
docs: Update CEL migration guide with ImageValidatingPolicy (IVPOL) m…#1855

Open
Ansita20 wants to merge 1 commit intokyverno:mainfrom
Ansita20:docs/cel-ivpol-migration

Conversation

@Ansita20

Migration Details: verifyImages Rule to CEL (IVPOL)

Related Issue

Resolves #1842


Proposed Changes

This update enhances the CEL migration guide by adding comprehensive documentation for migrating verifyImages rules from traditional Kyverno policies to CEL-based policies, with a specific focus on IVPOL (Image Verification Policy) migration.

Key Updates

1. Added verifyImages Migration Section

  • Introduced a new section in the CEL migration guide explaining how verifyImages rules function in traditional Kyverno policies.
  • Documented the conceptual differences between traditional policies and CEL-based policies for image verification.

2. IVPOL Migration Explanation

  • Added step-by-step guidance for migrating verifyImages rules to CEL-compatible IVPOL configurations.
  • Clarified how image matching, attestors, and verification conditions are expressed using CEL.

3. Before-and-After Examples

  • Included real-world examples demonstrating:
    • Traditional Kyverno verifyImages policy.
    • Equivalent CEL-based policy.
  • Highlighted key syntax and behavioral differences between the two approaches.

4. Behavioral Notes and Limitations

  • Documented important differences in evaluation logic and policy behavior during migration.
  • Added warnings and best practices to help users avoid misconfiguration and unintended behavior.

5. Improved Documentation Structure

  • Reorganized the CEL migration guide to improve readability and discoverability.
  • Removed outdated CEL documentation files and consolidated relevant content into the migration guide.

Checklist

  • I have read the contributing guidelines.
  • I have inspected the website preview for accuracy.
  • I have signed off my issue.

…igration details

Signed-off-by: ansita20 <ansitasingh20@gmail.com>
Copilot AI review requested due to automatic review settings January 31, 2026 11:45

welcome bot commented Jan 31, 2026

Thanks for opening your first Pull Request here! Please check out our Contributing guidelines and confirm that you Signed off.


Copilot AI left a comment


Pull request overview

This PR adds comprehensive documentation for migrating verifyImages rules from traditional Kyverno ClusterPolicy to CEL-based ImageValidatingPolicy (IVPOL), resolving issue #1842. The update consolidates and reorganizes CEL migration documentation into a single comprehensive guide.

Changes:

  • Added a new migration guide (docs/guides/migration-to-cel.md) with detailed IVPOL migration examples, field mappings, and behavioral differences
  • Removed outdated CEL documentation files (troubleshooting, variable reference, old migration docs) to consolidate content
  • Updated navigation structure to feature the new migration guide prominently
  • Cleaned up policy metadata by removing isNew: true flags from 7 mature policy examples

Reviewed changes

Copilot reviewed 15 out of 15 changed files in this pull request and generated 6 comments.

| File | Description |
| --- | --- |
| src/content/docs/docs/guides/migration-to-cel.md | New comprehensive migration guide covering validation, mutation, generation, cleanup, and image verification rule migrations to CEL |
| src/content/docs/docs/troubleshooting/cel-expressions.md | Deleted - content consolidated into migration guide |
| src/content/docs/docs/migration/traditional-to-cel.md | Deleted - replaced by new migration guide |
| src/content/docs/docs/migration/index.md | Deleted - no longer needed with new guide location |
| src/content/docs/docs/cel/variables-reference.md | Deleted - content consolidated |
| src/content/docs/docs/cel/index.md | Deleted - content consolidated |
| src/content/docs/docs/guides/troubleshooting.md | Removed reference to deleted CEL expressions troubleshooting section |
| astro.config.mjs | Updated navigation to add migration guide at top of Guides section |
| src/content/policies/other-mpol/*.md | Removed `isNew: true` metadata flag from 7 policy examples (maintenance cleanup) |


- `kubectl explain mpol.spec` for MutatingPolicy schema
- `kubectl explain gpol.spec` for GeneratingPolicy schema
- `kubectl explain dpol.spec` for DeletingPolicy schema
- `kubectl explain ivpol.spec` for ImageValidaingPolicy schema
Copilot AI Jan 31, 2026


Typo: "ImageValidaingPolicy" should be "ImageValidatingPolicy" (missing 't')

Suggested change
- `kubectl explain ivpol.spec` for ImageValidaingPolicy schema
- `kubectl explain ivpol.spec` for ImageValidatingPolicy schema


**ClusterPolicy Structure**

A ClusterPolicy contains an [orderered list of rules](/docs/policy-types/cluster-policy/overview/) and [common settings](/docs/policy-types/cluster-policy/policy-settings/).
Copilot AI Jan 31, 2026


Typo: "orderered" should be "ordered"

Suggested change
A ClusterPolicy contains an [orderered list of rules](/docs/policy-types/cluster-policy/overview/) and [common settings](/docs/policy-types/cluster-policy/policy-settings/).
A ClusterPolicy contains an [ordered list of rules](/docs/policy-types/cluster-policy/overview/) and [common settings](/docs/policy-types/cluster-policy/policy-settings/).

| **spec.rules.validate** | `ValidatingPolicy` |
| **spec.rules.mutate** | `MutatingPolicy` |
| **spec.rules.generate** | `GeneratingPolicy` |
| **spec.rules.imageExtactors** | `variables.expressions` |
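Review bot: the visible rows of this mapping table cover validate, mutate, generate and imageExtractors, but there is no row for spec.rules.verifyImages, which is the migration this PR documents; add a row mapping it to `ImageValidatingPolicy` (and fix the `imageExtactors` spelling in the same pass).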
Copilot AI Jan 31, 2026


Typo: "imageExtactors" should be "imageExtractors"

Suggested change
| **spec.rules.imageExtactors** | `variables.expressions` |
| **spec.rules.imageExtractors** | `variables.expressions` |


**ValidatingPolicy:**

Note the logic innversion when converting a `deny` rule to a CEL expression:
Copilot AI Jan 31, 2026


Typo: "innversion" should be "inversion"

Suggested change
Note the logic innversion when converting a `deny` rule to a CEL expression:
Note the logic inversion when converting a `deny` rule to a CEL expression:

Comment on lines +146 to +149
['app', 'version'].all(label,
object.metadata.?labels[label].orValue('') != ''
)
message: "Pod must have an 'app' and 'version' labels"
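Review bot: the article in the message does not agree with the plural noun: "Pod must have an 'app' and 'version' labels" should read "Pod must have 'app' and 'version' labels"; if the expression is switched to the latest-tag check, the message has to change with it.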
Copilot AI Jan 31, 2026


The example ValidatingPolicy (lines 144-150) does not match the preceding ClusterPolicy pattern example (lines 133-139). The ClusterPolicy pattern validates that container images should not use the 'latest' tag, but the ValidatingPolicy example checks for 'app' and 'version' labels instead. These should be consistent to show the same validation logic in both formats.

Suggested change
['app', 'version'].all(label,
object.metadata.?labels[label].orValue('') != ''
)
message: "Pod must have an 'app' and 'version' labels"
object.spec.containers.all(c, !c.image.endsWith(':latest'))
message: "Containers must not use images with the 'latest' tag"

Comment on lines +170 to +174
validate:
cel:
expressions:
- expression: 'object.spec.replicas <= 10'
message: 'Replica count cannot exceed 10'
Copilot AI Jan 31, 2026


The ValidatingPolicy example uses the old ClusterPolicy syntax with 'validate.cel.expressions' structure. For the new ValidatingPolicy type, this should directly use 'validations' at the spec level, without the nested 'validate.cel' structure.

Suggested change
validate:
cel:
expressions:
- expression: 'object.spec.replicas <= 10'
message: 'Replica count cannot exceed 10'
validations:
- expression: object.spec.replicas <= 10
message: 'Replica count cannot exceed 10'

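Two of the review comments above touch the same migration detail: a ClusterPolicy `deny` rule names the condition under which a request is rejected, while a ValidatingPolicy `validations` entry at the spec level names the condition that must hold for the request to be admitted, so the condition is negated when it is rewritten in CEL. The following side-by-side pair is an added illustration of both points; it is not part of the PR's guide or the Kyverno docs. The `validations`, `expression` and `message` keys are as quoted in the review; the `apiVersion` values, the `matchConstraints` block and `validationActions` are assumptions about the current Kyverno ValidatingPolicy schema and should be checked with `kubectl explain vpol.spec` before use.

```yaml
# Added example (not from the PR or the Kyverno docs).
# Same rule in both formats: a Pod must not set spec.hostNetwork to true.
#
# ClusterPolicy: the deny conditions describe when to REJECT.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-host-network
spec:
  validationFailureAction: Enforce
  rules:
    - name: deny-host-network
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "Pods may not share the host network namespace"
        deny:
          conditions:
            any:
              # Reject when hostNetwork is explicitly true; an absent field
              # resolves to null, so the comparison is false and the Pod passes.
              - key: "{{ request.object.spec.hostNetwork }}"
                operator: Equals
                value: true
---
# ValidatingPolicy: each expression describes when to ADMIT, so the
# deny condition above is negated here.
# apiVersion, matchConstraints and validationActions are assumed field names.
apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
  name: disallow-host-network
spec:
  validationActions:
    - Deny
  matchConstraints:
    resourceRules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["pods"]
  validations:
    # Inverted logic: the expression must evaluate to true for admission.
    # `.?` plus orValue(false) keeps the expression from erroring when the
    # field is absent, matching the null-is-fine behaviour of the deny rule.
    - expression: "!object.spec.?hostNetwork.orValue(false)"
      message: "Pods may not share the host network namespace"
```

When migrating a rule this way, test both the positive and the negative case (a Pod with `hostNetwork: true`, one with `hostNetwork: false`, and one with the field omitted) against both policies; the third case is where a forgotten negation or a missing `orValue` most often changes behaviour silently.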
@lucchmielowski lucchmielowski self-assigned this Feb 2, 2026


Development

Successfully merging this pull request may close these issues.

migration guide: verifyImages rule --> IVPOL

2 participants
