missing, defaults to image.pullPolicy + pullPolicy: ~ + + resources: + # -- Pod resource limits + limits: + cpu: 100m + memory: 256Mi + # -- Pod resource requests + requests: + cpu: 10m + memory: 64Mi + + # -- Container security context + securityContext: + runAsNonRoot: true + privileged: false + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + + # -- Additional container args. + extraArgs: {} + + # -- Additional container environment variables. 
+ extraEnvVars: [] + + container: + + image: + # -- Image registry + registry: ghcr.io + # -- Image repository + repository: kyverno/kyverno + # -- (string) Image tag + # Defaults to appVersion in Chart.yaml if omitted + tag: ~ + # -- Image pull policy + pullPolicy: IfNotPresent + + resources: + # -- Pod resource limits + limits: + memory: 384Mi + # -- Pod resource requests + requests: + cpu: 100m + memory: 128Mi + + # -- Container security context + securityContext: + runAsNonRoot: true + privileged: false + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + + # -- Additional container args. + extraArgs: {} + + # -- Additional container environment variables. + extraEnvVars: [] + + # -- Array of extra init containers + extraInitContainers: [] + # - name: init-container + # image: busybox + # command: ['sh', '-c', 'echo Hello'] + + # -- Array of extra containers to run alongside kyverno + extraContainers: [] + # - name: myapp-container + # image: busybox + # command: ['sh', '-c', 'echo Hello && sleep 3600'] + + service: + # -- Service port. + port: 443 + # -- Service type. + type: ClusterIP + # -- Service node port. + # Only used if `type` is `NodePort`. + nodePort: + # -- Service annotations. + annotations: {} + + metricsService: + # -- Create service. + create: true + # -- Service port. + # Kyverno's metrics server will be exposed at this port. + port: 8000 + # -- Service type. + type: ClusterIP + # -- Service node port. + # Only used if `type` is `NodePort`. + nodePort: + # -- Service annotations. + annotations: {} + + networkPolicy: + # -- When true, use a NetworkPolicy to allow ingress to the webhook + # This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup. + enabled: false + # -- A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies. 
+ ingressFrom: [] + + serviceMonitor: + # -- Create a `ServiceMonitor` to collect Prometheus metrics. + enabled: false + # -- Additional labels + additionalLabels: {} + # -- (string) Override namespace + namespace: ~ + # -- Interval to scrape metrics + interval: 30s + # -- Timeout if metrics can't be retrieved in given time interval + scrapeTimeout: 25s + # -- Is TLS required for endpoint + secure: false + # -- TLS Configuration for endpoint + tlsConfig: {} + + tracing: + # -- Enable tracing + enabled: false + # -- Traces receiver address + address: + # -- Traces receiver port + port: + # -- Traces receiver credentials + creds: '' + + metering: + # -- Disable metrics export + disabled: false + # -- Otel configuration, can be `prometheus` or `grpc` + config: prometheus + # -- Prometheus endpoint port + port: 8000 + # -- Otel collector endpoint + collector: '' + # -- Otel collector credentials + creds: '' + +# Background controller configuration +backgroundController: + + # -- Overrides features defined at the root level + featuresOverride: {} + + # -- Enable background controller. enabled: true rbac: @@ -506,6 +818,10 @@ cleanupController: # -- Service account name name: + # -- Annotations for the ServiceAccount + annotations: {} + # example.com/annotation: value + clusterRole: # -- Extra resource permissions to add in the cluster role extraResources: [] 
@@ -514,30 +830,32 @@ cleanupController: # resources: # - pods - # -- Create self-signed certificates at deployment time. - # The certificates won't be automatically renewed if this is set to `true`. - createSelfSignedCert: false - image: # -- Image registry - registry: - # If you want to manage the registry you should remove it from the repository - # registry: ghcr.io - # repository: kyverno/kyverno + registry: ghcr.io # -- Image repository - repository: ghcr.io/kyverno/cleanup-controller # kyverno: replaced in e2e tests + repository: kyverno/background-controller # -- Image tag # Defaults to appVersion in Chart.yaml if omitted tag: # replaced in e2e tests # -- Image pull policy pullPolicy: IfNotPresent - # -- Image pull secrets - pullSecrets: [] + + # -- Image pull secrets + imagePullSecrets: [] # - secretName # -- (int) Desired number of pods replicas: ~ + # -- Additional labels to add to each pod + podLabels: {} + # example.com/label: foo + + # -- Additional annotations to add to each pod + podAnnotations: {} + # example.com/annotation: foo + # -- Deployment update strategy. # Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy # @default -- See [values.yaml](values.yaml) 
@@ -561,7 +879,218 @@ cleanupController: dnsPolicy: ClusterFirst # -- Extra arguments passed to the container on the command line - extraArgs: [] + extraArgs: {} + + resources: + # -- Pod resource limits + limits: + memory: 128Mi + # -- Pod resource requests + requests: + cpu: 100m + memory: 64Mi + + # -- Node labels for pod assignment + nodeSelector: {} + + # -- List of node taints to tolerate + tolerations: [] + + antiAffinity: + # -- Pod antiAffinities toggle. + # Enabled by default but can be disabled if you want to schedule pods to the same node. + enabled: true + + # -- Pod anti affinity constraints. + # @default -- See [values.yaml](values.yaml) + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 1 + podAffinityTerm: + labelSelector: + matchExpressions: + - key: app.kubernetes.io/component + operator: In + values: + - background-controller + topologyKey: kubernetes.io/hostname + + # -- Pod affinity constraints. + podAffinity: {} + + # -- Node affinity constraints. + nodeAffinity: {} + + # -- Topology spread constraints. + topologySpreadConstraints: [] + + # -- Security context for the pod + podSecurityContext: {} + + # -- Security context for the containers + securityContext: + runAsNonRoot: true + privileged: false + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + + podDisruptionBudget: + # -- Configures the minimum available pods for disruptions. + # Cannot be used if `maxUnavailable` is set. + minAvailable: 1 + # -- Configures the maximum unavailable pods for disruptions. + # Cannot be used if `minAvailable` is set. + maxUnavailable: + + metricsService: + # -- Create service. + create: true + # -- Service port. + # Metrics server will be exposed at this port. + port: 8000 + # -- Service type. + type: ClusterIP + # -- Service node port. + # Only used if `metricsService.type` is `NodePort`. + nodePort: + # -- Service annotations. 
+ annotations: {} + + networkPolicy: + + # -- When true, use a NetworkPolicy to allow ingress to the webhook + # This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup. + enabled: false + + # -- A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies. + ingressFrom: [] + + serviceMonitor: + # -- Create a `ServiceMonitor` to collect Prometheus metrics. + enabled: false + # -- Additional labels + additionalLabels: {} + # -- (string) Override namespace + namespace: ~ + # -- Interval to scrape metrics + interval: 30s + # -- Timeout if metrics can't be retrieved in given time interval + scrapeTimeout: 25s + # -- Is TLS required for endpoint + secure: false + # -- TLS Configuration for endpoint + tlsConfig: {} + + tracing: + # -- Enable tracing + enabled: false + # -- Traces receiver address + address: + # -- Traces receiver port + port: + # -- Traces receiver credentials + creds: '' + + metering: + # -- Disable metrics export + disabled: false + # -- Otel configuration, can be `prometheus` or `grpc` + config: prometheus + # -- Prometheus endpoint port + port: 8000 + # -- Otel collector endpoint + collector: '' + # -- Otel collector credentials + creds: '' + +# Cleanup controller configuration +cleanupController: + + # -- Overrides features defined at the root level + featuresOverride: {} + + # -- Enable cleanup controller. + enabled: true + + rbac: + # -- Create RBAC resources + create: true + + serviceAccount: + # -- Service account name + name: + + # -- Annotations for the ServiceAccount + annotations: {} + # example.com/annotation: value + + clusterRole: + # -- Extra resource permissions to add in the cluster role + extraResources: [] + # - apiGroups: + # - '' + # resources: + # - pods + + # -- Create self-signed certificates at deployment time. + # The certificates won't be automatically renewed if this is set to `true`. 
+ createSelfSignedCert: false + + image: + # -- Image registry + registry: ghcr.io + # -- Image repository + repository: kyverno/cleanup-controller + # -- (string) Image tag + # Defaults to appVersion in Chart.yaml if omitted + tag: ~ + # -- Image pull policy + pullPolicy: IfNotPresent + + # -- Image pull secrets + imagePullSecrets: [] + # - secretName + + # -- (int) Desired number of pods + replicas: ~ + + # -- Additional labels to add to each pod + podLabels: {} + # example.com/label: foo + + # -- Additional annotations to add to each pod + podAnnotations: {} + # example.com/annotation: foo + + # -- Deployment update strategy. + # Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + # @default -- See [values.yaml](values.yaml) + updateStrategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 40% + type: RollingUpdate + + # -- Optional priority class + priorityClassName: '' + + # -- Change `hostNetwork` to `true` when you want the pod to share its host's network namespace. + # Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. + # Update the `dnsPolicy` accordingly as well to suit the host network mode. + hostNetwork: false + + # -- `dnsPolicy` determines the manner in which DNS resolution happens in the cluster. + # In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`. + # For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy. + dnsPolicy: ClusterFirst + + # -- Extra arguments passed to the container on the command line + extraArgs: {} resources: # -- Pod resource limits 
@@ -697,14 +1226,22 @@ cleanupController: # -- Service annotations. annotations: {} + networkPolicy: + + # -- When true, use a NetworkPolicy to allow ingress to the webhook + # This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup. + enabled: false + + # -- A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies. + ingressFrom: [] + serviceMonitor: # -- Create a `ServiceMonitor` to collect Prometheus metrics. enabled: false # -- Additional labels - additionalLabels: - # key: value - # -- Override namespace (default is the same as kyverno) - namespace: + additionalLabels: {} + # -- (string) Override namespace + namespace: ~ # -- Interval to scrape metrics interval: 30s # -- Timeout if metrics can't be retrieved in given time interval @@ -724,10 +1261,6 @@ cleanupController: # -- Traces receiver credentials creds: '' - logging: - # -- Logging format - format: text - metering: # -- Disable metrics export disabled: false 
@@ -739,3 +1272,217 @@ cleanupController: collector: '' # -- Otel collector credentials creds: '' + +# Reports controller configuration +reportsController: + + # -- Overrides features defined at the root level + featuresOverride: {} + + # -- Enable reports controller. + enabled: true + + rbac: + # -- Create RBAC resources + create: true + + serviceAccount: + # -- Service account name + name: + + # -- Annotations for the ServiceAccount + annotations: {} + # example.com/annotation: value + + clusterRole: + # -- Extra resource permissions to add in the cluster role + extraResources: [] + # - apiGroups: + # - '' + # resources: + # - pods + + image: + # -- Image registry + registry: ghcr.io + # -- Image repository + repository: kyverno/reports-controller + # -- (string) Image tag + # Defaults to appVersion in Chart.yaml if omitted + tag: ~ + # -- Image pull policy + pullPolicy: IfNotPresent + + # -- Image pull secrets + imagePullSecrets: [] + # - secretName + + # -- (int) Desired number of pods + replicas: ~ + + # -- Additional labels to add to each pod + podLabels: {} + # example.com/label: foo + + # -- Additional annotations to add to each pod + podAnnotations: {} + # example.com/annotation: foo + + # -- Deployment update strategy. + # Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + # @default -- See [values.yaml](values.yaml) + updateStrategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 40% + type: RollingUpdate + + # -- Optional priority class + priorityClassName: '' + + # -- Change `hostNetwork` to `true` when you want the pod to share its host's network namespace. + # Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. + # Update the `dnsPolicy` accordingly as well to suit the host network mode. + hostNetwork: false + + # -- `dnsPolicy` determines the manner in which DNS resolution happens in the cluster. 
+ # In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`. + # For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy. + dnsPolicy: ClusterFirst + + # -- Extra arguments passed to the container on the command line + extraArgs: {} + + resources: + # -- Pod resource limits + limits: + memory: 128Mi + # -- Pod resource requests + requests: + cpu: 100m + memory: 64Mi + + # -- Node labels for pod assignment + nodeSelector: {} + + # -- List of node taints to tolerate + tolerations: [] + + antiAffinity: + # -- Pod antiAffinities toggle. + # Enabled by default but can be disabled if you want to schedule pods to the same node. + enabled: true + + # -- Pod anti affinity constraints. + # @default -- See [values.yaml](values.yaml) + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 1 + podAffinityTerm: + labelSelector: + matchExpressions: + - key: app.kubernetes.io/component + operator: In + values: + - reports-controller + topologyKey: kubernetes.io/hostname + + # -- Pod affinity constraints. + podAffinity: {} + + # -- Node affinity constraints. + nodeAffinity: {} + + # -- Topology spread constraints. + topologySpreadConstraints: [] + + # -- Security context for the pod + podSecurityContext: {} + + # -- Security context for the containers + securityContext: + runAsNonRoot: true + privileged: false + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + + podDisruptionBudget: + # -- Configures the minimum available pods for disruptions. + # Cannot be used if `maxUnavailable` is set. + minAvailable: 1 + # -- Configures the maximum unavailable pods for disruptions. + # Cannot be used if `minAvailable` is set. + maxUnavailable: + + # -- A writable volume to use for the TUF root initialization. 
+ tufRootMountPath: /.sigstore + + # -- Volume to be mounted in pods for TUF/cosign work. + sigstoreVolume: + emptyDir: {} + + metricsService: + # -- Create service. + create: true + # -- Service port. + # Metrics server will be exposed at this port. + port: 8000 + # -- Service type. + type: ClusterIP + # -- (string) Service node port. + # Only used if `type` is `NodePort`. + nodePort: ~ + # -- Service annotations. + annotations: {} + + networkPolicy: + + # -- When true, use a NetworkPolicy to allow ingress to the webhook + # This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup. + enabled: false + + # -- A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies. + ingressFrom: [] + + serviceMonitor: + # -- Create a `ServiceMonitor` to collect Prometheus metrics. + enabled: false + # -- Additional labels + additionalLabels: {} + # -- (string) Override namespace + namespace: ~ + # -- Interval to scrape metrics + interval: 30s + # -- Timeout if metrics can't be retrieved in given time interval + scrapeTimeout: 25s + # -- Is TLS required for endpoint + secure: false + # -- TLS Configuration for endpoint + tlsConfig: {} + + tracing: + # -- Enable tracing + enabled: false + # -- (string) Traces receiver address + address: ~ + # -- (string) Traces receiver port + port: ~ + # -- (string) Traces receiver credentials + creds: ~ + + metering: + # -- Disable metrics export + disabled: false + # -- Otel configuration, can be `prometheus` or `grpc` + config: prometheus + # -- Prometheus endpoint port + port: 8000 + # -- (string) Otel collector endpoint + collector: ~ + # -- (string) Otel collector credentials + creds: ~
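Review bot: the `initContainer.image` comments in the admission controller block are ambiguous about what they fall back to: `# If missing, defaults to image.tag` and `# If missing, defaults to image.pullPolicy` sit directly under an `image:` key whose own `tag` is the value being described, so state the fallback explicitly as `admissionController.container.image.tag` and `.pullPolicy`. In the same hunk, `networkPolicy` ships with `enabled: false` and `ingressFrom: []`; the comment should say what the template renders when the policy is enabled with an empty selector list, because on a default-deny cluster that either admits every source or blocks the webhook entirely, and the values file is where an operator will look.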
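Review bot: `@@ -514,30 +830,32 @@` renames the pull secrets key (`- pullSecrets: []` becomes `+ imagePullSecrets: []`) and drops `createSelfSignedCert` from this block with no replacement in the hunk; both silently break an existing v2 values override, so list them in the v2-to-v3 migration section the README now points to. The removed line `# If you want to manage the registry you should remove it from the repository` documented a supported way to use a non-default registry; with `registry: ghcr.io` now a hard default, either keep that guidance or confirm the template tolerates an empty `registry`.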
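Review bot: in `@@ -561,7 +879,218 @@` the type of `extraArgs` changes from a list to a map (`- extraArgs: []` / `+ extraArgs: {}`); a v2 values file that still passes a list no longer matches the template's key iteration, so this needs a migration note and ideally a template-side check that fails clearly rather than rendering no args. Also in this hunk, the `networkPolicy` comment under `backgroundController` (`# -- When true, use a NetworkPolicy to allow ingress to the webhook`) is copied from the admission controller block; the only port this block declares is `metricsService.port: 8000`, so reword it to the listener this controller actually exposes.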
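Review bot: `@@ -697,14 +1226,22 @@` drops the default from the namespace comment (`- # -- Override namespace (default is the same as kyverno)` becomes `+ # -- (string) Override namespace`); keep the information that an unset value means the release namespace, otherwise the generated values table no longer tells the reader where the `ServiceMonitor` lands.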
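Review bot: `@@ -724,10 +1261,6 @@` removes `cleanupController.logging.format` with nothing added in its place in this hunk; if the setting moved to a root-level key, reference it in the migration section, and if it was dropped, say so, because a user carrying `logging.format: text` forward will have the override ignored silently.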
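Review bot: the new `reportsController` block in `@@ -739,3 +1272,217 @@` types its unset values differently from the two controller blocks above it: `creds: ~`, `collector: ~` and `nodePort: ~` with `(string)` annotations here, against `creds: ''`, `collector: ''` and a bare `nodePort:` under `backgroundController` and `cleanupController`. Pick one convention for all three so the generated docs and the templates' `default` handling agree; the `(string)` form used here is the clearer one.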