diff --git a/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/00-upstream/disallow-capabilities/disallow-capabilities.yaml b/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/_ytt_lib/upstream/disallow-capabilities/disallow-capabilities.yaml
similarity index 100%
rename from carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/00-upstream/disallow-capabilities/disallow-capabilities.yaml
rename to carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/_ytt_lib/upstream/disallow-capabilities/disallow-capabilities.yaml
diff --git a/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/00-upstream/disallow-host-namespaces/disallow-host-namespaces.yaml b/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/_ytt_lib/upstream/disallow-host-namespaces/disallow-host-namespaces.yaml
similarity index 100%
rename from carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/00-upstream/disallow-host-namespaces/disallow-host-namespaces.yaml
rename to carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/_ytt_lib/upstream/disallow-host-namespaces/disallow-host-namespaces.yaml
diff --git a/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/00-upstream/disallow-host-path/disallow-host-path.yaml b/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/_ytt_lib/upstream/disallow-host-path/disallow-host-path.yaml
similarity index 100%
rename from carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/00-upstream/disallow-host-path/disallow-host-path.yaml
rename to carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/_ytt_lib/upstream/disallow-host-path/disallow-host-path.yaml
diff --git a/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/00-upstream/disallow-host-ports-range/disallow-host-ports-range.yaml b/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/_ytt_lib/upstream/disallow-host-ports-range/disallow-host-ports-range.yaml
similarity index 100%
rename from carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/00-upstream/disallow-host-ports-range/disallow-host-ports-range.yaml
rename to carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/_ytt_lib/upstream/disallow-host-ports-range/disallow-host-ports-range.yaml
diff --git a/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/00-upstream/disallow-host-ports/disallow-host-ports.yaml b/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/_ytt_lib/upstream/disallow-host-ports/disallow-host-ports.yaml
similarity index 100%
rename from carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/00-upstream/disallow-host-ports/disallow-host-ports.yaml
rename to carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/_ytt_lib/upstream/disallow-host-ports/disallow-host-ports.yaml
diff --git a/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/00-upstream/disallow-host-process/disallow-host-process.yaml b/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/_ytt_lib/upstream/disallow-host-process/disallow-host-process.yaml
similarity index 100%
rename from carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/00-upstream/disallow-host-process/disallow-host-process.yaml
rename to carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/_ytt_lib/upstream/disallow-host-process/disallow-host-process.yaml
diff --git a/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/00-upstream/disallow-privileged-containers/disallow-privileged-containers.yaml b/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/_ytt_lib/upstream/disallow-privileged-containers/disallow-privileged-containers.yaml
similarity index 100%
rename from carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/00-upstream/disallow-privileged-containers/disallow-privileged-containers.yaml
rename to carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/_ytt_lib/upstream/disallow-privileged-containers/disallow-privileged-containers.yaml
diff --git a/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/00-upstream/disallow-proc-mount/disallow-proc-mount.yaml b/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/_ytt_lib/upstream/disallow-proc-mount/disallow-proc-mount.yaml
similarity index 100%
rename from carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/00-upstream/disallow-proc-mount/disallow-proc-mount.yaml
rename to carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/_ytt_lib/upstream/disallow-proc-mount/disallow-proc-mount.yaml
diff --git a/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/00-upstream/disallow-selinux/disallow-selinux.yaml b/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/_ytt_lib/upstream/disallow-selinux/disallow-selinux.yaml
similarity index 100%
rename from carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/00-upstream/disallow-selinux/disallow-selinux.yaml
rename to carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/_ytt_lib/upstream/disallow-selinux/disallow-selinux.yaml
diff --git a/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/00-upstream/restrict-apparmor-profiles/restrict-apparmor-profiles.yaml b/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/_ytt_lib/upstream/restrict-apparmor-profiles/restrict-apparmor-profiles.yaml
similarity index 100%
rename from carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/00-upstream/restrict-apparmor-profiles/restrict-apparmor-profiles.yaml
rename to carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/_ytt_lib/upstream/restrict-apparmor-profiles/restrict-apparmor-profiles.yaml
diff --git a/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/00-upstream/restrict-seccomp/restrict-seccomp.yaml b/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/_ytt_lib/upstream/restrict-seccomp/restrict-seccomp.yaml
similarity index 100%
rename from carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/00-upstream/restrict-seccomp/restrict-seccomp.yaml
rename to carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/_ytt_lib/upstream/restrict-seccomp/restrict-seccomp.yaml
diff --git a/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/00-upstream/restrict-sysctls/restrict-sysctls.yaml b/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/_ytt_lib/upstream/restrict-sysctls/restrict-sysctls.yaml
similarity index 100%
rename from carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/00-upstream/restrict-sysctls/restrict-sysctls.yaml
rename to carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/_ytt_lib/upstream/restrict-sysctls/restrict-sysctls.yaml
diff --git a/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/99-overlays.yaml b/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/overlays.yaml
similarity index 100%
rename from carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/99-overlays.yaml
rename to carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/overlays.yaml
diff --git a/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/resources.yaml b/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/resources.yaml
new file mode 100644
index 00000000..a15d33f4
--- /dev/null
+++ b/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/resources.yaml
@@ -0,0 +1,4 @@
+#@ load("@ytt:library", "library")
+#@ load("@ytt:template", "template")
+
+--- #@ template.replace(library.get("upstream").eval())
diff --git a/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-restricted/00-upstream/disallow-capabilities-strict/disallow-capabilities-strict.yaml b/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-restricted/_ytt_lib/upstream/disallow-capabilities-strict/disallow-capabilities-strict.yaml
similarity index 100%
rename from carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-restricted/00-upstream/disallow-capabilities-strict/disallow-capabilities-strict.yaml
rename to carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-restricted/_ytt_lib/upstream/disallow-capabilities-strict/disallow-capabilities-strict.yaml
diff --git a/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-restricted/00-upstream/disallow-privilege-escalation/disallow-privilege-escalation.yaml b/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-restricted/_ytt_lib/upstream/disallow-privilege-escalation/disallow-privilege-escalation.yaml
similarity index 100%
rename from carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-restricted/00-upstream/disallow-privilege-escalation/disallow-privilege-escalation.yaml
rename to carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-restricted/_ytt_lib/upstream/disallow-privilege-escalation/disallow-privilege-escalation.yaml
diff --git a/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-restricted/00-upstream/require-run-as-non-root-user/require-run-as-non-root-user.yaml b/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-restricted/_ytt_lib/upstream/require-run-as-non-root-user/require-run-as-non-root-user.yaml
similarity index 100%
rename from carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-restricted/00-upstream/require-run-as-non-root-user/require-run-as-non-root-user.yaml
rename to carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-restricted/_ytt_lib/upstream/require-run-as-non-root-user/require-run-as-non-root-user.yaml
diff --git a/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-restricted/00-upstream/require-run-as-nonroot/require-run-as-nonroot.yaml b/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-restricted/_ytt_lib/upstream/require-run-as-nonroot/require-run-as-nonroot.yaml
similarity index 100%
rename from carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-restricted/00-upstream/require-run-as-nonroot/require-run-as-nonroot.yaml
rename to carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-restricted/_ytt_lib/upstream/require-run-as-nonroot/require-run-as-nonroot.yaml
diff --git a/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-restricted/00-upstream/restrict-seccomp-strict/restrict-seccomp-strict.yaml b/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-restricted/_ytt_lib/upstream/restrict-seccomp-strict/restrict-seccomp-strict.yaml
similarity index 100%
rename from carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-restricted/00-upstream/restrict-seccomp-strict/restrict-seccomp-strict.yaml
rename to carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-restricted/_ytt_lib/upstream/restrict-seccomp-strict/restrict-seccomp-strict.yaml
diff --git a/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-restricted/00-upstream/restrict-volume-types/restrict-volume-types.yaml b/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-restricted/_ytt_lib/upstream/restrict-volume-types/restrict-volume-types.yaml
similarity index 100%
rename from carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-restricted/00-upstream/restrict-volume-types/restrict-volume-types.yaml
rename to carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-restricted/_ytt_lib/upstream/restrict-volume-types/restrict-volume-types.yaml
diff --git a/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-restricted/99-overlays.yaml b/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-restricted/overlays.yaml
similarity index 100%
rename from carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-restricted/99-overlays.yaml
rename to carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-restricted/overlays.yaml
diff --git a/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-restricted/resources.yaml b/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-restricted/resources.yaml
new file mode 100644
index 00000000..a15d33f4
--- /dev/null
+++ b/carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-restricted/resources.yaml
@@ -0,0 +1,4 @@
+#@ load("@ytt:library", "library")
+#@ load("@ytt:template", "template")
+
+--- #@ template.replace(library.get("upstream").eval())
diff --git a/vendir.lock.yml b/vendir.lock.yml
index e0005b2e..90eb5061 100644
--- a/vendir.lock.yml
+++ b/vendir.lock.yml
@@ -1,15 +1,32 @@
 apiVersion: vendir.k14s.io/v1alpha1
 directories:
+- contents:
+  - git:
+      commitTitle: tag v1.6.2 (#3511)...
+      sha: 4b2bf039f6f04cc02cf89dae7e15f8bc17b2ad78
+      tags:
+      - v1.6.2
+    path: .
+  path: carvel-packages/cluster-essentials/bundle/config/_ytt_lib/kyverno/_ytt_lib/upstream
+- contents:
+  - git:
+      commitTitle: Fix next tag to be used when cutting a release on a release branch
+        (#4519)...
+      sha: 0acd27591c1d0245a7eb2b2bf72020e8e295db88
+      tags:
+      - v0.12.1
+    path: .
+  path: carvel-packages/cluster-essentials/bundle/config/_ytt_lib/contour/_ytt_lib/upstream
 - contents:
   - git:
       commitTitle: 'Merge pull request #317 from smcaine/update-check-deprecated-apis...'
       sha: 6abd32f8a03c0f98d8d5e90791e53e00d05a4e3e
     path: .
-  path: carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-restricted/00-upstream
+  path: carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-restricted/_ytt_lib/upstream
 - contents:
   - git:
       commitTitle: 'Merge pull request #317 from smcaine/update-check-deprecated-apis...'
       sha: 6abd32f8a03c0f98d8d5e90791e53e00d05a4e3e
     path: .
-  path: carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/00-upstream
+  path: carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/_ytt_lib/upstream
 kind: LockConfig
diff --git a/vendir.yml b/vendir.yml
index 7bc4f5ec..97b00f9d 100644
--- a/vendir.yml
+++ b/vendir.yml
@@ -25,12 +25,12 @@ directories:
 
       newRootPath: addons/packages/contour/1.20.1/bundle/config
 
-  - path: carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-restricted/00-upstream
+  - path: carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-restricted/_ytt_lib/upstream
     contents:
     - path: "."
       git:
         url: https://github.com/kyverno/policies
-        ref: 6abd32f8a03c0f98d8d5e90791e53e00d05a4e3e
+        ref: origin/release-1.7
 
       excludePaths:
       - "**/kustomization.yaml"
@@ -39,12 +39,12 @@ directories:
 
       newRootPath: pod-security/restricted
 
-  - path: carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/00-upstream
+  - path: carvel-packages/training-platform/bundle/config/_ytt_lib/kyverno-baseline/_ytt_lib/upstream
     contents:
     - path: "."
       git:
         url: https://github.com/kyverno/policies
-        ref: 6abd32f8a03c0f98d8d5e90791e53e00d05a4e3e
+        ref: origin/release-1.7
 
       excludePaths:
       - "**/kustomization.yaml"