Merge pull request #138356 from dims/update-moby-spdystream-v0.5.1-1.35

[1.35] Update github.com/moby/spdystream from v0.5.0 to v0.5.1 Kubernetes-commit: 93828861e0b554581ba647d48efaba1ff579afa3
Update github.com/moby/spdystream from v0.5.0 to v0.5.1
2026-05-15 11:43:33 +00:00 · 2026-04-14 15:19:54 +00:00 · 2026-04-13 14:14:40 -04:00 · 2026-03-05 00:46:20 +05:30 · 2026-01-23 11:20:40 +01:00 · 2025-12-05 03:34:45 +00:00
1157 changed files with 28988 additions and 6957 deletions
--- a/ARCHITECTURE.md
+++ b/ARCHITECTURE.md
@@ -0,0 +1,162 @@
+# `client-go` Architecture
+
+This document explains the internal architecture of `client-go` for contributors. It describes the
+major components, how they interact, and the key design decisions that shape the library.
+
+## Client Configuration
+
+There is an architectural separation between loading client configuration and using it. The
+`rest.Config` object is the in-memory representation of this configuration. The
+`tools/clientcmd` package is the standard factory for producing it. `clientcmd` handles the
+complex logic of parsing `kubeconfig` files, merging contexts, and handling external
+authentication providers (e.g., OIDC).
+
+## REST Client
+
+The `rest.Client` is the foundational HTTP client that underpins all other clients. It separates
+the low-level concerns of HTTP transport, serialization, and error handling from higher-level,
+Kubernetes-specific object logic.
+
+The `rest.Config` object is used to build the underlying HTTP transport, which is typically a
+chain of `http.RoundTripper` objects. Each element in the chain is responsible for a specific
+task, such as adding an `Authorization` header. This is the mechanism by which all authentication
+is injected into requests.
+
+The client uses a builder pattern for requests (e.g., `.Verb()`, `.Resource()`), deferring
+response processing until a method like `.Into(&pod)` is called. This separation is key to
+supporting different client models from a common base.
+
+### Endpoint Interactions
+
+*   **Content Negotiation:** The client uses HTTP `Accept` headers to negotiate the wire format
+    (JSON or Protobuf). A key performance optimization using this mechanism is the ability to
+    request metadata-only objects via the `as=PartialObjectMetadata;g=meta.k8s.io;v=v1` Accept custom parameter.
+    Also the `as=Table;g=meta.k8s.io;v=v1` Accept custom parameters may be used to request lists as tables. 
+*   **Subresources:** The client can target standard subresources like `/status` or `/scale` for
+    object mutations, and it can also handle action-oriented subresources like `/logs` or
+    `/exec`, which often involve streaming data.
+*   **List Pagination:** For `LIST` requests, the client can specify a `limit`. The server will
+    return up to that many items and, if more exist, a `continue` token. The client is
+    responsible for passing this token in a subsequent request to retrieve the next page.
+    Higher-level tools like the `Reflector`'s `ListerWatcher` handle this logic automatically.
+*   **Streaming Watches:** A `WATCH` request returns a `watch.Interface` (from
+    `k8s.io/apimachinery/pkg/watch`), which provides a channel of structured `watch.Event`
+    objects (`ADDED`, `MODIFIED`, `DELETED`, `BOOKMARK`). This decouples the watch consumer from
+    the underlying streaming protocol.
+
+### Errors, Warnings, and Rate Limiting
+
+*   **Structured Errors:** The client deserializes non-2xx responses into a structured
+    `errors.StatusError`, enabling programmatic error handling (e.g., `errors.IsNotFound(err)`).
+*   **Warnings:** It processes non-fatal `Warning` headers from the API server via a
+    `WarningHandler`.
+*   **Client-Side Rate Limiting:** The `QPS` and `Burst` settings in `rest.Config` are the
+    client's half of the contract with the server's API Priority and Fairness system.
+*   **Server-Side Throttling:** The client's default transport automatically handles HTTP `429`
+    responses by reading the `Retry-After` header, waiting, and retrying the request.
+
+## Typed and Dynamic Clients
+
+To handle the extensible nature of the Kubernetes API, `client-go` provides two primary client
+models.
+
+The **`kubernetes.Clientset`** provides compile-time, type-safe access to core, built-in APIs.
+
+The **`dynamic.DynamicClient`** represents all objects as `unstructured.Unstructured`, allowing it
+to interact with any API resource, including CRDs. It relies on two discovery mechanisms:
+1.  The **`discovery.DiscoveryClient`** determines *what* resources exist. The
+    **`CachedDiscoveryClient`** is an optimization that caches this data on disk to solve.
+2.  The **OpenAPI schema** (fetched from `/openapi/v3`) describes the *structure* of those
+    resources, providing the schema awareness needed by the dynamic client.
+
+## Code Generation
+
+A core architectural principle of `client-go` is the use of code generation to provide a
+strongly-typed, compile-time-safe interface for specific API GroupVersions. This makes
+controller code more robust and easier to maintain. The tools in `k8s.io/code-generator` produce
+several key components:
+
+*   **Typed Clientsets:** The primary interface for interacting with a specific GroupVersion.
+*   **Typed Listers:** The read-only, cached accessors used by controllers.
+*   **Typed Informers:** The machinery for populating the cache for a specific type.
+*   **Apply Configurations:** The type-safe builders for Server-Side Apply.
+
+A contributor modifying a built-in API type **must** run the code generation scripts to update all
+of these dependent components. For the Kubernetes project, `hack/update-codegen.sh` runs code generation.
+
+`sample-controller` shows how code generate can be configured to build custom controllers.
+
+## Controller Infrastructure
+
+The `tools/cache` package provides the core infrastructure for controllers, replacing a high-load,
+request-based pattern with a low-load, event-driven, cached model.
+
+The data flow is as follows:
+
+```mermaid
+graph TD
+    subgraph "Kubernetes API"
+        API_Server[API Server]
+    end
+
+    subgraph "client-go: Informer Mechanism"
+        Reflector("1. Reflector")
+        DeltaFIFO("2. DeltaFIFO")
+        Indexer["3. Indexer (Cache)"]
+        EventHandlers("4. Event Handlers")
+    end
+
+    subgraph "User Code"
+        WorkQueue["5. Work Queue"]
+        Controller("6. Controller")
+    end
+
+    API_Server -- LIST/WATCH --> Reflector
+    Reflector -- Puts changes into --> DeltaFIFO
+    DeltaFIFO -- Is popped by internal loop, which updates --> Indexer
+    Indexer -- Update triggers --> EventHandlers
+    EventHandlers -- Adds key to --> WorkQueue
+    WorkQueue -- Is processed by --> Controller
+    Controller -- Reads from cache via Lister --> Indexer
+```
+
+A **`Reflector`** performs a `LIST` to get a consistent snapshot of a resource, identified by a
+`resourceVersion`. It then starts a `WATCH` from that `resourceVersion` to receive a continuous
+stream of subsequent changes. The `Reflector`'s relist/rewatch loop is designed to solve the
+**"too old" `resourceVersion` error** by re-listing. To make this recovery more efficient, the
+`Reflector` consumes **watch bookmarks** from the server, which provide a more recent
+`resourceVersion` to restart from.
+
+The **`Lister`** is the primary, read-only, thread-safe interface for a controller's business
+logic to access the `Indexer`'s cache.
+
+## Controller Patterns
+
+The controller infrastructure is architecturally decoupled from the controller's business logic to
+ensure resiliency.
+
+The **`util/workqueue`** creates a critical boundary between event detection (the informer's job)
+and reconciliation (the controller's job). Informer event handlers only add an object's key to the
+work queue. This allows the controller to retry failed operations with exponential backoff without
+blocking the informer's watch stream.
+
+For high availability, the **`tools/leaderelection`** package provides the standard architectural
+solution to ensure single-writer semantics by having replicas compete to acquire a lock on a
+shared `Lease` object.
+
+## Server-Side Apply
+
+`client-go` provides a distinct architectural pattern for object mutation that aligns with the
+server's declarative model. This is a separate workflow from the traditional `get-modify-update`
+model that allows multiple controllers to safely co-manage the same object. The
+**`applyconfigurations`** package provides the generated, type-safe builder API used to
+construct the declarative patch.
+
+## Versioning and Compatibility
+
+`client-go` has a strict versioning relationship with the main Kubernetes repository. A `client-go`
+version `v0.X.Y` corresponds to the Kubernetes version `v1.X.Y`.
+
+The Kubernetes API has strong backward compatibility guarantees: a client built with an older
+version of `client-go` will work with a newer API server. However, the reverse is not guaranteed.
+A contributor must not break compatibility with supported versions of the Kubernetes API server.
--- a/1
+++ b/1
@@ -21,6 +21,7 @@ reviewers:
  - sttts
  - yliaog
  - jpbetz
+  - jefftree
 labels:
  - sig/api-machinery
 emeritus_approvers:
--- a/README.md
+++ b/README.md
@@ -1,3 +1,8 @@
+> ⚠️ **This is an automatically published [staged repository](https://git.k8s.io/kubernetes/staging#external-repository-staging-area) for Kubernetes**.   
+> Contributions, including issues and pull requests, should be made to the main Kubernetes repository: [https://github.com/kubernetes/kubernetes](https://github.com/kubernetes/kubernetes).  
+> This repository is read-only for importing, and not used for direct contributions.  
+> See [CONTRIBUTING.md](./CONTRIBUTING.md) for more details.
+
 # client-go

 Go clients for talking to a [kubernetes](http://kubernetes.io/) cluster.
@@ -75,14 +80,14 @@ We will backport bugfixes--but not new features--into older versions of

 #### Compatibility matrix

-|                               | Kubernetes 1.27 | Kubernetes 1.28 | Kubernetes 1.29 | Kubernetes 1.30 | Kubernetes 1.31 | Kubernetes 1.32 |
+|                               | Kubernetes 1.29 | Kubernetes 1.30 | Kubernetes 1.31 | Kubernetes 1.32 | Kubernetes 1.33 | Kubernetes 1.34 |
 | ----------------------------- | --------------- | --------------- | --------------- | --------------- | --------------- | --------------- |
-| `kubernetes-1.27.0`/`v0.27.0` | ✓               | +-              | +-              | +-              | +-              | +-              |
-| `kubernetes-1.28.0`/`v0.28.0` | +-              | ✓               | +-              | +-              | +-              | +-              |
-| `kubernetes-1.29.0`/`v0.29.0` | +-              | +-              | ✓               | +-              | +-              | +-              |
-| `kubernetes-1.30.0`/`v0.30.0` | +-              | +-              | +-              | ✓               | +-              | +-              |
-| `kubernetes-1.31.0`/`v0.31.0` | +-              | +-              | +-              | +-              | ✓               | +-              |
-| `kubernetes-1.32.0`/`v0.32.0` | +-              | +-              | +-              | +-              | +-              | ✓               |
+| `kubernetes-1.29.0`/`v0.29.0` | ✓               | +-              | +-              | +-              | +-              | +-              |
+| `kubernetes-1.30.0`/`v0.30.0` | +-              | ✓               | +-              | +-              | +-              | +-              |
+| `kubernetes-1.31.0`/`v0.31.0` | +-              | +-              | ✓               | +-              | +-              | +-              |
+| `kubernetes-1.32.0`/`v0.32.0` | +-              | +-              | +-              | ✓               | +-              | +-              |
+| `kubernetes-1.33.0`/`v0.33.0` | +-              | +-              | +-              | +-              | ✓               | +-              |
+| `kubernetes-1.34.0`/`v0.34.0` | +-              | +-              | +-              | +-              | +-              | ✓               |
 | `HEAD`                        | +-              | +-              | +-              | +-              | +-              | +-              |

 Key:
@@ -104,16 +109,16 @@ between client-go versions.

 | Branch         | Canonical source code location      | Maintenance status |
 | -------------- | ----------------------------------- | ------------------ |
-| `release-1.23` | Kubernetes main repo, 1.23 branch   | =-                 |
-| `release-1.24` | Kubernetes main repo, 1.24 branch   | =-                 |
 | `release-1.25` | Kubernetes main repo, 1.25 branch   | =-                 |
 | `release-1.26` | Kubernetes main repo, 1.26 branch   | =-                 |
 | `release-1.27` | Kubernetes main repo, 1.27 branch   | =-                 |
 | `release-1.28` | Kubernetes main repo, 1.28 branch   | =-                 |
-| `release-1.29` | Kubernetes main repo, 1.29 branch   | ✓                  |
-| `release-1.30` | Kubernetes main repo, 1.30 branch   | ✓                  |
-| `release-1.31` | Kubernetes main repo, 1.31 branch   | ✓                  |
+| `release-1.29` | Kubernetes main repo, 1.29 branch   | =-                 |
+| `release-1.30` | Kubernetes main repo, 1.30 branch   | =-                 |
+| `release-1.31` | Kubernetes main repo, 1.31 branch   | =                  |
 | `release-1.32` | Kubernetes main repo, 1.32 branch   | ✓                  |
+| `release-1.33` | Kubernetes main repo, 1.33 branch   | ✓                  |
+| `release-1.34` | Kubernetes main repo, 1.34 branch   | ✓                  |
 | client-go HEAD | Kubernetes main repo, master branch | ✓                  |

 Key:
--- a/applyconfigurations/admissionregistration/v1/auditannotation.go
+++ b/applyconfigurations/admissionregistration/v1/auditannotation.go
@@ -20,8 +20,40 @@ package v1

 // AuditAnnotationApplyConfiguration represents a declarative configuration of the AuditAnnotation type for use
 // with apply.
+//
+// AuditAnnotation describes how to produce an audit annotation for an API request.
 type AuditAnnotationApplyConfiguration struct {
-	Key             *string `json:"key,omitempty"`
+	// key specifies the audit annotation key. The audit annotation keys of
+	// a ValidatingAdmissionPolicy must be unique. The key must be a qualified
+	// name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.
+	//
+	// The key is combined with the resource name of the
+	// ValidatingAdmissionPolicy to construct an audit annotation key:
+	// "{ValidatingAdmissionPolicy name}/{key}".
+	//
+	// If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy
+	// and the same audit annotation key, the annotation key will be identical.
+	// In this case, the first annotation written with the key will be included
+	// in the audit event and all subsequent annotations with the same key
+	// will be discarded.
+	//
+	// Required.
+	Key *string `json:"key,omitempty"`
+	// valueExpression represents the expression which is evaluated by CEL to
+	// produce an audit annotation value. The expression must evaluate to either
+	// a string or null value. If the expression evaluates to a string, the
+	// audit annotation is included with the string value. If the expression
+	// evaluates to null or empty string the audit annotation will be omitted.
+	// The valueExpression may be no longer than 5kb in length.
+	// If the result of the valueExpression is more than 10kb in length, it
+	// will be truncated to 10kb.
+	//
+	// If multiple ValidatingAdmissionPolicyBinding resources match an
+	// API request, then the valueExpression will be evaluated for
+	// each binding. All unique values produced by the valueExpressions
+	// will be joined together in a comma-separated list.
+	//
+	// Required.
 	ValueExpression *string `json:"valueExpression,omitempty"`
 }

--- a/applyconfigurations/admissionregistration/v1/expressionwarning.go
+++ b/applyconfigurations/admissionregistration/v1/expressionwarning.go
@@ -20,9 +20,17 @@ package v1

 // ExpressionWarningApplyConfiguration represents a declarative configuration of the ExpressionWarning type for use
 // with apply.
+//
+// ExpressionWarning is a warning information that targets a specific expression.
 type ExpressionWarningApplyConfiguration struct {
+	// The path to the field that refers the expression.
+	// For example, the reference to the expression of the first item of
+	// validations is "spec.validations[0].expression"
 	FieldRef *string `json:"fieldRef,omitempty"`
-	Warning  *string `json:"warning,omitempty"`
+	// The content of type checking information in a human-readable form.
+	// Each line of the warning contains the type that the expression is checked
+	// against, followed by the type check error from the compiler.
+	Warning *string `json:"warning,omitempty"`
 }

 // ExpressionWarningApplyConfiguration constructs a declarative configuration of the ExpressionWarning type for use with
--- a/applyconfigurations/admissionregistration/v1/matchcondition.go
+++ b/applyconfigurations/admissionregistration/v1/matchcondition.go
@@ -20,8 +20,32 @@ package v1

 // MatchConditionApplyConfiguration represents a declarative configuration of the MatchCondition type for use
 // with apply.
+//
+// MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook.
 type MatchConditionApplyConfiguration struct {
-	Name       *string `json:"name,omitempty"`
+	// Name is an identifier for this match condition, used for strategic merging of MatchConditions,
+	// as well as providing an identifier for logging purposes. A good name should be descriptive of
+	// the associated expression.
+	// Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
+	// must start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or
+	// '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
+	// optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
+	//
+	// Required.
+	Name *string `json:"name,omitempty"`
+	// Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
+	// CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
+	//
+	// 'object' - The object from the incoming request. The value is null for DELETE requests.
+	// 'oldObject' - The existing object. The value is null for CREATE requests.
+	// 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
+	// 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
+	// See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
+	// 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
+	// request resource.
+	// Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
+	//
+	// Required.
 	Expression *string `json:"expression,omitempty"`
 }

--- a/applyconfigurations/admissionregistration/v1/matchresources.go
+++ b/applyconfigurations/admissionregistration/v1/matchresources.go
@@ -25,12 +25,88 @@ import (

 // MatchResourcesApplyConfiguration represents a declarative configuration of the MatchResources type for use
 // with apply.
+//
+// MatchResources decides whether to run the admission control policy on an object based
+// on whether it meets the match criteria.
+// The exclude rules take precedence over include rules (if a resource matches both, it is excluded)
 type MatchResourcesApplyConfiguration struct {
-	NamespaceSelector    *metav1.LabelSelectorApplyConfiguration     `json:"namespaceSelector,omitempty"`
-	ObjectSelector       *metav1.LabelSelectorApplyConfiguration     `json:"objectSelector,omitempty"`
-	ResourceRules        []NamedRuleWithOperationsApplyConfiguration `json:"resourceRules,omitempty"`
+	// NamespaceSelector decides whether to run the admission control policy on an object based
+	// on whether the namespace for that object matches the selector. If the
+	// object itself is a namespace, the matching is performed on
+	// object.metadata.labels. If the object is another cluster scoped resource,
+	// it never skips the policy.
+	//
+	// For example, to run the webhook on any objects whose namespace is not
+	// associated with "runlevel" of "0" or "1";  you will set the selector as
+	// follows:
+	// "namespaceSelector": {
+	// "matchExpressions": [
+	// {
+	// "key": "runlevel",
+	// "operator": "NotIn",
+	// "values": [
+	// "0",
+	// "1"
+	// ]
+	// }
+	// ]
+	// }
+	//
+	// If instead you want to only run the policy on any objects whose
+	// namespace is associated with the "environment" of "prod" or "staging";
+	// you will set the selector as follows:
+	// "namespaceSelector": {
+	// "matchExpressions": [
+	// {
+	// "key": "environment",
+	// "operator": "In",
+	// "values": [
+	// "prod",
+	// "staging"
+	// ]
+	// }
+	// ]
+	// }
+	//
+	// See
+	// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+	// for more examples of label selectors.
+	//
+	// Default to the empty LabelSelector, which matches everything.
+	NamespaceSelector *metav1.LabelSelectorApplyConfiguration `json:"namespaceSelector,omitempty"`
+	// ObjectSelector decides whether to run the validation based on if the
+	// object has matching labels. objectSelector is evaluated against both
+	// the oldObject and newObject that would be sent to the cel validation, and
+	// is considered to match if either object matches the selector. A null
+	// object (oldObject in the case of create, or newObject in the case of
+	// delete) or an object that cannot have labels (like a
+	// DeploymentRollback or a PodProxyOptions object) is not considered to
+	// match.
+	// Use the object selector only if the webhook is opt-in, because end
+	// users may skip the admission webhook by setting the labels.
+	// Default to the empty LabelSelector, which matches everything.
+	ObjectSelector *metav1.LabelSelectorApplyConfiguration `json:"objectSelector,omitempty"`
+	// ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches.
+	// The policy cares about an operation if it matches _any_ Rule.
+	ResourceRules []NamedRuleWithOperationsApplyConfiguration `json:"resourceRules,omitempty"`
+	// ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about.
+	// The exclude rules take precedence over include rules (if a resource matches both, it is excluded)
 	ExcludeResourceRules []NamedRuleWithOperationsApplyConfiguration `json:"excludeResourceRules,omitempty"`
-	MatchPolicy          *admissionregistrationv1.MatchPolicyType    `json:"matchPolicy,omitempty"`
+	// matchPolicy defines how the "MatchResources" list is used to match incoming requests.
+	// Allowed values are "Exact" or "Equivalent".
+	//
+	// - Exact: match a request only if it exactly matches a specified rule.
+	// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
+	// but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
+	// a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.
+	//
+	// - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.
+	// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
+	// and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
+	// a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.
+	//
+	// Defaults to "Equivalent"
+	MatchPolicy *admissionregistrationv1.MatchPolicyType `json:"matchPolicy,omitempty"`
 }

 // MatchResourcesApplyConfiguration constructs a declarative configuration of the MatchResources type for use with
--- a/applyconfigurations/admissionregistration/v1/mutatingwebhook.go
+++ b/applyconfigurations/admissionregistration/v1/mutatingwebhook.go
@@ -25,19 +25,148 @@ import (

 // MutatingWebhookApplyConfiguration represents a declarative configuration of the MutatingWebhook type for use
 // with apply.
+//
+// MutatingWebhook describes an admission webhook and the resources and operations it applies to.
 type MutatingWebhookApplyConfiguration struct {
-	Name                    *string                                         `json:"name,omitempty"`
-	ClientConfig            *WebhookClientConfigApplyConfiguration          `json:"clientConfig,omitempty"`
-	Rules                   []RuleWithOperationsApplyConfiguration          `json:"rules,omitempty"`
-	FailurePolicy           *admissionregistrationv1.FailurePolicyType      `json:"failurePolicy,omitempty"`
-	MatchPolicy             *admissionregistrationv1.MatchPolicyType        `json:"matchPolicy,omitempty"`
-	NamespaceSelector       *metav1.LabelSelectorApplyConfiguration         `json:"namespaceSelector,omitempty"`
-	ObjectSelector          *metav1.LabelSelectorApplyConfiguration         `json:"objectSelector,omitempty"`
-	SideEffects             *admissionregistrationv1.SideEffectClass        `json:"sideEffects,omitempty"`
-	TimeoutSeconds          *int32                                          `json:"timeoutSeconds,omitempty"`
-	AdmissionReviewVersions []string                                        `json:"admissionReviewVersions,omitempty"`
-	ReinvocationPolicy      *admissionregistrationv1.ReinvocationPolicyType `json:"reinvocationPolicy,omitempty"`
-	MatchConditions         []MatchConditionApplyConfiguration              `json:"matchConditions,omitempty"`
+	// The name of the admission webhook.
+	// Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where
+	// "imagepolicy" is the name of the webhook, and kubernetes.io is the name
+	// of the organization.
+	// Required.
+	Name *string `json:"name,omitempty"`
+	// ClientConfig defines how to communicate with the hook.
+	// Required
+	ClientConfig *WebhookClientConfigApplyConfiguration `json:"clientConfig,omitempty"`
+	// Rules describes what operations on what resources/subresources the webhook cares about.
+	// The webhook cares about an operation if it matches _any_ Rule.
+	// However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks
+	// from putting the cluster in a state which cannot be recovered from without completely
+	// disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called
+	// on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects.
+	Rules []RuleWithOperationsApplyConfiguration `json:"rules,omitempty"`
+	// FailurePolicy defines how unrecognized errors from the admission endpoint are handled -
+	// allowed values are Ignore or Fail. Defaults to Fail.
+	FailurePolicy *admissionregistrationv1.FailurePolicyType `json:"failurePolicy,omitempty"`
+	// matchPolicy defines how the "rules" list is used to match incoming requests.
+	// Allowed values are "Exact" or "Equivalent".
+	//
+	// - Exact: match a request only if it exactly matches a specified rule.
+	// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
+	// but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
+	// a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.
+	//
+	// - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.
+	// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
+	// and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
+	// a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.
+	//
+	// Defaults to "Equivalent"
+	MatchPolicy *admissionregistrationv1.MatchPolicyType `json:"matchPolicy,omitempty"`
+	// NamespaceSelector decides whether to run the webhook on an object based
+	// on whether the namespace for that object matches the selector. If the
+	// object itself is a namespace, the matching is performed on
+	// object.metadata.labels. If the object is another cluster scoped resource,
+	// it never skips the webhook.
+	//
+	// For example, to run the webhook on any objects whose namespace is not
+	// associated with "runlevel" of "0" or "1";  you will set the selector as
+	// follows:
+	// "namespaceSelector": {
+	// "matchExpressions": [
+	// {
+	// "key": "runlevel",
+	// "operator": "NotIn",
+	// "values": [
+	// "0",
+	// "1"
+	// ]
+	// }
+	// ]
+	// }
+	//
+	// If instead you want to only run the webhook on any objects whose
+	// namespace is associated with the "environment" of "prod" or "staging";
+	// you will set the selector as follows:
+	// "namespaceSelector": {
+	// "matchExpressions": [
+	// {
+	// "key": "environment",
+	// "operator": "In",
+	// "values": [
+	// "prod",
+	// "staging"
+	// ]
+	// }
+	// ]
+	// }
+	//
+	// See
+	// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+	// for more examples of label selectors.
+	//
+	// Default to the empty LabelSelector, which matches everything.
+	NamespaceSelector *metav1.LabelSelectorApplyConfiguration `json:"namespaceSelector,omitempty"`
+	// ObjectSelector decides whether to run the webhook based on if the
+	// object has matching labels. objectSelector is evaluated against both
+	// the oldObject and newObject that would be sent to the webhook, and
+	// is considered to match if either object matches the selector. A null
+	// object (oldObject in the case of create, or newObject in the case of
+	// delete) or an object that cannot have labels (like a
+	// DeploymentRollback or a PodProxyOptions object) is not considered to
+	// match.
+	// Use the object selector only if the webhook is opt-in, because end
+	// users may skip the admission webhook by setting the labels.
+	// Default to the empty LabelSelector, which matches everything.
+	ObjectSelector *metav1.LabelSelectorApplyConfiguration `json:"objectSelector,omitempty"`
+	// SideEffects states whether this webhook has side effects.
+	// Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown).
+	// Webhooks with side effects MUST implement a reconciliation system, since a request may be
+	// rejected by a future step in the admission chain and the side effects therefore need to be undone.
+	// Requests with the dryRun attribute will be auto-rejected if they match a webhook with
+	// sideEffects == Unknown or Some.
+	SideEffects *admissionregistrationv1.SideEffectClass `json:"sideEffects,omitempty"`
+	// TimeoutSeconds specifies the timeout for this webhook. After the timeout passes,
+	// the webhook call will be ignored or the API call will fail based on the
+	// failure policy.
+	// The timeout value must be between 1 and 30 seconds.
+	// Default to 10 seconds.
+	TimeoutSeconds *int32 `json:"timeoutSeconds,omitempty"`
+	// AdmissionReviewVersions is an ordered list of preferred `AdmissionReview`
+	// versions the Webhook expects. API server will try to use first version in
+	// the list which it supports. If none of the versions specified in this list
+	// supported by API server, validation will fail for this object.
+	// If a persisted webhook configuration specifies allowed versions and does not
+	// include any versions known to the API Server, calls to the webhook will fail
+	// and be subject to the failure policy.
+	AdmissionReviewVersions []string `json:"admissionReviewVersions,omitempty"`
+	// reinvocationPolicy indicates whether this webhook should be called multiple times as part of a single admission evaluation.
+	// Allowed values are "Never" and "IfNeeded".
+	//
+	// Never: the webhook will not be called more than once in a single admission evaluation.
+	//
+	// IfNeeded: the webhook will be called at least one additional time as part of the admission evaluation
+	// if the object being admitted is modified by other admission plugins after the initial webhook call.
+	// Webhooks that specify this option *must* be idempotent, able to process objects they previously admitted.
+	// Note:
+	// * the number of additional invocations is not guaranteed to be exactly one.
+	// * if additional invocations result in further modifications to the object, webhooks are not guaranteed to be invoked again.
+	// * webhooks that use this option may be reordered to minimize the number of additional invocations.
+	// * to validate an object after all mutations are guaranteed complete, use a validating admission webhook instead.
+	//
+	// Defaults to "Never".
+	ReinvocationPolicy *admissionregistrationv1.ReinvocationPolicyType `json:"reinvocationPolicy,omitempty"`
+	// MatchConditions is a list of conditions that must be met for a request to be sent to this
+	// webhook. Match conditions filter requests that have already been matched by the rules,
+	// namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.
+	// There are a maximum of 64 match conditions allowed.
+	//
+	// The exact matching logic is (in order):
+	// 1. If ANY matchCondition evaluates to FALSE, the webhook is skipped.
+	// 2. If ALL matchConditions evaluate to TRUE, the webhook is called.
+	// 3. If any matchCondition evaluates to an error (but none are FALSE):
+	// - If failurePolicy=Fail, reject the request
+	// - If failurePolicy=Ignore, the error is ignored and the webhook is skipped
+	MatchConditions []MatchConditionApplyConfiguration `json:"matchConditions,omitempty"`
 }

 // MutatingWebhookApplyConfiguration constructs a declarative configuration of the MutatingWebhook type for use with
--- a/applyconfigurations/admissionregistration/v1/mutatingwebhookconfiguration.go
+++ b/applyconfigurations/admissionregistration/v1/mutatingwebhookconfiguration.go
@@ -29,10 +29,14 @@ import (

 // MutatingWebhookConfigurationApplyConfiguration represents a declarative configuration of the MutatingWebhookConfiguration type for use
 // with apply.
+//
+// MutatingWebhookConfiguration describes the configuration of and admission webhook that accept or reject and may change the object.
 type MutatingWebhookConfigurationApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Webhooks                             []MutatingWebhookApplyConfiguration `json:"webhooks,omitempty"`
+	// Webhooks is a list of webhooks and the affected resources and operations.
+	Webhooks []MutatingWebhookApplyConfiguration `json:"webhooks,omitempty"`
 }

 // MutatingWebhookConfiguration constructs a declarative configuration of the MutatingWebhookConfiguration type for use with
@@ -45,29 +49,14 @@ func MutatingWebhookConfiguration(name string) *MutatingWebhookConfigurationAppl
 	return b
 }

-// ExtractMutatingWebhookConfiguration extracts the applied configuration owned by fieldManager from
-// mutatingWebhookConfiguration. If no managedFields are found in mutatingWebhookConfiguration for fieldManager, a
-// MutatingWebhookConfigurationApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractMutatingWebhookConfigurationFrom extracts the applied configuration owned by fieldManager from
+// mutatingWebhookConfiguration for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // mutatingWebhookConfiguration must be a unmodified MutatingWebhookConfiguration API object that was retrieved from the Kubernetes API.
-// ExtractMutatingWebhookConfiguration provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractMutatingWebhookConfigurationFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractMutatingWebhookConfiguration(mutatingWebhookConfiguration *admissionregistrationv1.MutatingWebhookConfiguration, fieldManager string) (*MutatingWebhookConfigurationApplyConfiguration, error) {
-	return extractMutatingWebhookConfiguration(mutatingWebhookConfiguration, fieldManager, "")
-}
-
-// ExtractMutatingWebhookConfigurationStatus is the same as ExtractMutatingWebhookConfiguration except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractMutatingWebhookConfigurationStatus(mutatingWebhookConfiguration *admissionregistrationv1.MutatingWebhookConfiguration, fieldManager string) (*MutatingWebhookConfigurationApplyConfiguration, error) {
-	return extractMutatingWebhookConfiguration(mutatingWebhookConfiguration, fieldManager, "status")
-}
-
-func extractMutatingWebhookConfiguration(mutatingWebhookConfiguration *admissionregistrationv1.MutatingWebhookConfiguration, fieldManager string, subresource string) (*MutatingWebhookConfigurationApplyConfiguration, error) {
+func ExtractMutatingWebhookConfigurationFrom(mutatingWebhookConfiguration *admissionregistrationv1.MutatingWebhookConfiguration, fieldManager string, subresource string) (*MutatingWebhookConfigurationApplyConfiguration, error) {
 	b := &MutatingWebhookConfigurationApplyConfiguration{}
 	err := managedfields.ExtractInto(mutatingWebhookConfiguration, internal.Parser().Type("io.k8s.api.admissionregistration.v1.MutatingWebhookConfiguration"), fieldManager, b, subresource)
 	if err != nil {
@@ -79,6 +68,21 @@ func extractMutatingWebhookConfiguration(mutatingWebhookConfiguration *admission
 	b.WithAPIVersion("admissionregistration.k8s.io/v1")
 	return b, nil
 }
+
+// ExtractMutatingWebhookConfiguration extracts the applied configuration owned by fieldManager from
+// mutatingWebhookConfiguration. If no managedFields are found in mutatingWebhookConfiguration for fieldManager, a
+// MutatingWebhookConfigurationApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// mutatingWebhookConfiguration must be a unmodified MutatingWebhookConfiguration API object that was retrieved from the Kubernetes API.
+// ExtractMutatingWebhookConfiguration provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractMutatingWebhookConfiguration(mutatingWebhookConfiguration *admissionregistrationv1.MutatingWebhookConfiguration, fieldManager string) (*MutatingWebhookConfigurationApplyConfiguration, error) {
+	return ExtractMutatingWebhookConfigurationFrom(mutatingWebhookConfiguration, fieldManager, "")
+}
+
 func (b MutatingWebhookConfigurationApplyConfiguration) IsApplyConfiguration() {}

 // WithKind sets the Kind field in the declarative configuration to the given value
--- a/applyconfigurations/admissionregistration/v1/namedrulewithoperations.go
+++ b/applyconfigurations/admissionregistration/v1/namedrulewithoperations.go
@@ -24,8 +24,12 @@ import (

 // NamedRuleWithOperationsApplyConfiguration represents a declarative configuration of the NamedRuleWithOperations type for use
 // with apply.
+//
+// NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.
 type NamedRuleWithOperationsApplyConfiguration struct {
-	ResourceNames                        []string `json:"resourceNames,omitempty"`
+	// ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.
+	ResourceNames []string `json:"resourceNames,omitempty"`
+	// RuleWithOperations is a tuple of Operations and Resources.
 	RuleWithOperationsApplyConfiguration `json:",inline"`
 }

--- a/applyconfigurations/admissionregistration/v1/paramkind.go
+++ b/applyconfigurations/admissionregistration/v1/paramkind.go
@@ -20,9 +20,16 @@ package v1

 // ParamKindApplyConfiguration represents a declarative configuration of the ParamKind type for use
 // with apply.
+//
+// ParamKind is a tuple of Group Kind and Version.
 type ParamKindApplyConfiguration struct {
+	// APIVersion is the API group version the resources belong to.
+	// In format of "group/version".
+	// Required.
 	APIVersion *string `json:"apiVersion,omitempty"`
-	Kind       *string `json:"kind,omitempty"`
+	// Kind is the API kind the resources belong to.
+	// Required.
+	Kind *string `json:"kind,omitempty"`
 }

 // ParamKindApplyConfiguration constructs a declarative configuration of the ParamKind type for use with
--- a/applyconfigurations/admissionregistration/v1/paramref.go
+++ b/applyconfigurations/admissionregistration/v1/paramref.go
@@ -25,10 +25,53 @@ import (

 // ParamRefApplyConfiguration represents a declarative configuration of the ParamRef type for use
 // with apply.
+//
+// ParamRef describes how to locate the params to be used as input to
+// expressions of rules applied by a policy binding.
 type ParamRefApplyConfiguration struct {
-	Name                    *string                                              `json:"name,omitempty"`
-	Namespace               *string                                              `json:"namespace,omitempty"`
-	Selector                *metav1.LabelSelectorApplyConfiguration              `json:"selector,omitempty"`
+	// name is the name of the resource being referenced.
+	//
+	// One of `name` or `selector` must be set, but `name` and `selector` are
+	// mutually exclusive properties. If one is set, the other must be unset.
+	//
+	// A single parameter used for all admission requests can be configured
+	// by setting the `name` field, leaving `selector` blank, and setting namespace
+	// if `paramKind` is namespace-scoped.
+	Name *string `json:"name,omitempty"`
+	// namespace is the namespace of the referenced resource. Allows limiting
+	// the search for params to a specific namespace. Applies to both `name` and
+	// `selector` fields.
+	//
+	// A per-namespace parameter may be used by specifying a namespace-scoped
+	// `paramKind` in the policy and leaving this field empty.
+	//
+	// - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this
+	// field results in a configuration error.
+	//
+	// - If `paramKind` is namespace-scoped, the namespace of the object being
+	// evaluated for admission will be used when this field is left unset. Take
+	// care that if this is left empty the binding must not match any cluster-scoped
+	// resources, which will result in an error.
+	Namespace *string `json:"namespace,omitempty"`
+	// selector can be used to match multiple param objects based on their labels.
+	// Supply selector: {} to match all resources of the ParamKind.
+	//
+	// If multiple params are found, they are all evaluated with the policy expressions
+	// and the results are ANDed together.
+	//
+	// One of `name` or `selector` must be set, but `name` and `selector` are
+	// mutually exclusive properties. If one is set, the other must be unset.
+	Selector *metav1.LabelSelectorApplyConfiguration `json:"selector,omitempty"`
+	// `parameterNotFoundAction` controls the behavior of the binding when the resource
+	// exists, and name or selector is valid, but there are no parameters
+	// matched by the binding. If the value is set to `Allow`, then no
+	// matched parameters will be treated as successful validation by the binding.
+	// If set to `Deny`, then no matched parameters will be subject to the
+	// `failurePolicy` of the policy.
+	//
+	// Allowed values are `Allow` or `Deny`
+	//
+	// Required
 	ParameterNotFoundAction *admissionregistrationv1.ParameterNotFoundActionType `json:"parameterNotFoundAction,omitempty"`
 }

--- a/applyconfigurations/admissionregistration/v1/rule.go
+++ b/applyconfigurations/admissionregistration/v1/rule.go
@@ -24,11 +24,43 @@ import (

 // RuleApplyConfiguration represents a declarative configuration of the Rule type for use
 // with apply.
+//
+// Rule is a tuple of APIGroups, APIVersion, and Resources.It is recommended
+// to make sure that all the tuple expansions are valid.
 type RuleApplyConfiguration struct {
-	APIGroups   []string                           `json:"apiGroups,omitempty"`
-	APIVersions []string                           `json:"apiVersions,omitempty"`
-	Resources   []string                           `json:"resources,omitempty"`
-	Scope       *admissionregistrationv1.ScopeType `json:"scope,omitempty"`
+	// APIGroups is the API groups the resources belong to. '*' is all groups.
+	// If '*' is present, the length of the slice must be one.
+	// Required.
+	APIGroups []string `json:"apiGroups,omitempty"`
+	// APIVersions is the API versions the resources belong to. '*' is all versions.
+	// If '*' is present, the length of the slice must be one.
+	// Required.
+	APIVersions []string `json:"apiVersions,omitempty"`
+	// Resources is a list of resources this rule applies to.
+	//
+	// For example:
+	// 'pods' means pods.
+	// 'pods/log' means the log subresource of pods.
+	// '*' means all resources, but not subresources.
+	// 'pods/*' means all subresources of pods.
+	// '*/scale' means all scale subresources.
+	// '*/*' means all resources and their subresources.
+	//
+	// If wildcard is present, the validation rule will ensure resources do not
+	// overlap with each other.
+	//
+	// Depending on the enclosing object, subresources might not be allowed.
+	// Required.
+	Resources []string `json:"resources,omitempty"`
+	// scope specifies the scope of this rule.
+	// Valid values are "Cluster", "Namespaced", and "*"
+	// "Cluster" means that only cluster-scoped resources will match this rule.
+	// Namespace API objects are cluster-scoped.
+	// "Namespaced" means that only namespaced resources will match this rule.
+	// "*" means that there are no scope restrictions.
+	// Subresources match the scope of their parent resource.
+	// Default is "*".
+	Scope *admissionregistrationv1.ScopeType `json:"scope,omitempty"`
 }

 // RuleApplyConfiguration constructs a declarative configuration of the Rule type for use with
--- a/applyconfigurations/admissionregistration/v1/rulewithoperations.go
+++ b/applyconfigurations/admissionregistration/v1/rulewithoperations.go
@@ -24,8 +24,17 @@ import (

 // RuleWithOperationsApplyConfiguration represents a declarative configuration of the RuleWithOperations type for use
 // with apply.
+//
+// RuleWithOperations is a tuple of Operations and Resources. It is recommended to make
+// sure that all the tuple expansions are valid.
 type RuleWithOperationsApplyConfiguration struct {
-	Operations             []admissionregistrationv1.OperationType `json:"operations,omitempty"`
+	// Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *
+	// for all of those operations and any future admission operations that are added.
+	// If '*' is present, the length of the slice must be one.
+	// Required.
+	Operations []admissionregistrationv1.OperationType `json:"operations,omitempty"`
+	// Rule is embedded, it describes other criteria of the rule, like
+	// APIGroups, APIVersions, Resources, etc.
 	RuleApplyConfiguration `json:",inline"`
 }

--- a/applyconfigurations/admissionregistration/v1/servicereference.go
+++ b/applyconfigurations/admissionregistration/v1/servicereference.go
@@ -20,11 +20,22 @@ package v1

 // ServiceReferenceApplyConfiguration represents a declarative configuration of the ServiceReference type for use
 // with apply.
+//
+// ServiceReference holds a reference to Service.legacy.k8s.io
 type ServiceReferenceApplyConfiguration struct {
+	// `namespace` is the namespace of the service.
+	// Required
 	Namespace *string `json:"namespace,omitempty"`
-	Name      *string `json:"name,omitempty"`
-	Path      *string `json:"path,omitempty"`
-	Port      *int32  `json:"port,omitempty"`
+	// `name` is the name of the service.
+	// Required
+	Name *string `json:"name,omitempty"`
+	// `path` is an optional URL path which will be sent in any request to
+	// this service.
+	Path *string `json:"path,omitempty"`
+	// If specified, the port on the service that hosting webhook.
+	// Default to 443 for backward compatibility.
+	// `port` should be a valid port number (1-65535, inclusive).
+	Port *int32 `json:"port,omitempty"`
 }

 // ServiceReferenceApplyConfiguration constructs a declarative configuration of the ServiceReference type for use with
--- a/applyconfigurations/admissionregistration/v1/typechecking.go
+++ b/applyconfigurations/admissionregistration/v1/typechecking.go
@@ -20,7 +20,11 @@ package v1

 // TypeCheckingApplyConfiguration represents a declarative configuration of the TypeChecking type for use
 // with apply.
+//
+// TypeChecking contains results of type checking the expressions in the
+// ValidatingAdmissionPolicy
 type TypeCheckingApplyConfiguration struct {
+	// The type checking warnings for each expression.
 	ExpressionWarnings []ExpressionWarningApplyConfiguration `json:"expressionWarnings,omitempty"`
 }

--- a/applyconfigurations/admissionregistration/v1/validatingadmissionpolicy.go
+++ b/applyconfigurations/admissionregistration/v1/validatingadmissionpolicy.go
@@ -29,11 +29,19 @@ import (

 // ValidatingAdmissionPolicyApplyConfiguration represents a declarative configuration of the ValidatingAdmissionPolicy type for use
 // with apply.
+//
+// ValidatingAdmissionPolicy describes the definition of an admission validation policy that accepts or rejects an object without changing it.
 type ValidatingAdmissionPolicyApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                                 *ValidatingAdmissionPolicySpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                               *ValidatingAdmissionPolicyStatusApplyConfiguration `json:"status,omitempty"`
+	// Specification of the desired behavior of the ValidatingAdmissionPolicy.
+	Spec *ValidatingAdmissionPolicySpecApplyConfiguration `json:"spec,omitempty"`
+	// The status of the ValidatingAdmissionPolicy, including warnings that are useful to determine if the policy
+	// behaves in the expected way.
+	// Populated by the system.
+	// Read-only.
+	Status *ValidatingAdmissionPolicyStatusApplyConfiguration `json:"status,omitempty"`
 }

 // ValidatingAdmissionPolicy constructs a declarative configuration of the ValidatingAdmissionPolicy type for use with
@@ -46,29 +54,14 @@ func ValidatingAdmissionPolicy(name string) *ValidatingAdmissionPolicyApplyConfi
 	return b
 }

-// ExtractValidatingAdmissionPolicy extracts the applied configuration owned by fieldManager from
-// validatingAdmissionPolicy. If no managedFields are found in validatingAdmissionPolicy for fieldManager, a
-// ValidatingAdmissionPolicyApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractValidatingAdmissionPolicyFrom extracts the applied configuration owned by fieldManager from
+// validatingAdmissionPolicy for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // validatingAdmissionPolicy must be a unmodified ValidatingAdmissionPolicy API object that was retrieved from the Kubernetes API.
-// ExtractValidatingAdmissionPolicy provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractValidatingAdmissionPolicyFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractValidatingAdmissionPolicy(validatingAdmissionPolicy *admissionregistrationv1.ValidatingAdmissionPolicy, fieldManager string) (*ValidatingAdmissionPolicyApplyConfiguration, error) {
-	return extractValidatingAdmissionPolicy(validatingAdmissionPolicy, fieldManager, "")
-}
-
-// ExtractValidatingAdmissionPolicyStatus is the same as ExtractValidatingAdmissionPolicy except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractValidatingAdmissionPolicyStatus(validatingAdmissionPolicy *admissionregistrationv1.ValidatingAdmissionPolicy, fieldManager string) (*ValidatingAdmissionPolicyApplyConfiguration, error) {
-	return extractValidatingAdmissionPolicy(validatingAdmissionPolicy, fieldManager, "status")
-}
-
-func extractValidatingAdmissionPolicy(validatingAdmissionPolicy *admissionregistrationv1.ValidatingAdmissionPolicy, fieldManager string, subresource string) (*ValidatingAdmissionPolicyApplyConfiguration, error) {
+func ExtractValidatingAdmissionPolicyFrom(validatingAdmissionPolicy *admissionregistrationv1.ValidatingAdmissionPolicy, fieldManager string, subresource string) (*ValidatingAdmissionPolicyApplyConfiguration, error) {
 	b := &ValidatingAdmissionPolicyApplyConfiguration{}
 	err := managedfields.ExtractInto(validatingAdmissionPolicy, internal.Parser().Type("io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicy"), fieldManager, b, subresource)
 	if err != nil {
@@ -80,6 +73,27 @@ func extractValidatingAdmissionPolicy(validatingAdmissionPolicy *admissionregist
 	b.WithAPIVersion("admissionregistration.k8s.io/v1")
 	return b, nil
 }
+
+// ExtractValidatingAdmissionPolicy extracts the applied configuration owned by fieldManager from
+// validatingAdmissionPolicy. If no managedFields are found in validatingAdmissionPolicy for fieldManager, a
+// ValidatingAdmissionPolicyApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// validatingAdmissionPolicy must be a unmodified ValidatingAdmissionPolicy API object that was retrieved from the Kubernetes API.
+// ExtractValidatingAdmissionPolicy provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractValidatingAdmissionPolicy(validatingAdmissionPolicy *admissionregistrationv1.ValidatingAdmissionPolicy, fieldManager string) (*ValidatingAdmissionPolicyApplyConfiguration, error) {
+	return ExtractValidatingAdmissionPolicyFrom(validatingAdmissionPolicy, fieldManager, "")
+}
+
+// ExtractValidatingAdmissionPolicyStatus extracts the applied configuration owned by fieldManager from
+// validatingAdmissionPolicy for the status subresource.
+func ExtractValidatingAdmissionPolicyStatus(validatingAdmissionPolicy *admissionregistrationv1.ValidatingAdmissionPolicy, fieldManager string) (*ValidatingAdmissionPolicyApplyConfiguration, error) {
+	return ExtractValidatingAdmissionPolicyFrom(validatingAdmissionPolicy, fieldManager, "status")
+}
+
 func (b ValidatingAdmissionPolicyApplyConfiguration) IsApplyConfiguration() {}

 // WithKind sets the Kind field in the declarative configuration to the given value
--- a/applyconfigurations/admissionregistration/v1/validatingadmissionpolicybinding.go
+++ b/applyconfigurations/admissionregistration/v1/validatingadmissionpolicybinding.go
@@ -29,10 +29,24 @@ import (

 // ValidatingAdmissionPolicyBindingApplyConfiguration represents a declarative configuration of the ValidatingAdmissionPolicyBinding type for use
 // with apply.
+//
+// ValidatingAdmissionPolicyBinding binds the ValidatingAdmissionPolicy with paramerized resources.
+// ValidatingAdmissionPolicyBinding and parameter CRDs together define how cluster administrators configure policies for clusters.
+//
+// For a given admission request, each binding will cause its policy to be
+// evaluated N times, where N is 1 for policies/bindings that don't use
+// params, otherwise N is the number of parameters selected by the binding.
+//
+// The CEL expressions of a policy must have a computed CEL cost below the maximum
+// CEL budget. Each evaluation of the policy is given an independent CEL cost budget.
+// Adding/removing policies, bindings, or params can not affect whether a
+// given (policy, binding, param) combination is within its own CEL budget.
 type ValidatingAdmissionPolicyBindingApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                                 *ValidatingAdmissionPolicyBindingSpecApplyConfiguration `json:"spec,omitempty"`
+	// Specification of the desired behavior of the ValidatingAdmissionPolicyBinding.
+	Spec *ValidatingAdmissionPolicyBindingSpecApplyConfiguration `json:"spec,omitempty"`
 }

 // ValidatingAdmissionPolicyBinding constructs a declarative configuration of the ValidatingAdmissionPolicyBinding type for use with
@@ -45,29 +59,14 @@ func ValidatingAdmissionPolicyBinding(name string) *ValidatingAdmissionPolicyBin
 	return b
 }

-// ExtractValidatingAdmissionPolicyBinding extracts the applied configuration owned by fieldManager from
-// validatingAdmissionPolicyBinding. If no managedFields are found in validatingAdmissionPolicyBinding for fieldManager, a
-// ValidatingAdmissionPolicyBindingApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractValidatingAdmissionPolicyBindingFrom extracts the applied configuration owned by fieldManager from
+// validatingAdmissionPolicyBinding for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // validatingAdmissionPolicyBinding must be a unmodified ValidatingAdmissionPolicyBinding API object that was retrieved from the Kubernetes API.
-// ExtractValidatingAdmissionPolicyBinding provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractValidatingAdmissionPolicyBindingFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractValidatingAdmissionPolicyBinding(validatingAdmissionPolicyBinding *admissionregistrationv1.ValidatingAdmissionPolicyBinding, fieldManager string) (*ValidatingAdmissionPolicyBindingApplyConfiguration, error) {
-	return extractValidatingAdmissionPolicyBinding(validatingAdmissionPolicyBinding, fieldManager, "")
-}
-
-// ExtractValidatingAdmissionPolicyBindingStatus is the same as ExtractValidatingAdmissionPolicyBinding except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractValidatingAdmissionPolicyBindingStatus(validatingAdmissionPolicyBinding *admissionregistrationv1.ValidatingAdmissionPolicyBinding, fieldManager string) (*ValidatingAdmissionPolicyBindingApplyConfiguration, error) {
-	return extractValidatingAdmissionPolicyBinding(validatingAdmissionPolicyBinding, fieldManager, "status")
-}
-
-func extractValidatingAdmissionPolicyBinding(validatingAdmissionPolicyBinding *admissionregistrationv1.ValidatingAdmissionPolicyBinding, fieldManager string, subresource string) (*ValidatingAdmissionPolicyBindingApplyConfiguration, error) {
+func ExtractValidatingAdmissionPolicyBindingFrom(validatingAdmissionPolicyBinding *admissionregistrationv1.ValidatingAdmissionPolicyBinding, fieldManager string, subresource string) (*ValidatingAdmissionPolicyBindingApplyConfiguration, error) {
 	b := &ValidatingAdmissionPolicyBindingApplyConfiguration{}
 	err := managedfields.ExtractInto(validatingAdmissionPolicyBinding, internal.Parser().Type("io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicyBinding"), fieldManager, b, subresource)
 	if err != nil {
@@ -79,6 +78,21 @@ func extractValidatingAdmissionPolicyBinding(validatingAdmissionPolicyBinding *a
 	b.WithAPIVersion("admissionregistration.k8s.io/v1")
 	return b, nil
 }
+
+// ExtractValidatingAdmissionPolicyBinding extracts the applied configuration owned by fieldManager from
+// validatingAdmissionPolicyBinding. If no managedFields are found in validatingAdmissionPolicyBinding for fieldManager, a
+// ValidatingAdmissionPolicyBindingApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// validatingAdmissionPolicyBinding must be a unmodified ValidatingAdmissionPolicyBinding API object that was retrieved from the Kubernetes API.
+// ExtractValidatingAdmissionPolicyBinding provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractValidatingAdmissionPolicyBinding(validatingAdmissionPolicyBinding *admissionregistrationv1.ValidatingAdmissionPolicyBinding, fieldManager string) (*ValidatingAdmissionPolicyBindingApplyConfiguration, error) {
+	return ExtractValidatingAdmissionPolicyBindingFrom(validatingAdmissionPolicyBinding, fieldManager, "")
+}
+
 func (b ValidatingAdmissionPolicyBindingApplyConfiguration) IsApplyConfiguration() {}

 // WithKind sets the Kind field in the declarative configuration to the given value
--- a/applyconfigurations/admissionregistration/v1/validatingadmissionpolicybindingspec.go
+++ b/applyconfigurations/admissionregistration/v1/validatingadmissionpolicybindingspec.go
@@ -24,10 +24,63 @@ import (

 // ValidatingAdmissionPolicyBindingSpecApplyConfiguration represents a declarative configuration of the ValidatingAdmissionPolicyBindingSpec type for use
 // with apply.
+//
+// ValidatingAdmissionPolicyBindingSpec is the specification of the ValidatingAdmissionPolicyBinding.
 type ValidatingAdmissionPolicyBindingSpecApplyConfiguration struct {
-	PolicyName        *string                                    `json:"policyName,omitempty"`
-	ParamRef          *ParamRefApplyConfiguration                `json:"paramRef,omitempty"`
-	MatchResources    *MatchResourcesApplyConfiguration          `json:"matchResources,omitempty"`
+	// PolicyName references a ValidatingAdmissionPolicy name which the ValidatingAdmissionPolicyBinding binds to.
+	// If the referenced resource does not exist, this binding is considered invalid and will be ignored
+	// Required.
+	PolicyName *string `json:"policyName,omitempty"`
+	// paramRef specifies the parameter resource used to configure the admission control policy.
+	// It should point to a resource of the type specified in ParamKind of the bound ValidatingAdmissionPolicy.
+	// If the policy specifies a ParamKind and the resource referred to by ParamRef does not exist, this binding is considered mis-configured and the FailurePolicy of the ValidatingAdmissionPolicy applied.
+	// If the policy does not specify a ParamKind then this field is ignored, and the rules are evaluated without a param.
+	ParamRef *ParamRefApplyConfiguration `json:"paramRef,omitempty"`
+	// MatchResources declares what resources match this binding and will be validated by it.
+	// Note that this is intersected with the policy's matchConstraints, so only requests that are matched by the policy can be selected by this.
+	// If this is unset, all resources matched by the policy are validated by this binding
+	// When resourceRules is unset, it does not constrain resource matching. If a resource is matched by the other fields of this object, it will be validated.
+	// Note that this is differs from ValidatingAdmissionPolicy matchConstraints, where resourceRules are required.
+	MatchResources *MatchResourcesApplyConfiguration `json:"matchResources,omitempty"`
+	// validationActions declares how Validations of the referenced ValidatingAdmissionPolicy are enforced.
+	// If a validation evaluates to false it is always enforced according to these actions.
+	//
+	// Failures defined by the ValidatingAdmissionPolicy's FailurePolicy are enforced according
+	// to these actions only if the FailurePolicy is set to Fail, otherwise the failures are
+	// ignored. This includes compilation errors, runtime errors and misconfigurations of the policy.
+	//
+	// validationActions is declared as a set of action values. Order does
+	// not matter. validationActions may not contain duplicates of the same action.
+	//
+	// The supported actions values are:
+	//
+	// "Deny" specifies that a validation failure results in a denied request.
+	//
+	// "Warn" specifies that a validation failure is reported to the request client
+	// in HTTP Warning headers, with a warning code of 299. Warnings can be sent
+	// both for allowed or denied admission responses.
+	//
+	// "Audit" specifies that a validation failure is included in the published
+	// audit event for the request. The audit event will contain a
+	// `validation.policy.admission.k8s.io/validation_failure` audit annotation
+	// with a value containing the details of the validation failures, formatted as
+	// a JSON list of objects, each with the following fields:
+	// - message: The validation failure message string
+	// - policy: The resource name of the ValidatingAdmissionPolicy
+	// - binding: The resource name of the ValidatingAdmissionPolicyBinding
+	// - expressionIndex: The index of the failed validations in the ValidatingAdmissionPolicy
+	// - validationActions: The enforcement actions enacted for the validation failure
+	// Example audit annotation:
+	// `"validation.policy.admission.k8s.io/validation_failure": "[{\"message\": \"Invalid value\", {\"policy\": \"policy.example.com\", {\"binding\": \"policybinding.example.com\", {\"expressionIndex\": \"1\", {\"validationActions\": [\"Audit\"]}]"`
+	//
+	// Clients should expect to handle additional values by ignoring
+	// any values not recognized.
+	//
+	// "Deny" and "Warn" may not be used together since this combination
+	// needlessly duplicates the validation failure both in the
+	// API response body and the HTTP warning headers.
+	//
+	// Required.
 	ValidationActions []admissionregistrationv1.ValidationAction `json:"validationActions,omitempty"`
 }

--- a/applyconfigurations/admissionregistration/v1/validatingadmissionpolicyspec.go
+++ b/applyconfigurations/admissionregistration/v1/validatingadmissionpolicyspec.go
@@ -24,14 +24,66 @@ import (

 // ValidatingAdmissionPolicySpecApplyConfiguration represents a declarative configuration of the ValidatingAdmissionPolicySpec type for use
 // with apply.
+//
+// ValidatingAdmissionPolicySpec is the specification of the desired behavior of the AdmissionPolicy.
 type ValidatingAdmissionPolicySpecApplyConfiguration struct {
-	ParamKind        *ParamKindApplyConfiguration               `json:"paramKind,omitempty"`
-	MatchConstraints *MatchResourcesApplyConfiguration          `json:"matchConstraints,omitempty"`
-	Validations      []ValidationApplyConfiguration             `json:"validations,omitempty"`
-	FailurePolicy    *admissionregistrationv1.FailurePolicyType `json:"failurePolicy,omitempty"`
-	AuditAnnotations []AuditAnnotationApplyConfiguration        `json:"auditAnnotations,omitempty"`
-	MatchConditions  []MatchConditionApplyConfiguration         `json:"matchConditions,omitempty"`
-	Variables        []VariableApplyConfiguration               `json:"variables,omitempty"`
+	// ParamKind specifies the kind of resources used to parameterize this policy.
+	// If absent, there are no parameters for this policy and the param CEL variable will not be provided to validation expressions.
+	// If ParamKind refers to a non-existent kind, this policy definition is mis-configured and the FailurePolicy is applied.
+	// If paramKind is specified but paramRef is unset in ValidatingAdmissionPolicyBinding, the params variable will be null.
+	ParamKind *ParamKindApplyConfiguration `json:"paramKind,omitempty"`
+	// MatchConstraints specifies what resources this policy is designed to validate.
+	// The AdmissionPolicy cares about a request if it matches _all_ Constraints.
+	// However, in order to prevent clusters from being put into an unstable state that cannot be recovered from via the API
+	// ValidatingAdmissionPolicy cannot match ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding.
+	// Required.
+	MatchConstraints *MatchResourcesApplyConfiguration `json:"matchConstraints,omitempty"`
+	// Validations contain CEL expressions which is used to apply the validation.
+	// Validations and AuditAnnotations may not both be empty; a minimum of one Validations or AuditAnnotations is
+	// required.
+	Validations []ValidationApplyConfiguration `json:"validations,omitempty"`
+	// failurePolicy defines how to handle failures for the admission policy. Failures can
+	// occur from CEL expression parse errors, type check errors, runtime errors and invalid
+	// or mis-configured policy definitions or bindings.
+	//
+	// A policy is invalid if spec.paramKind refers to a non-existent Kind.
+	// A binding is invalid if spec.paramRef.name refers to a non-existent resource.
+	//
+	// failurePolicy does not define how validations that evaluate to false are handled.
+	//
+	// When failurePolicy is set to Fail, ValidatingAdmissionPolicyBinding validationActions
+	// define how failures are enforced.
+	//
+	// Allowed values are Ignore or Fail. Defaults to Fail.
+	FailurePolicy *admissionregistrationv1.FailurePolicyType `json:"failurePolicy,omitempty"`
+	// auditAnnotations contains CEL expressions which are used to produce audit
+	// annotations for the audit event of the API request.
+	// validations and auditAnnotations may not both be empty; a least one of validations or auditAnnotations is
+	// required.
+	AuditAnnotations []AuditAnnotationApplyConfiguration `json:"auditAnnotations,omitempty"`
+	// MatchConditions is a list of conditions that must be met for a request to be validated.
+	// Match conditions filter requests that have already been matched by the rules,
+	// namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.
+	// There are a maximum of 64 match conditions allowed.
+	//
+	// If a parameter object is provided, it can be accessed via the `params` handle in the same
+	// manner as validation expressions.
+	//
+	// The exact matching logic is (in order):
+	// 1. If ANY matchCondition evaluates to FALSE, the policy is skipped.
+	// 2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.
+	// 3. If any matchCondition evaluates to an error (but none are FALSE):
+	// - If failurePolicy=Fail, reject the request
+	// - If failurePolicy=Ignore, the policy is skipped
+	MatchConditions []MatchConditionApplyConfiguration `json:"matchConditions,omitempty"`
+	// Variables contain definitions of variables that can be used in composition of other expressions.
+	// Each variable is defined as a named CEL expression.
+	// The variables defined here will be available under `variables` in other expressions of the policy
+	// except MatchConditions because MatchConditions are evaluated before the rest of the policy.
+	//
+	// The expression of a variable can refer to other variables defined earlier in the list but not those after.
+	// Thus, Variables must be sorted by the order of first appearance and acyclic.
+	Variables []VariableApplyConfiguration `json:"variables,omitempty"`
 }

 // ValidatingAdmissionPolicySpecApplyConfiguration constructs a declarative configuration of the ValidatingAdmissionPolicySpec type for use with
--- a/applyconfigurations/admissionregistration/v1/validatingadmissionpolicystatus.go
+++ b/applyconfigurations/admissionregistration/v1/validatingadmissionpolicystatus.go
@@ -24,10 +24,16 @@ import (

 // ValidatingAdmissionPolicyStatusApplyConfiguration represents a declarative configuration of the ValidatingAdmissionPolicyStatus type for use
 // with apply.
+//
+// ValidatingAdmissionPolicyStatus represents the status of an admission validation policy.
 type ValidatingAdmissionPolicyStatusApplyConfiguration struct {
-	ObservedGeneration *int64                               `json:"observedGeneration,omitempty"`
-	TypeChecking       *TypeCheckingApplyConfiguration      `json:"typeChecking,omitempty"`
-	Conditions         []metav1.ConditionApplyConfiguration `json:"conditions,omitempty"`
+	// The generation observed by the controller.
+	ObservedGeneration *int64 `json:"observedGeneration,omitempty"`
+	// The results of type checking for each expression.
+	// Presence of this field indicates the completion of the type checking.
+	TypeChecking *TypeCheckingApplyConfiguration `json:"typeChecking,omitempty"`
+	// The conditions represent the latest available observations of a policy's current state.
+	Conditions []metav1.ConditionApplyConfiguration `json:"conditions,omitempty"`
 }

 // ValidatingAdmissionPolicyStatusApplyConfiguration constructs a declarative configuration of the ValidatingAdmissionPolicyStatus type for use with
--- a/applyconfigurations/admissionregistration/v1/validatingwebhook.go
+++ b/applyconfigurations/admissionregistration/v1/validatingwebhook.go
@@ -25,18 +25,132 @@ import (

 // ValidatingWebhookApplyConfiguration represents a declarative configuration of the ValidatingWebhook type for use
 // with apply.
+//
+// ValidatingWebhook describes an admission webhook and the resources and operations it applies to.
 type ValidatingWebhookApplyConfiguration struct {
-	Name                    *string                                    `json:"name,omitempty"`
-	ClientConfig            *WebhookClientConfigApplyConfiguration     `json:"clientConfig,omitempty"`
-	Rules                   []RuleWithOperationsApplyConfiguration     `json:"rules,omitempty"`
-	FailurePolicy           *admissionregistrationv1.FailurePolicyType `json:"failurePolicy,omitempty"`
-	MatchPolicy             *admissionregistrationv1.MatchPolicyType   `json:"matchPolicy,omitempty"`
-	NamespaceSelector       *metav1.LabelSelectorApplyConfiguration    `json:"namespaceSelector,omitempty"`
-	ObjectSelector          *metav1.LabelSelectorApplyConfiguration    `json:"objectSelector,omitempty"`
-	SideEffects             *admissionregistrationv1.SideEffectClass   `json:"sideEffects,omitempty"`
-	TimeoutSeconds          *int32                                     `json:"timeoutSeconds,omitempty"`
-	AdmissionReviewVersions []string                                   `json:"admissionReviewVersions,omitempty"`
-	MatchConditions         []MatchConditionApplyConfiguration         `json:"matchConditions,omitempty"`
+	// The name of the admission webhook.
+	// Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where
+	// "imagepolicy" is the name of the webhook, and kubernetes.io is the name
+	// of the organization.
+	// Required.
+	Name *string `json:"name,omitempty"`
+	// ClientConfig defines how to communicate with the hook.
+	// Required
+	ClientConfig *WebhookClientConfigApplyConfiguration `json:"clientConfig,omitempty"`
+	// Rules describes what operations on what resources/subresources the webhook cares about.
+	// The webhook cares about an operation if it matches _any_ Rule.
+	// However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks
+	// from putting the cluster in a state which cannot be recovered from without completely
+	// disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called
+	// on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects.
+	Rules []RuleWithOperationsApplyConfiguration `json:"rules,omitempty"`
+	// FailurePolicy defines how unrecognized errors from the admission endpoint are handled -
+	// allowed values are Ignore or Fail. Defaults to Fail.
+	FailurePolicy *admissionregistrationv1.FailurePolicyType `json:"failurePolicy,omitempty"`
+	// matchPolicy defines how the "rules" list is used to match incoming requests.
+	// Allowed values are "Exact" or "Equivalent".
+	//
+	// - Exact: match a request only if it exactly matches a specified rule.
+	// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
+	// but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
+	// a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.
+	//
+	// - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.
+	// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
+	// and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
+	// a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.
+	//
+	// Defaults to "Equivalent"
+	MatchPolicy *admissionregistrationv1.MatchPolicyType `json:"matchPolicy,omitempty"`
+	// NamespaceSelector decides whether to run the webhook on an object based
+	// on whether the namespace for that object matches the selector. If the
+	// object itself is a namespace, the matching is performed on
+	// object.metadata.labels. If the object is another cluster scoped resource,
+	// it never skips the webhook.
+	//
+	// For example, to run the webhook on any objects whose namespace is not
+	// associated with "runlevel" of "0" or "1";  you will set the selector as
+	// follows:
+	// "namespaceSelector": {
+	// "matchExpressions": [
+	// {
+	// "key": "runlevel",
+	// "operator": "NotIn",
+	// "values": [
+	// "0",
+	// "1"
+	// ]
+	// }
+	// ]
+	// }
+	//
+	// If instead you want to only run the webhook on any objects whose
+	// namespace is associated with the "environment" of "prod" or "staging";
+	// you will set the selector as follows:
+	// "namespaceSelector": {
+	// "matchExpressions": [
+	// {
+	// "key": "environment",
+	// "operator": "In",
+	// "values": [
+	// "prod",
+	// "staging"
+	// ]
+	// }
+	// ]
+	// }
+	//
+	// See
+	// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels
+	// for more examples of label selectors.
+	//
+	// Default to the empty LabelSelector, which matches everything.
+	NamespaceSelector *metav1.LabelSelectorApplyConfiguration `json:"namespaceSelector,omitempty"`
+	// ObjectSelector decides whether to run the webhook based on if the
+	// object has matching labels. objectSelector is evaluated against both
+	// the oldObject and newObject that would be sent to the webhook, and
+	// is considered to match if either object matches the selector. A null
+	// object (oldObject in the case of create, or newObject in the case of
+	// delete) or an object that cannot have labels (like a
+	// DeploymentRollback or a PodProxyOptions object) is not considered to
+	// match.
+	// Use the object selector only if the webhook is opt-in, because end
+	// users may skip the admission webhook by setting the labels.
+	// Default to the empty LabelSelector, which matches everything.
+	ObjectSelector *metav1.LabelSelectorApplyConfiguration `json:"objectSelector,omitempty"`
+	// SideEffects states whether this webhook has side effects.
+	// Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown).
+	// Webhooks with side effects MUST implement a reconciliation system, since a request may be
+	// rejected by a future step in the admission chain and the side effects therefore need to be undone.
+	// Requests with the dryRun attribute will be auto-rejected if they match a webhook with
+	// sideEffects == Unknown or Some.
+	SideEffects *admissionregistrationv1.SideEffectClass `json:"sideEffects,omitempty"`
+	// TimeoutSeconds specifies the timeout for this webhook. After the timeout passes,
+	// the webhook call will be ignored or the API call will fail based on the
+	// failure policy.
+	// The timeout value must be between 1 and 30 seconds.
+	// Default to 10 seconds.
+	TimeoutSeconds *int32 `json:"timeoutSeconds,omitempty"`
+	// AdmissionReviewVersions is an ordered list of preferred `AdmissionReview`
+	// versions the Webhook expects. API server will try to use first version in
+	// the list which it supports. If none of the versions specified in this list
+	// supported by API server, validation will fail for this object.
+	// If a persisted webhook configuration specifies allowed versions and does not
+	// include any versions known to the API Server, calls to the webhook will fail
+	// and be subject to the failure policy.
+	AdmissionReviewVersions []string `json:"admissionReviewVersions,omitempty"`
+	// MatchConditions is a list of conditions that must be met for a request to be sent to this
+	// webhook. Match conditions filter requests that have already been matched by the rules,
+	// namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.
+	// There are a maximum of 64 match conditions allowed.
+	//
+	// The exact matching logic is (in order):
+	// 1. If ANY matchCondition evaluates to FALSE, the webhook is skipped.
+	// 2. If ALL matchConditions evaluate to TRUE, the webhook is called.
+	// 3. If any matchCondition evaluates to an error (but none are FALSE):
+	// - If failurePolicy=Fail, reject the request
+	// - If failurePolicy=Ignore, the error is ignored and the webhook is skipped
+	MatchConditions []MatchConditionApplyConfiguration `json:"matchConditions,omitempty"`
 }

 // ValidatingWebhookApplyConfiguration constructs a declarative configuration of the ValidatingWebhook type for use with
--- a/applyconfigurations/admissionregistration/v1/validatingwebhookconfiguration.go
+++ b/applyconfigurations/admissionregistration/v1/validatingwebhookconfiguration.go
@@ -29,10 +29,14 @@ import (

 // ValidatingWebhookConfigurationApplyConfiguration represents a declarative configuration of the ValidatingWebhookConfiguration type for use
 // with apply.
+//
+// ValidatingWebhookConfiguration describes the configuration of and admission webhook that accept or reject and object without changing it.
 type ValidatingWebhookConfigurationApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Webhooks                             []ValidatingWebhookApplyConfiguration `json:"webhooks,omitempty"`
+	// Webhooks is a list of webhooks and the affected resources and operations.
+	Webhooks []ValidatingWebhookApplyConfiguration `json:"webhooks,omitempty"`
 }

 // ValidatingWebhookConfiguration constructs a declarative configuration of the ValidatingWebhookConfiguration type for use with
@@ -45,29 +49,14 @@ func ValidatingWebhookConfiguration(name string) *ValidatingWebhookConfiguration
 	return b
 }

-// ExtractValidatingWebhookConfiguration extracts the applied configuration owned by fieldManager from
-// validatingWebhookConfiguration. If no managedFields are found in validatingWebhookConfiguration for fieldManager, a
-// ValidatingWebhookConfigurationApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractValidatingWebhookConfigurationFrom extracts the applied configuration owned by fieldManager from
+// validatingWebhookConfiguration for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // validatingWebhookConfiguration must be a unmodified ValidatingWebhookConfiguration API object that was retrieved from the Kubernetes API.
-// ExtractValidatingWebhookConfiguration provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractValidatingWebhookConfigurationFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractValidatingWebhookConfiguration(validatingWebhookConfiguration *admissionregistrationv1.ValidatingWebhookConfiguration, fieldManager string) (*ValidatingWebhookConfigurationApplyConfiguration, error) {
-	return extractValidatingWebhookConfiguration(validatingWebhookConfiguration, fieldManager, "")
-}
-
-// ExtractValidatingWebhookConfigurationStatus is the same as ExtractValidatingWebhookConfiguration except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractValidatingWebhookConfigurationStatus(validatingWebhookConfiguration *admissionregistrationv1.ValidatingWebhookConfiguration, fieldManager string) (*ValidatingWebhookConfigurationApplyConfiguration, error) {
-	return extractValidatingWebhookConfiguration(validatingWebhookConfiguration, fieldManager, "status")
-}
-
-func extractValidatingWebhookConfiguration(validatingWebhookConfiguration *admissionregistrationv1.ValidatingWebhookConfiguration, fieldManager string, subresource string) (*ValidatingWebhookConfigurationApplyConfiguration, error) {
+func ExtractValidatingWebhookConfigurationFrom(validatingWebhookConfiguration *admissionregistrationv1.ValidatingWebhookConfiguration, fieldManager string, subresource string) (*ValidatingWebhookConfigurationApplyConfiguration, error) {
 	b := &ValidatingWebhookConfigurationApplyConfiguration{}
 	err := managedfields.ExtractInto(validatingWebhookConfiguration, internal.Parser().Type("io.k8s.api.admissionregistration.v1.ValidatingWebhookConfiguration"), fieldManager, b, subresource)
 	if err != nil {
@@ -79,6 +68,21 @@ func extractValidatingWebhookConfiguration(validatingWebhookConfiguration *admis
 	b.WithAPIVersion("admissionregistration.k8s.io/v1")
 	return b, nil
 }
+
+// ExtractValidatingWebhookConfiguration extracts the applied configuration owned by fieldManager from
+// validatingWebhookConfiguration. If no managedFields are found in validatingWebhookConfiguration for fieldManager, a
+// ValidatingWebhookConfigurationApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// validatingWebhookConfiguration must be a unmodified ValidatingWebhookConfiguration API object that was retrieved from the Kubernetes API.
+// ExtractValidatingWebhookConfiguration provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractValidatingWebhookConfiguration(validatingWebhookConfiguration *admissionregistrationv1.ValidatingWebhookConfiguration, fieldManager string) (*ValidatingWebhookConfigurationApplyConfiguration, error) {
+	return ExtractValidatingWebhookConfigurationFrom(validatingWebhookConfiguration, fieldManager, "")
+}
+
 func (b ValidatingWebhookConfigurationApplyConfiguration) IsApplyConfiguration() {}

 // WithKind sets the Kind field in the declarative configuration to the given value
--- a/applyconfigurations/admissionregistration/v1/validation.go
+++ b/applyconfigurations/admissionregistration/v1/validation.go
@@ -24,11 +24,77 @@ import (

 // ValidationApplyConfiguration represents a declarative configuration of the Validation type for use
 // with apply.
+//
+// Validation specifies the CEL expression which is used to apply the validation.
 type ValidationApplyConfiguration struct {
-	Expression        *string              `json:"expression,omitempty"`
-	Message           *string              `json:"message,omitempty"`
-	Reason            *metav1.StatusReason `json:"reason,omitempty"`
-	MessageExpression *string              `json:"messageExpression,omitempty"`
+	// Expression represents the expression which will be evaluated by CEL.
+	// ref: https://github.com/google/cel-spec
+	// CEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables:
+	//
+	// - 'object' - The object from the incoming request. The value is null for DELETE requests.
+	// - 'oldObject' - The existing object. The value is null for CREATE requests.
+	// - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
+	// - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.
+	// - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.
+	// - 'variables' - Map of composited variables, from its name to its lazily evaluated value.
+	// For example, a variable named 'foo' can be accessed as 'variables.foo'.
+	// - 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
+	// See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
+	// - 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
+	// request resource.
+	//
+	// The `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the
+	// object. No other metadata properties are accessible.
+	//
+	// Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.
+	// Accessible property names are escaped according to the following rules when accessed in the expression:
+	// - '__' escapes to '__underscores__'
+	// - '.' escapes to '__dot__'
+	// - '-' escapes to '__dash__'
+	// - '/' escapes to '__slash__'
+	// - Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are:
+	// "true", "false", "null", "in", "as", "break", "const", "continue", "else", "for", "function", "if",
+	// "import", "let", "loop", "package", "namespace", "return".
+	// Examples:
+	// - Expression accessing a property named "namespace": {"Expression": "object.__namespace__ > 0"}
+	// - Expression accessing a property named "x-prop": {"Expression": "object.x__dash__prop > 0"}
+	// - Expression accessing a property named "redact__d": {"Expression": "object.redact__underscores__d > 0"}
+	//
+	// Equality on arrays with list type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1].
+	// Concatenation on arrays with x-kubernetes-list-type use the semantics of the list type:
+	// - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and
+	// non-intersecting elements in `Y` are appended, retaining their partial order.
+	// - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values
+	// are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with
+	// non-intersecting keys are appended, retaining their partial order.
+	// Required.
+	Expression *string `json:"expression,omitempty"`
+	// Message represents the message displayed when validation fails. The message is required if the Expression contains
+	// line breaks. The message must not contain line breaks.
+	// If unset, the message is "failed rule: {Rule}".
+	// e.g. "must be a URL with the host matching spec.host"
+	// If the Expression contains line breaks. Message is required.
+	// The message must not contain line breaks.
+	// If unset, the message is "failed Expression: {Expression}".
+	Message *string `json:"message,omitempty"`
+	// Reason represents a machine-readable description of why this validation failed.
+	// If this is the first validation in the list to fail, this reason, as well as the
+	// corresponding HTTP response code, are used in the
+	// HTTP response to the client.
+	// The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge".
+	// If not set, StatusReasonInvalid is used in the response to the client.
+	Reason *metav1.StatusReason `json:"reason,omitempty"`
+	// messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.
+	// Since messageExpression is used as a failure message, it must evaluate to a string.
+	// If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.
+	// If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced
+	// as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string
+	// that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and
+	// the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.
+	// messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.
+	// Example:
+	// "object.x must be less than max ("+string(params.max)+")"
+	MessageExpression *string `json:"messageExpression,omitempty"`
 }

 // ValidationApplyConfiguration constructs a declarative configuration of the Validation type for use with
--- a/applyconfigurations/admissionregistration/v1/variable.go
+++ b/applyconfigurations/admissionregistration/v1/variable.go
@@ -20,8 +20,15 @@ package v1

 // VariableApplyConfiguration represents a declarative configuration of the Variable type for use
 // with apply.
+//
+// Variable is the definition of a variable that is used for composition. A variable is defined as a named expression.
 type VariableApplyConfiguration struct {
-	Name       *string `json:"name,omitempty"`
+	// Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.
+	// The variable can be accessed in other expressions through `variables`
+	// For example, if name is "foo", the variable will be available as `variables.foo`
+	Name *string `json:"name,omitempty"`
+	// Expression is the expression that will be evaluated as the value of the variable.
+	// The CEL expression has access to the same identifiers as the CEL expressions in Validation.
 	Expression *string `json:"expression,omitempty"`
 }

--- a/applyconfigurations/admissionregistration/v1/webhookclientconfig.go
+++ b/applyconfigurations/admissionregistration/v1/webhookclientconfig.go
@@ -20,10 +20,44 @@ package v1

 // WebhookClientConfigApplyConfiguration represents a declarative configuration of the WebhookClientConfig type for use
 // with apply.
+//
+// WebhookClientConfig contains the information to make a TLS
+// connection with the webhook
 type WebhookClientConfigApplyConfiguration struct {
-	URL      *string                             `json:"url,omitempty"`
-	Service  *ServiceReferenceApplyConfiguration `json:"service,omitempty"`
-	CABundle []byte                              `json:"caBundle,omitempty"`
+	// `url` gives the location of the webhook, in standard URL form
+	// (`scheme://host:port/path`). Exactly one of `url` or `service`
+	// must be specified.
+	//
+	// The `host` should not refer to a service running in the cluster; use
+	// the `service` field instead. The host might be resolved via external
+	// DNS in some apiservers (e.g., `kube-apiserver` cannot resolve
+	// in-cluster DNS as that would be a layering violation). `host` may
+	// also be an IP address.
+	//
+	// Please note that using `localhost` or `127.0.0.1` as a `host` is
+	// risky unless you take great care to run this webhook on all hosts
+	// which run an apiserver which might need to make calls to this
+	// webhook. Such installs are likely to be non-portable, i.e., not easy
+	// to turn up in a new cluster.
+	//
+	// The scheme must be "https"; the URL must begin with "https://".
+	//
+	// A path is optional, and if present may be any string permissible in
+	// a URL. You may use the path to pass an arbitrary string to the
+	// webhook, for example, a cluster identifier.
+	//
+	// Attempting to use a user or basic auth e.g. "user:password@" is not
+	// allowed. Fragments ("#...") and query parameters ("?...") are not
+	// allowed, either.
+	URL *string `json:"url,omitempty"`
+	// `service` is a reference to the service for this webhook. Either
+	// `service` or `url` must be specified.
+	//
+	// If the webhook is running within the cluster, then you should use `service`.
+	Service *ServiceReferenceApplyConfiguration `json:"service,omitempty"`
+	// `caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate.
+	// If unspecified, system trust roots on the apiserver are used.
+	CABundle []byte `json:"caBundle,omitempty"`
 }

 // WebhookClientConfigApplyConfiguration constructs a declarative configuration of the WebhookClientConfig type for use with
--- a/applyconfigurations/admissionregistration/v1alpha1/applyconfiguration.go
+++ b/applyconfigurations/admissionregistration/v1alpha1/applyconfiguration.go
@@ -20,7 +20,49 @@ package v1alpha1

 // ApplyConfigurationApplyConfiguration represents a declarative configuration of the ApplyConfiguration type for use
 // with apply.
+//
+// ApplyConfiguration defines the desired configuration values of an object.
 type ApplyConfigurationApplyConfiguration struct {
+	// expression will be evaluated by CEL to create an apply configuration.
+	// ref: https://github.com/google/cel-spec
+	//
+	// Apply configurations are declared in CEL using object initialization. For example, this CEL expression
+	// returns an apply configuration to set a single field:
+	//
+	// Object{
+	// spec: Object.spec{
+	// serviceAccountName: "example"
+	// }
+	// }
+	//
+	// Apply configurations may not modify atomic structs, maps or arrays due to the risk of accidental deletion of
+	// values not included in the apply configuration.
+	//
+	// CEL expressions have access to the object types needed to create apply configurations:
+	//
+	// - 'Object' - CEL type of the resource object.
+	// - 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec')
+	// - 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')
+	//
+	// CEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:
+	//
+	// - 'object' - The object from the incoming request. The value is null for DELETE requests.
+	// - 'oldObject' - The existing object. The value is null for CREATE requests.
+	// - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
+	// - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.
+	// - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.
+	// - 'variables' - Map of composited variables, from its name to its lazily evaluated value.
+	// For example, a variable named 'foo' can be accessed as 'variables.foo'.
+	// - 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
+	// See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
+	// - 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
+	// request resource.
+	//
+	// The `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the
+	// object. No other metadata properties are accessible.
+	//
+	// Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.
+	// Required.
 	Expression *string `json:"expression,omitempty"`
 }

--- a/applyconfigurations/admissionregistration/v1alpha1/auditannotation.go
+++ b/applyconfigurations/admissionregistration/v1alpha1/auditannotation.go
@@ -20,8 +20,40 @@ package v1alpha1

 // AuditAnnotationApplyConfiguration represents a declarative configuration of the AuditAnnotation type for use
 // with apply.
+//
+// AuditAnnotation describes how to produce an audit annotation for an API request.
 type AuditAnnotationApplyConfiguration struct {
-	Key             *string `json:"key,omitempty"`
+	// key specifies the audit annotation key. The audit annotation keys of
+	// a ValidatingAdmissionPolicy must be unique. The key must be a qualified
+	// name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.
+	//
+	// The key is combined with the resource name of the
+	// ValidatingAdmissionPolicy to construct an audit annotation key:
+	// "{ValidatingAdmissionPolicy name}/{key}".
+	//
+	// If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy
+	// and the same audit annotation key, the annotation key will be identical.
+	// In this case, the first annotation written with the key will be included
+	// in the audit event and all subsequent annotations with the same key
+	// will be discarded.
+	//
+	// Required.
+	Key *string `json:"key,omitempty"`
+	// valueExpression represents the expression which is evaluated by CEL to
+	// produce an audit annotation value. The expression must evaluate to either
+	// a string or null value. If the expression evaluates to a string, the
+	// audit annotation is included with the string value. If the expression
+	// evaluates to null or empty string the audit annotation will be omitted.
+	// The valueExpression may be no longer than 5kb in length.
+	// If the result of the valueExpression is more than 10kb in length, it
+	// will be truncated to 10kb.
+	//
+	// If multiple ValidatingAdmissionPolicyBinding resources match an
+	// API request, then the valueExpression will be evaluated for
+	// each binding. All unique values produced by the valueExpressions
+	// will be joined together in a comma-separated list.
+	//
+	// Required.
 	ValueExpression *string `json:"valueExpression,omitempty"`
 }

--- a/applyconfigurations/admissionregistration/v1alpha1/expressionwarning.go
+++ b/applyconfigurations/admissionregistration/v1alpha1/expressionwarning.go
@@ -20,9 +20,17 @@ package v1alpha1

 // ExpressionWarningApplyConfiguration represents a declarative configuration of the ExpressionWarning type for use
 // with apply.
+//
+// ExpressionWarning is a warning information that targets a specific expression.
 type ExpressionWarningApplyConfiguration struct {
+	// The path to the field that refers the expression.
+	// For example, the reference to the expression of the first item of
+	// validations is "spec.validations[0].expression"
 	FieldRef *string `json:"fieldRef,omitempty"`
-	Warning  *string `json:"warning,omitempty"`
+	// The content of type checking information in a human-readable form.
+	// Each line of the warning contains the type that the expression is checked
+	// against, followed by the type check error from the compiler.
+	Warning *string `json:"warning,omitempty"`
 }

 // ExpressionWarningApplyConfiguration constructs a declarative configuration of the ExpressionWarning type for use with
--- a/applyconfigurations/admissionregistration/v1alpha1/jsonpatch.go
+++ b/applyconfigurations/admissionregistration/v1alpha1/jsonpatch.go
@@ -20,7 +20,73 @@ package v1alpha1

 // JSONPatchApplyConfiguration represents a declarative configuration of the JSONPatch type for use
 // with apply.
+//
+// JSONPatch defines a JSON Patch.
 type JSONPatchApplyConfiguration struct {
+	// expression will be evaluated by CEL to create a [JSON patch](https://jsonpatch.com/).
+	// ref: https://github.com/google/cel-spec
+	//
+	// expression must return an array of JSONPatch values.
+	//
+	// For example, this CEL expression returns a JSON patch to conditionally modify a value:
+	//
+	// [
+	// JSONPatch{op: "test", path: "/spec/example", value: "Red"},
+	// JSONPatch{op: "replace", path: "/spec/example", value: "Green"}
+	// ]
+	//
+	// To define an object for the patch value, use Object types. For example:
+	//
+	// [
+	// JSONPatch{
+	// op: "add",
+	// path: "/spec/selector",
+	// value: Object.spec.selector{matchLabels: {"environment": "test"}}
+	// }
+	// ]
+	//
+	// To use strings containing '/' and '~' as JSONPatch path keys, use "jsonpatch.escapeKey". For example:
+	//
+	// [
+	// JSONPatch{
+	// op: "add",
+	// path: "/metadata/labels/" + jsonpatch.escapeKey("example.com/environment"),
+	// value: "test"
+	// },
+	// ]
+	//
+	// CEL expressions have access to the types needed to create JSON patches and objects:
+	//
+	// - 'JSONPatch' - CEL type of JSON Patch operations. JSONPatch has the fields 'op', 'from', 'path' and 'value'.
+	// See [JSON patch](https://jsonpatch.com/) for more details. The 'value' field may be set to any of: string,
+	// integer, array, map or object.  If set, the 'path' and 'from' fields must be set to a
+	// [JSON pointer](https://datatracker.ietf.org/doc/html/rfc6901/) string, where the 'jsonpatch.escapeKey()' CEL
+	// function may be used to escape path keys containing '/' and '~'.
+	// - 'Object' - CEL type of the resource object.
+	// - 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec')
+	// - 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')
+	//
+	// CEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:
+	//
+	// - 'object' - The object from the incoming request. The value is null for DELETE requests.
+	// - 'oldObject' - The existing object. The value is null for CREATE requests.
+	// - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
+	// - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.
+	// - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.
+	// - 'variables' - Map of composited variables, from its name to its lazily evaluated value.
+	// For example, a variable named 'foo' can be accessed as 'variables.foo'.
+	// - 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
+	// See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
+	// - 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
+	// request resource.
+	//
+	// CEL expressions have access to [Kubernetes CEL function libraries](https://kubernetes.io/docs/reference/using-api/cel/#cel-options-language-features-and-libraries)
+	// as well as:
+	//
+	// - 'jsonpatch.escapeKey' - Performs JSONPatch key escaping. '~' and  '/' are escaped as '~0' and `~1' respectively).
+	//
+	// Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.
+	// Required.
 	Expression *string `json:"expression,omitempty"`
 }

--- a/applyconfigurations/admissionregistration/v1alpha1/matchcondition.go
+++ b/applyconfigurations/admissionregistration/v1alpha1/matchcondition.go
@@ -21,7 +21,29 @@ package v1alpha1
 // MatchConditionApplyConfiguration represents a declarative configuration of the MatchCondition type for use
 // with apply.
 type MatchConditionApplyConfiguration struct {
-	Name       *string `json:"name,omitempty"`
+	// Name is an identifier for this match condition, used for strategic merging of MatchConditions,
+	// as well as providing an identifier for logging purposes. A good name should be descriptive of
+	// the associated expression.
+	// Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
+	// must start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or
+	// '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
+	// optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
+	//
+	// Required.
+	Name *string `json:"name,omitempty"`
+	// Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
+	// CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
+	//
+	// 'object' - The object from the incoming request. The value is null for DELETE requests.
+	// 'oldObject' - The existing object. The value is null for CREATE requests.
+	// 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
+	// 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
+	// See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
+	// 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
+	// request resource.
+	// Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
+	//
+	// Required.
 	Expression *string `json:"expression,omitempty"`
 }

--- a/applyconfigurations/admissionregistration/v1alpha1/matchresources.go
+++ b/applyconfigurations/admissionregistration/v1alpha1/matchresources.go
@@ -25,12 +25,89 @@ import (

 // MatchResourcesApplyConfiguration represents a declarative configuration of the MatchResources type for use
 // with apply.
+//
+// MatchResources decides whether to run the admission control policy on an object based
+// on whether it meets the match criteria.
+// The exclude rules take precedence over include rules (if a resource matches both, it is excluded)
 type MatchResourcesApplyConfiguration struct {
-	NamespaceSelector    *v1.LabelSelectorApplyConfiguration            `json:"namespaceSelector,omitempty"`
-	ObjectSelector       *v1.LabelSelectorApplyConfiguration            `json:"objectSelector,omitempty"`
-	ResourceRules        []NamedRuleWithOperationsApplyConfiguration    `json:"resourceRules,omitempty"`
-	ExcludeResourceRules []NamedRuleWithOperationsApplyConfiguration    `json:"excludeResourceRules,omitempty"`
-	MatchPolicy          *admissionregistrationv1alpha1.MatchPolicyType `json:"matchPolicy,omitempty"`
+	// NamespaceSelector decides whether to run the admission control policy on an object based
+	// on whether the namespace for that object matches the selector. If the
+	// object itself is a namespace, the matching is performed on
+	// object.metadata.labels. If the object is another cluster scoped resource,
+	// it never skips the policy.
+	//
+	// For example, to run the webhook on any objects whose namespace is not
+	// associated with "runlevel" of "0" or "1";  you will set the selector as
+	// follows:
+	// "namespaceSelector": {
+	// "matchExpressions": [
+	// {
+	// "key": "runlevel",
+	// "operator": "NotIn",
+	// "values": [
+	// "0",
+	// "1"
+	// ]
+	// }
+	// ]
+	// }
+	//
+	// If instead you want to only run the policy on any objects whose
+	// namespace is associated with the "environment" of "prod" or "staging";
+	// you will set the selector as follows:
+	// "namespaceSelector": {
+	// "matchExpressions": [
+	// {
+	// "key": "environment",
+	// "operator": "In",
+	// "values": [
+	// "prod",
+	// "staging"
+	// ]
+	// }
+	// ]
+	// }
+	//
+	// See
+	// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+	// for more examples of label selectors.
+	//
+	// Default to the empty LabelSelector, which matches everything.
+	NamespaceSelector *v1.LabelSelectorApplyConfiguration `json:"namespaceSelector,omitempty"`
+	// ObjectSelector decides whether to run the policy based on if the
+	// object has matching labels. objectSelector is evaluated against both
+	// the oldObject and newObject that would be sent to the policy's expression (CEL), and
+	// is considered to match if either object matches the selector. A null
+	// object (oldObject in the case of create, or newObject in the case of
+	// delete) or an object that cannot have labels (like a
+	// DeploymentRollback or a PodProxyOptions object) is not considered to
+	// match.
+	// Use the object selector only if the webhook is opt-in, because end
+	// users may skip the admission webhook by setting the labels.
+	// Default to the empty LabelSelector, which matches everything.
+	ObjectSelector *v1.LabelSelectorApplyConfiguration `json:"objectSelector,omitempty"`
+	// ResourceRules describes what operations on what resources/subresources the admission policy matches.
+	// The policy cares about an operation if it matches _any_ Rule.
+	ResourceRules []NamedRuleWithOperationsApplyConfiguration `json:"resourceRules,omitempty"`
+	// ExcludeResourceRules describes what operations on what resources/subresources the policy should not care about.
+	// The exclude rules take precedence over include rules (if a resource matches both, it is excluded)
+	ExcludeResourceRules []NamedRuleWithOperationsApplyConfiguration `json:"excludeResourceRules,omitempty"`
+	// matchPolicy defines how the "MatchResources" list is used to match incoming requests.
+	// Allowed values are "Exact" or "Equivalent".
+	//
+	// - Exact: match a request only if it exactly matches a specified rule.
+	// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
+	// but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
+	// the admission policy does not consider requests to apps/v1beta1 or extensions/v1beta1 API groups.
+	//
+	// - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.
+	// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
+	// and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
+	// the admission policy **does** consider requests made to apps/v1beta1 or extensions/v1beta1
+	// API groups. The API server translates the request to a matched resource API if necessary.
+	//
+	// Defaults to "Equivalent"
+	MatchPolicy *admissionregistrationv1alpha1.MatchPolicyType `json:"matchPolicy,omitempty"`
 }

 // MatchResourcesApplyConfiguration constructs a declarative configuration of the MatchResources type for use with
--- a/applyconfigurations/admissionregistration/v1alpha1/mutatingadmissionpolicy.go
+++ b/applyconfigurations/admissionregistration/v1alpha1/mutatingadmissionpolicy.go
@@ -29,10 +29,14 @@ import (

 // MutatingAdmissionPolicyApplyConfiguration represents a declarative configuration of the MutatingAdmissionPolicy type for use
 // with apply.
+//
+// MutatingAdmissionPolicy describes the definition of an admission mutation policy that mutates the object coming into admission chain.
 type MutatingAdmissionPolicyApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *MutatingAdmissionPolicySpecApplyConfiguration `json:"spec,omitempty"`
+	// Specification of the desired behavior of the MutatingAdmissionPolicy.
+	Spec *MutatingAdmissionPolicySpecApplyConfiguration `json:"spec,omitempty"`
 }

 // MutatingAdmissionPolicy constructs a declarative configuration of the MutatingAdmissionPolicy type for use with
@@ -45,29 +49,14 @@ func MutatingAdmissionPolicy(name string) *MutatingAdmissionPolicyApplyConfigura
 	return b
 }

-// ExtractMutatingAdmissionPolicy extracts the applied configuration owned by fieldManager from
-// mutatingAdmissionPolicy. If no managedFields are found in mutatingAdmissionPolicy for fieldManager, a
-// MutatingAdmissionPolicyApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractMutatingAdmissionPolicyFrom extracts the applied configuration owned by fieldManager from
+// mutatingAdmissionPolicy for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // mutatingAdmissionPolicy must be a unmodified MutatingAdmissionPolicy API object that was retrieved from the Kubernetes API.
-// ExtractMutatingAdmissionPolicy provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractMutatingAdmissionPolicyFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractMutatingAdmissionPolicy(mutatingAdmissionPolicy *admissionregistrationv1alpha1.MutatingAdmissionPolicy, fieldManager string) (*MutatingAdmissionPolicyApplyConfiguration, error) {
-	return extractMutatingAdmissionPolicy(mutatingAdmissionPolicy, fieldManager, "")
-}
-
-// ExtractMutatingAdmissionPolicyStatus is the same as ExtractMutatingAdmissionPolicy except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractMutatingAdmissionPolicyStatus(mutatingAdmissionPolicy *admissionregistrationv1alpha1.MutatingAdmissionPolicy, fieldManager string) (*MutatingAdmissionPolicyApplyConfiguration, error) {
-	return extractMutatingAdmissionPolicy(mutatingAdmissionPolicy, fieldManager, "status")
-}
-
-func extractMutatingAdmissionPolicy(mutatingAdmissionPolicy *admissionregistrationv1alpha1.MutatingAdmissionPolicy, fieldManager string, subresource string) (*MutatingAdmissionPolicyApplyConfiguration, error) {
+func ExtractMutatingAdmissionPolicyFrom(mutatingAdmissionPolicy *admissionregistrationv1alpha1.MutatingAdmissionPolicy, fieldManager string, subresource string) (*MutatingAdmissionPolicyApplyConfiguration, error) {
 	b := &MutatingAdmissionPolicyApplyConfiguration{}
 	err := managedfields.ExtractInto(mutatingAdmissionPolicy, internal.Parser().Type("io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicy"), fieldManager, b, subresource)
 	if err != nil {
@@ -79,6 +68,21 @@ func extractMutatingAdmissionPolicy(mutatingAdmissionPolicy *admissionregistrati
 	b.WithAPIVersion("admissionregistration.k8s.io/v1alpha1")
 	return b, nil
 }
+
+// ExtractMutatingAdmissionPolicy extracts the applied configuration owned by fieldManager from
+// mutatingAdmissionPolicy. If no managedFields are found in mutatingAdmissionPolicy for fieldManager, a
+// MutatingAdmissionPolicyApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// mutatingAdmissionPolicy must be a unmodified MutatingAdmissionPolicy API object that was retrieved from the Kubernetes API.
+// ExtractMutatingAdmissionPolicy provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractMutatingAdmissionPolicy(mutatingAdmissionPolicy *admissionregistrationv1alpha1.MutatingAdmissionPolicy, fieldManager string) (*MutatingAdmissionPolicyApplyConfiguration, error) {
+	return ExtractMutatingAdmissionPolicyFrom(mutatingAdmissionPolicy, fieldManager, "")
+}
+
 func (b MutatingAdmissionPolicyApplyConfiguration) IsApplyConfiguration() {}

 // WithKind sets the Kind field in the declarative configuration to the given value
--- a/applyconfigurations/admissionregistration/v1alpha1/mutatingadmissionpolicybinding.go
+++ b/applyconfigurations/admissionregistration/v1alpha1/mutatingadmissionpolicybinding.go
@@ -29,10 +29,24 @@ import (

 // MutatingAdmissionPolicyBindingApplyConfiguration represents a declarative configuration of the MutatingAdmissionPolicyBinding type for use
 // with apply.
+//
+// MutatingAdmissionPolicyBinding binds the MutatingAdmissionPolicy with parametrized resources.
+// MutatingAdmissionPolicyBinding and the optional parameter resource together define how cluster administrators
+// configure policies for clusters.
+//
+// For a given admission request, each binding will cause its policy to be
+// evaluated N times, where N is 1 for policies/bindings that don't use
+// params, otherwise N is the number of parameters selected by the binding.
+// Each evaluation is constrained by a [runtime cost budget](https://kubernetes.io/docs/reference/using-api/cel/#runtime-cost-budget).
+//
+// Adding/removing policies, bindings, or params can not affect whether a
+// given (policy, binding, param) combination is within its own CEL budget.
 type MutatingAdmissionPolicyBindingApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *MutatingAdmissionPolicyBindingSpecApplyConfiguration `json:"spec,omitempty"`
+	// Specification of the desired behavior of the MutatingAdmissionPolicyBinding.
+	Spec *MutatingAdmissionPolicyBindingSpecApplyConfiguration `json:"spec,omitempty"`
 }

 // MutatingAdmissionPolicyBinding constructs a declarative configuration of the MutatingAdmissionPolicyBinding type for use with
@@ -45,29 +59,14 @@ func MutatingAdmissionPolicyBinding(name string) *MutatingAdmissionPolicyBinding
 	return b
 }

-// ExtractMutatingAdmissionPolicyBinding extracts the applied configuration owned by fieldManager from
-// mutatingAdmissionPolicyBinding. If no managedFields are found in mutatingAdmissionPolicyBinding for fieldManager, a
-// MutatingAdmissionPolicyBindingApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractMutatingAdmissionPolicyBindingFrom extracts the applied configuration owned by fieldManager from
+// mutatingAdmissionPolicyBinding for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // mutatingAdmissionPolicyBinding must be a unmodified MutatingAdmissionPolicyBinding API object that was retrieved from the Kubernetes API.
-// ExtractMutatingAdmissionPolicyBinding provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractMutatingAdmissionPolicyBindingFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractMutatingAdmissionPolicyBinding(mutatingAdmissionPolicyBinding *admissionregistrationv1alpha1.MutatingAdmissionPolicyBinding, fieldManager string) (*MutatingAdmissionPolicyBindingApplyConfiguration, error) {
-	return extractMutatingAdmissionPolicyBinding(mutatingAdmissionPolicyBinding, fieldManager, "")
-}
-
-// ExtractMutatingAdmissionPolicyBindingStatus is the same as ExtractMutatingAdmissionPolicyBinding except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractMutatingAdmissionPolicyBindingStatus(mutatingAdmissionPolicyBinding *admissionregistrationv1alpha1.MutatingAdmissionPolicyBinding, fieldManager string) (*MutatingAdmissionPolicyBindingApplyConfiguration, error) {
-	return extractMutatingAdmissionPolicyBinding(mutatingAdmissionPolicyBinding, fieldManager, "status")
-}
-
-func extractMutatingAdmissionPolicyBinding(mutatingAdmissionPolicyBinding *admissionregistrationv1alpha1.MutatingAdmissionPolicyBinding, fieldManager string, subresource string) (*MutatingAdmissionPolicyBindingApplyConfiguration, error) {
+func ExtractMutatingAdmissionPolicyBindingFrom(mutatingAdmissionPolicyBinding *admissionregistrationv1alpha1.MutatingAdmissionPolicyBinding, fieldManager string, subresource string) (*MutatingAdmissionPolicyBindingApplyConfiguration, error) {
 	b := &MutatingAdmissionPolicyBindingApplyConfiguration{}
 	err := managedfields.ExtractInto(mutatingAdmissionPolicyBinding, internal.Parser().Type("io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicyBinding"), fieldManager, b, subresource)
 	if err != nil {
@@ -79,6 +78,21 @@ func extractMutatingAdmissionPolicyBinding(mutatingAdmissionPolicyBinding *admis
 	b.WithAPIVersion("admissionregistration.k8s.io/v1alpha1")
 	return b, nil
 }
+
+// ExtractMutatingAdmissionPolicyBinding extracts the applied configuration owned by fieldManager from
+// mutatingAdmissionPolicyBinding. If no managedFields are found in mutatingAdmissionPolicyBinding for fieldManager, a
+// MutatingAdmissionPolicyBindingApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// mutatingAdmissionPolicyBinding must be a unmodified MutatingAdmissionPolicyBinding API object that was retrieved from the Kubernetes API.
+// ExtractMutatingAdmissionPolicyBinding provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractMutatingAdmissionPolicyBinding(mutatingAdmissionPolicyBinding *admissionregistrationv1alpha1.MutatingAdmissionPolicyBinding, fieldManager string) (*MutatingAdmissionPolicyBindingApplyConfiguration, error) {
+	return ExtractMutatingAdmissionPolicyBindingFrom(mutatingAdmissionPolicyBinding, fieldManager, "")
+}
+
 func (b MutatingAdmissionPolicyBindingApplyConfiguration) IsApplyConfiguration() {}

 // WithKind sets the Kind field in the declarative configuration to the given value
--- a/applyconfigurations/admissionregistration/v1alpha1/mutatingadmissionpolicybindingspec.go
+++ b/applyconfigurations/admissionregistration/v1alpha1/mutatingadmissionpolicybindingspec.go
@@ -20,9 +20,27 @@ package v1alpha1

 // MutatingAdmissionPolicyBindingSpecApplyConfiguration represents a declarative configuration of the MutatingAdmissionPolicyBindingSpec type for use
 // with apply.
+//
+// MutatingAdmissionPolicyBindingSpec is the specification of the MutatingAdmissionPolicyBinding.
 type MutatingAdmissionPolicyBindingSpecApplyConfiguration struct {
-	PolicyName     *string                           `json:"policyName,omitempty"`
-	ParamRef       *ParamRefApplyConfiguration       `json:"paramRef,omitempty"`
+	// policyName references a MutatingAdmissionPolicy name which the MutatingAdmissionPolicyBinding binds to.
+	// If the referenced resource does not exist, this binding is considered invalid and will be ignored
+	// Required.
+	PolicyName *string `json:"policyName,omitempty"`
+	// paramRef specifies the parameter resource used to configure the admission control policy.
+	// It should point to a resource of the type specified in spec.ParamKind of the bound MutatingAdmissionPolicy.
+	// If the policy specifies a ParamKind and the resource referred to by ParamRef does not exist, this binding is considered mis-configured and the FailurePolicy of the MutatingAdmissionPolicy applied.
+	// If the policy does not specify a ParamKind then this field is ignored, and the rules are evaluated without a param.
+	ParamRef *ParamRefApplyConfiguration `json:"paramRef,omitempty"`
+	// matchResources limits what resources match this binding and may be mutated by it.
+	// Note that if matchResources matches a resource, the resource must also match a policy's matchConstraints and
+	// matchConditions before the resource may be mutated.
+	// When matchResources is unset, it does not constrain resource matching, and only the policy's matchConstraints
+	// and matchConditions must match for the resource to be mutated.
+	// Additionally, matchResources.resourceRules are optional and do not constraint matching when unset.
+	// Note that this is differs from MutatingAdmissionPolicy matchConstraints, where resourceRules are required.
+	// The CREATE, UPDATE and CONNECT operations are allowed.  The DELETE operation may not be matched.
+	// '*' matches CREATE, UPDATE and CONNECT.
 	MatchResources *MatchResourcesApplyConfiguration `json:"matchResources,omitempty"`
 }

--- a/applyconfigurations/admissionregistration/v1alpha1/mutatingadmissionpolicyspec.go
+++ b/applyconfigurations/admissionregistration/v1alpha1/mutatingadmissionpolicyspec.go
@@ -25,14 +25,74 @@ import (

 // MutatingAdmissionPolicySpecApplyConfiguration represents a declarative configuration of the MutatingAdmissionPolicySpec type for use
 // with apply.
+//
+// MutatingAdmissionPolicySpec is the specification of the desired behavior of the admission policy.
 type MutatingAdmissionPolicySpecApplyConfiguration struct {
-	ParamKind          *ParamKindApplyConfiguration                     `json:"paramKind,omitempty"`
-	MatchConstraints   *MatchResourcesApplyConfiguration                `json:"matchConstraints,omitempty"`
-	Variables          []VariableApplyConfiguration                     `json:"variables,omitempty"`
-	Mutations          []MutationApplyConfiguration                     `json:"mutations,omitempty"`
-	FailurePolicy      *admissionregistrationv1alpha1.FailurePolicyType `json:"failurePolicy,omitempty"`
-	MatchConditions    []MatchConditionApplyConfiguration               `json:"matchConditions,omitempty"`
-	ReinvocationPolicy *v1.ReinvocationPolicyType                       `json:"reinvocationPolicy,omitempty"`
+	// paramKind specifies the kind of resources used to parameterize this policy.
+	// If absent, there are no parameters for this policy and the param CEL variable will not be provided to validation expressions.
+	// If paramKind refers to a non-existent kind, this policy definition is mis-configured and the FailurePolicy is applied.
+	// If paramKind is specified but paramRef is unset in MutatingAdmissionPolicyBinding, the params variable will be null.
+	ParamKind *ParamKindApplyConfiguration `json:"paramKind,omitempty"`
+	// matchConstraints specifies what resources this policy is designed to validate.
+	// The MutatingAdmissionPolicy cares about a request if it matches _all_ Constraints.
+	// However, in order to prevent clusters from being put into an unstable state that cannot be recovered from via the API
+	// MutatingAdmissionPolicy cannot match MutatingAdmissionPolicy and MutatingAdmissionPolicyBinding.
+	// The CREATE, UPDATE and CONNECT operations are allowed.  The DELETE operation may not be matched.
+	// '*' matches CREATE, UPDATE and CONNECT.
+	// Required.
+	MatchConstraints *MatchResourcesApplyConfiguration `json:"matchConstraints,omitempty"`
+	// variables contain definitions of variables that can be used in composition of other expressions.
+	// Each variable is defined as a named CEL expression.
+	// The variables defined here will be available under `variables` in other expressions of the policy
+	// except matchConditions because matchConditions are evaluated before the rest of the policy.
+	//
+	// The expression of a variable can refer to other variables defined earlier in the list but not those after.
+	// Thus, variables must be sorted by the order of first appearance and acyclic.
+	Variables []VariableApplyConfiguration `json:"variables,omitempty"`
+	// mutations contain operations to perform on matching objects.
+	// mutations may not be empty; a minimum of one mutation is required.
+	// mutations are evaluated in order, and are reinvoked according to
+	// the reinvocationPolicy.
+	// The mutations of a policy are invoked for each binding of this policy
+	// and reinvocation of mutations occurs on a per binding basis.
+	Mutations []MutationApplyConfiguration `json:"mutations,omitempty"`
+	// failurePolicy defines how to handle failures for the admission policy. Failures can
+	// occur from CEL expression parse errors, type check errors, runtime errors and invalid
+	// or mis-configured policy definitions or bindings.
+	//
+	// A policy is invalid if paramKind refers to a non-existent Kind.
+	// A binding is invalid if paramRef.name refers to a non-existent resource.
+	//
+	// failurePolicy does not define how validations that evaluate to false are handled.
+	//
+	// Allowed values are Ignore or Fail. Defaults to Fail.
+	FailurePolicy *admissionregistrationv1alpha1.FailurePolicyType `json:"failurePolicy,omitempty"`
+	// matchConditions is a list of conditions that must be met for a request to be validated.
+	// Match conditions filter requests that have already been matched by the matchConstraints.
+	// An empty list of matchConditions matches all requests.
+	// There are a maximum of 64 match conditions allowed.
+	//
+	// If a parameter object is provided, it can be accessed via the `params` handle in the same
+	// manner as validation expressions.
+	//
+	// The exact matching logic is (in order):
+	// 1. If ANY matchCondition evaluates to FALSE, the policy is skipped.
+	// 2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.
+	// 3. If any matchCondition evaluates to an error (but none are FALSE):
+	// - If failurePolicy=Fail, reject the request
+	// - If failurePolicy=Ignore, the policy is skipped
+	MatchConditions []MatchConditionApplyConfiguration `json:"matchConditions,omitempty"`
+	// reinvocationPolicy indicates whether mutations may be called multiple times per MutatingAdmissionPolicyBinding
+	// as part of a single admission evaluation.
+	// Allowed values are "Never" and "IfNeeded".
+	//
+	// Never: These mutations will not be called more than once per binding in a single admission evaluation.
+	//
+	// IfNeeded: These mutations may be invoked more than once per binding for a single admission request and there is no guarantee of
+	// order with respect to other admission plugins, admission webhooks, bindings of this policy and admission policies.  Mutations are only
+	// reinvoked when mutations change the object after this mutation is invoked.
+	// Required.
+	ReinvocationPolicy *v1.ReinvocationPolicyType `json:"reinvocationPolicy,omitempty"`
 }

 // MutatingAdmissionPolicySpecApplyConfiguration constructs a declarative configuration of the MutatingAdmissionPolicySpec type for use with
--- a/applyconfigurations/admissionregistration/v1alpha1/mutation.go
+++ b/applyconfigurations/admissionregistration/v1alpha1/mutation.go
@@ -24,10 +24,21 @@ import (

 // MutationApplyConfiguration represents a declarative configuration of the Mutation type for use
 // with apply.
+//
+// Mutation specifies the CEL expression which is used to apply the Mutation.
 type MutationApplyConfiguration struct {
-	PatchType          *admissionregistrationv1alpha1.PatchType `json:"patchType,omitempty"`
-	ApplyConfiguration *ApplyConfigurationApplyConfiguration    `json:"applyConfiguration,omitempty"`
-	JSONPatch          *JSONPatchApplyConfiguration             `json:"jsonPatch,omitempty"`
+	// patchType indicates the patch strategy used.
+	// Allowed values are "ApplyConfiguration" and "JSONPatch".
+	// Required.
+	PatchType *admissionregistrationv1alpha1.PatchType `json:"patchType,omitempty"`
+	// applyConfiguration defines the desired configuration values of an object.
+	// The configuration is applied to the admission object using
+	// [structured merge diff](https://github.com/kubernetes-sigs/structured-merge-diff).
+	// A CEL expression is used to create apply configuration.
+	ApplyConfiguration *ApplyConfigurationApplyConfiguration `json:"applyConfiguration,omitempty"`
+	// jsonPatch defines a [JSON patch](https://jsonpatch.com/) operation to perform a mutation to the object.
+	// A CEL expression is used to create the JSON patch.
+	JSONPatch *JSONPatchApplyConfiguration `json:"jsonPatch,omitempty"`
 }

 // MutationApplyConfiguration constructs a declarative configuration of the Mutation type for use with
--- a/applyconfigurations/admissionregistration/v1alpha1/namedrulewithoperations.go
+++ b/applyconfigurations/admissionregistration/v1alpha1/namedrulewithoperations.go
@@ -25,8 +25,12 @@ import (

 // NamedRuleWithOperationsApplyConfiguration represents a declarative configuration of the NamedRuleWithOperations type for use
 // with apply.
+//
+// NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.
 type NamedRuleWithOperationsApplyConfiguration struct {
-	ResourceNames                           []string `json:"resourceNames,omitempty"`
+	// ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.
+	ResourceNames []string `json:"resourceNames,omitempty"`
+	// RuleWithOperations is a tuple of Operations and Resources.
 	v1.RuleWithOperationsApplyConfiguration `json:",inline"`
 }

--- a/applyconfigurations/admissionregistration/v1alpha1/paramkind.go
+++ b/applyconfigurations/admissionregistration/v1alpha1/paramkind.go
@@ -20,9 +20,16 @@ package v1alpha1

 // ParamKindApplyConfiguration represents a declarative configuration of the ParamKind type for use
 // with apply.
+//
+// ParamKind is a tuple of Group Kind and Version.
 type ParamKindApplyConfiguration struct {
+	// APIVersion is the API group version the resources belong to.
+	// In format of "group/version".
+	// Required.
 	APIVersion *string `json:"apiVersion,omitempty"`
-	Kind       *string `json:"kind,omitempty"`
+	// Kind is the API kind the resources belong to.
+	// Required.
+	Kind *string `json:"kind,omitempty"`
 }

 // ParamKindApplyConfiguration constructs a declarative configuration of the ParamKind type for use with
--- a/applyconfigurations/admissionregistration/v1alpha1/paramref.go
+++ b/applyconfigurations/admissionregistration/v1alpha1/paramref.go
@@ -25,10 +25,48 @@ import (

 // ParamRefApplyConfiguration represents a declarative configuration of the ParamRef type for use
 // with apply.
+//
+// ParamRef describes how to locate the params to be used as input to
+// expressions of rules applied by a policy binding.
 type ParamRefApplyConfiguration struct {
-	Name                    *string                                                    `json:"name,omitempty"`
-	Namespace               *string                                                    `json:"namespace,omitempty"`
-	Selector                *v1.LabelSelectorApplyConfiguration                        `json:"selector,omitempty"`
+	// `name` is the name of the resource being referenced.
+	//
+	// `name` and `selector` are mutually exclusive properties. If one is set,
+	// the other must be unset.
+	Name *string `json:"name,omitempty"`
+	// namespace is the namespace of the referenced resource. Allows limiting
+	// the search for params to a specific namespace. Applies to both `name` and
+	// `selector` fields.
+	//
+	// A per-namespace parameter may be used by specifying a namespace-scoped
+	// `paramKind` in the policy and leaving this field empty.
+	//
+	// - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this
+	// field results in a configuration error.
+	//
+	// - If `paramKind` is namespace-scoped, the namespace of the object being
+	// evaluated for admission will be used when this field is left unset. Take
+	// care that if this is left empty the binding must not match any cluster-scoped
+	// resources, which will result in an error.
+	Namespace *string `json:"namespace,omitempty"`
+	// selector can be used to match multiple param objects based on their labels.
+	// Supply selector: {} to match all resources of the ParamKind.
+	//
+	// If multiple params are found, they are all evaluated with the policy expressions
+	// and the results are ANDed together.
+	//
+	// One of `name` or `selector` must be set, but `name` and `selector` are
+	// mutually exclusive properties. If one is set, the other must be unset.
+	Selector *v1.LabelSelectorApplyConfiguration `json:"selector,omitempty"`
+	// `parameterNotFoundAction` controls the behavior of the binding when the resource
+	// exists, and name or selector is valid, but there are no parameters
+	// matched by the binding. If the value is set to `Allow`, then no
+	// matched parameters will be treated as successful validation by the binding.
+	// If set to `Deny`, then no matched parameters will be subject to the
+	// `failurePolicy` of the policy.
+	//
+	// Allowed values are `Allow` or `Deny`
+	// Default to `Deny`
 	ParameterNotFoundAction *admissionregistrationv1alpha1.ParameterNotFoundActionType `json:"parameterNotFoundAction,omitempty"`
 }

--- a/applyconfigurations/admissionregistration/v1alpha1/typechecking.go
+++ b/applyconfigurations/admissionregistration/v1alpha1/typechecking.go
@@ -20,7 +20,11 @@ package v1alpha1

 // TypeCheckingApplyConfiguration represents a declarative configuration of the TypeChecking type for use
 // with apply.
+//
+// TypeChecking contains results of type checking the expressions in the
+// ValidatingAdmissionPolicy
 type TypeCheckingApplyConfiguration struct {
+	// The type checking warnings for each expression.
 	ExpressionWarnings []ExpressionWarningApplyConfiguration `json:"expressionWarnings,omitempty"`
 }

--- a/applyconfigurations/admissionregistration/v1alpha1/validatingadmissionpolicy.go
+++ b/applyconfigurations/admissionregistration/v1alpha1/validatingadmissionpolicy.go
@@ -29,11 +29,19 @@ import (

 // ValidatingAdmissionPolicyApplyConfiguration represents a declarative configuration of the ValidatingAdmissionPolicy type for use
 // with apply.
+//
+// ValidatingAdmissionPolicy describes the definition of an admission validation policy that accepts or rejects an object without changing it.
 type ValidatingAdmissionPolicyApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *ValidatingAdmissionPolicySpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                           *ValidatingAdmissionPolicyStatusApplyConfiguration `json:"status,omitempty"`
+	// Specification of the desired behavior of the ValidatingAdmissionPolicy.
+	Spec *ValidatingAdmissionPolicySpecApplyConfiguration `json:"spec,omitempty"`
+	// The status of the ValidatingAdmissionPolicy, including warnings that are useful to determine if the policy
+	// behaves in the expected way.
+	// Populated by the system.
+	// Read-only.
+	Status *ValidatingAdmissionPolicyStatusApplyConfiguration `json:"status,omitempty"`
 }

 // ValidatingAdmissionPolicy constructs a declarative configuration of the ValidatingAdmissionPolicy type for use with
@@ -46,29 +54,14 @@ func ValidatingAdmissionPolicy(name string) *ValidatingAdmissionPolicyApplyConfi
 	return b
 }

-// ExtractValidatingAdmissionPolicy extracts the applied configuration owned by fieldManager from
-// validatingAdmissionPolicy. If no managedFields are found in validatingAdmissionPolicy for fieldManager, a
-// ValidatingAdmissionPolicyApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractValidatingAdmissionPolicyFrom extracts the applied configuration owned by fieldManager from
+// validatingAdmissionPolicy for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // validatingAdmissionPolicy must be a unmodified ValidatingAdmissionPolicy API object that was retrieved from the Kubernetes API.
-// ExtractValidatingAdmissionPolicy provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractValidatingAdmissionPolicyFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractValidatingAdmissionPolicy(validatingAdmissionPolicy *admissionregistrationv1alpha1.ValidatingAdmissionPolicy, fieldManager string) (*ValidatingAdmissionPolicyApplyConfiguration, error) {
-	return extractValidatingAdmissionPolicy(validatingAdmissionPolicy, fieldManager, "")
-}
-
-// ExtractValidatingAdmissionPolicyStatus is the same as ExtractValidatingAdmissionPolicy except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractValidatingAdmissionPolicyStatus(validatingAdmissionPolicy *admissionregistrationv1alpha1.ValidatingAdmissionPolicy, fieldManager string) (*ValidatingAdmissionPolicyApplyConfiguration, error) {
-	return extractValidatingAdmissionPolicy(validatingAdmissionPolicy, fieldManager, "status")
-}
-
-func extractValidatingAdmissionPolicy(validatingAdmissionPolicy *admissionregistrationv1alpha1.ValidatingAdmissionPolicy, fieldManager string, subresource string) (*ValidatingAdmissionPolicyApplyConfiguration, error) {
+func ExtractValidatingAdmissionPolicyFrom(validatingAdmissionPolicy *admissionregistrationv1alpha1.ValidatingAdmissionPolicy, fieldManager string, subresource string) (*ValidatingAdmissionPolicyApplyConfiguration, error) {
 	b := &ValidatingAdmissionPolicyApplyConfiguration{}
 	err := managedfields.ExtractInto(validatingAdmissionPolicy, internal.Parser().Type("io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicy"), fieldManager, b, subresource)
 	if err != nil {
@@ -80,6 +73,27 @@ func extractValidatingAdmissionPolicy(validatingAdmissionPolicy *admissionregist
 	b.WithAPIVersion("admissionregistration.k8s.io/v1alpha1")
 	return b, nil
 }
+
+// ExtractValidatingAdmissionPolicy extracts the applied configuration owned by fieldManager from
+// validatingAdmissionPolicy. If no managedFields are found in validatingAdmissionPolicy for fieldManager, a
+// ValidatingAdmissionPolicyApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// validatingAdmissionPolicy must be a unmodified ValidatingAdmissionPolicy API object that was retrieved from the Kubernetes API.
+// ExtractValidatingAdmissionPolicy provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractValidatingAdmissionPolicy(validatingAdmissionPolicy *admissionregistrationv1alpha1.ValidatingAdmissionPolicy, fieldManager string) (*ValidatingAdmissionPolicyApplyConfiguration, error) {
+	return ExtractValidatingAdmissionPolicyFrom(validatingAdmissionPolicy, fieldManager, "")
+}
+
+// ExtractValidatingAdmissionPolicyStatus extracts the applied configuration owned by fieldManager from
+// validatingAdmissionPolicy for the status subresource.
+func ExtractValidatingAdmissionPolicyStatus(validatingAdmissionPolicy *admissionregistrationv1alpha1.ValidatingAdmissionPolicy, fieldManager string) (*ValidatingAdmissionPolicyApplyConfiguration, error) {
+	return ExtractValidatingAdmissionPolicyFrom(validatingAdmissionPolicy, fieldManager, "status")
+}
+
 func (b ValidatingAdmissionPolicyApplyConfiguration) IsApplyConfiguration() {}

 // WithKind sets the Kind field in the declarative configuration to the given value
--- a/applyconfigurations/admissionregistration/v1alpha1/validatingadmissionpolicybinding.go
+++ b/applyconfigurations/admissionregistration/v1alpha1/validatingadmissionpolicybinding.go
@@ -29,10 +29,24 @@ import (

 // ValidatingAdmissionPolicyBindingApplyConfiguration represents a declarative configuration of the ValidatingAdmissionPolicyBinding type for use
 // with apply.
+//
+// ValidatingAdmissionPolicyBinding binds the ValidatingAdmissionPolicy with paramerized resources.
+// ValidatingAdmissionPolicyBinding and parameter CRDs together define how cluster administrators configure policies for clusters.
+//
+// For a given admission request, each binding will cause its policy to be
+// evaluated N times, where N is 1 for policies/bindings that don't use
+// params, otherwise N is the number of parameters selected by the binding.
+//
+// The CEL expressions of a policy must have a computed CEL cost below the maximum
+// CEL budget. Each evaluation of the policy is given an independent CEL cost budget.
+// Adding/removing policies, bindings, or params can not affect whether a
+// given (policy, binding, param) combination is within its own CEL budget.
 type ValidatingAdmissionPolicyBindingApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *ValidatingAdmissionPolicyBindingSpecApplyConfiguration `json:"spec,omitempty"`
+	// Specification of the desired behavior of the ValidatingAdmissionPolicyBinding.
+	Spec *ValidatingAdmissionPolicyBindingSpecApplyConfiguration `json:"spec,omitempty"`
 }

 // ValidatingAdmissionPolicyBinding constructs a declarative configuration of the ValidatingAdmissionPolicyBinding type for use with
@@ -45,29 +59,14 @@ func ValidatingAdmissionPolicyBinding(name string) *ValidatingAdmissionPolicyBin
 	return b
 }

-// ExtractValidatingAdmissionPolicyBinding extracts the applied configuration owned by fieldManager from
-// validatingAdmissionPolicyBinding. If no managedFields are found in validatingAdmissionPolicyBinding for fieldManager, a
-// ValidatingAdmissionPolicyBindingApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractValidatingAdmissionPolicyBindingFrom extracts the applied configuration owned by fieldManager from
+// validatingAdmissionPolicyBinding for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // validatingAdmissionPolicyBinding must be a unmodified ValidatingAdmissionPolicyBinding API object that was retrieved from the Kubernetes API.
-// ExtractValidatingAdmissionPolicyBinding provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractValidatingAdmissionPolicyBindingFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractValidatingAdmissionPolicyBinding(validatingAdmissionPolicyBinding *admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding, fieldManager string) (*ValidatingAdmissionPolicyBindingApplyConfiguration, error) {
-	return extractValidatingAdmissionPolicyBinding(validatingAdmissionPolicyBinding, fieldManager, "")
-}
-
-// ExtractValidatingAdmissionPolicyBindingStatus is the same as ExtractValidatingAdmissionPolicyBinding except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractValidatingAdmissionPolicyBindingStatus(validatingAdmissionPolicyBinding *admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding, fieldManager string) (*ValidatingAdmissionPolicyBindingApplyConfiguration, error) {
-	return extractValidatingAdmissionPolicyBinding(validatingAdmissionPolicyBinding, fieldManager, "status")
-}
-
-func extractValidatingAdmissionPolicyBinding(validatingAdmissionPolicyBinding *admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding, fieldManager string, subresource string) (*ValidatingAdmissionPolicyBindingApplyConfiguration, error) {
+func ExtractValidatingAdmissionPolicyBindingFrom(validatingAdmissionPolicyBinding *admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding, fieldManager string, subresource string) (*ValidatingAdmissionPolicyBindingApplyConfiguration, error) {
 	b := &ValidatingAdmissionPolicyBindingApplyConfiguration{}
 	err := managedfields.ExtractInto(validatingAdmissionPolicyBinding, internal.Parser().Type("io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicyBinding"), fieldManager, b, subresource)
 	if err != nil {
@@ -79,6 +78,21 @@ func extractValidatingAdmissionPolicyBinding(validatingAdmissionPolicyBinding *a
 	b.WithAPIVersion("admissionregistration.k8s.io/v1alpha1")
 	return b, nil
 }
+
+// ExtractValidatingAdmissionPolicyBinding extracts the applied configuration owned by fieldManager from
+// validatingAdmissionPolicyBinding. If no managedFields are found in validatingAdmissionPolicyBinding for fieldManager, a
+// ValidatingAdmissionPolicyBindingApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// validatingAdmissionPolicyBinding must be a unmodified ValidatingAdmissionPolicyBinding API object that was retrieved from the Kubernetes API.
+// ExtractValidatingAdmissionPolicyBinding provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractValidatingAdmissionPolicyBinding(validatingAdmissionPolicyBinding *admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding, fieldManager string) (*ValidatingAdmissionPolicyBindingApplyConfiguration, error) {
+	return ExtractValidatingAdmissionPolicyBindingFrom(validatingAdmissionPolicyBinding, fieldManager, "")
+}
+
 func (b ValidatingAdmissionPolicyBindingApplyConfiguration) IsApplyConfiguration() {}

 // WithKind sets the Kind field in the declarative configuration to the given value
--- a/applyconfigurations/admissionregistration/v1alpha1/validatingadmissionpolicybindingspec.go
+++ b/applyconfigurations/admissionregistration/v1alpha1/validatingadmissionpolicybindingspec.go
@@ -24,10 +24,63 @@ import (

 // ValidatingAdmissionPolicyBindingSpecApplyConfiguration represents a declarative configuration of the ValidatingAdmissionPolicyBindingSpec type for use
 // with apply.
+//
+// ValidatingAdmissionPolicyBindingSpec is the specification of the ValidatingAdmissionPolicyBinding.
 type ValidatingAdmissionPolicyBindingSpecApplyConfiguration struct {
-	PolicyName        *string                                          `json:"policyName,omitempty"`
-	ParamRef          *ParamRefApplyConfiguration                      `json:"paramRef,omitempty"`
-	MatchResources    *MatchResourcesApplyConfiguration                `json:"matchResources,omitempty"`
+	// PolicyName references a ValidatingAdmissionPolicy name which the ValidatingAdmissionPolicyBinding binds to.
+	// If the referenced resource does not exist, this binding is considered invalid and will be ignored
+	// Required.
+	PolicyName *string `json:"policyName,omitempty"`
+	// paramRef specifies the parameter resource used to configure the admission control policy.
+	// It should point to a resource of the type specified in ParamKind of the bound ValidatingAdmissionPolicy.
+	// If the policy specifies a ParamKind and the resource referred to by ParamRef does not exist, this binding is considered mis-configured and the FailurePolicy of the ValidatingAdmissionPolicy applied.
+	// If the policy does not specify a ParamKind then this field is ignored, and the rules are evaluated without a param.
+	ParamRef *ParamRefApplyConfiguration `json:"paramRef,omitempty"`
+	// MatchResources declares what resources match this binding and will be validated by it.
+	// Note that this is intersected with the policy's matchConstraints, so only requests that are matched by the policy can be selected by this.
+	// If this is unset, all resources matched by the policy are validated by this binding
+	// When resourceRules is unset, it does not constrain resource matching. If a resource is matched by the other fields of this object, it will be validated.
+	// Note that this is differs from ValidatingAdmissionPolicy matchConstraints, where resourceRules are required.
+	MatchResources *MatchResourcesApplyConfiguration `json:"matchResources,omitempty"`
+	// validationActions declares how Validations of the referenced ValidatingAdmissionPolicy are enforced.
+	// If a validation evaluates to false it is always enforced according to these actions.
+	//
+	// Failures defined by the ValidatingAdmissionPolicy's FailurePolicy are enforced according
+	// to these actions only if the FailurePolicy is set to Fail, otherwise the failures are
+	// ignored. This includes compilation errors, runtime errors and misconfigurations of the policy.
+	//
+	// validationActions is declared as a set of action values. Order does
+	// not matter. validationActions may not contain duplicates of the same action.
+	//
+	// The supported actions values are:
+	//
+	// "Deny" specifies that a validation failure results in a denied request.
+	//
+	// "Warn" specifies that a validation failure is reported to the request client
+	// in HTTP Warning headers, with a warning code of 299. Warnings can be sent
+	// both for allowed or denied admission responses.
+	//
+	// "Audit" specifies that a validation failure is included in the published
+	// audit event for the request. The audit event will contain a
+	// `validation.policy.admission.k8s.io/validation_failure` audit annotation
+	// with a value containing the details of the validation failures, formatted as
+	// a JSON list of objects, each with the following fields:
+	// - message: The validation failure message string
+	// - policy: The resource name of the ValidatingAdmissionPolicy
+	// - binding: The resource name of the ValidatingAdmissionPolicyBinding
+	// - expressionIndex: The index of the failed validations in the ValidatingAdmissionPolicy
+	// - validationActions: The enforcement actions enacted for the validation failure
+	// Example audit annotation:
+	// `"validation.policy.admission.k8s.io/validation_failure": "[{\"message\": \"Invalid value\", {\"policy\": \"policy.example.com\", {\"binding\": \"policybinding.example.com\", {\"expressionIndex\": \"1\", {\"validationActions\": [\"Audit\"]}]"`
+	//
+	// Clients should expect to handle additional values by ignoring
+	// any values not recognized.
+	//
+	// "Deny" and "Warn" may not be used together since this combination
+	// needlessly duplicates the validation failure both in the
+	// API response body and the HTTP warning headers.
+	//
+	// Required.
 	ValidationActions []admissionregistrationv1alpha1.ValidationAction `json:"validationActions,omitempty"`
 }

--- a/applyconfigurations/admissionregistration/v1alpha1/validatingadmissionpolicyspec.go
+++ b/applyconfigurations/admissionregistration/v1alpha1/validatingadmissionpolicyspec.go
@@ -24,14 +24,66 @@ import (

 // ValidatingAdmissionPolicySpecApplyConfiguration represents a declarative configuration of the ValidatingAdmissionPolicySpec type for use
 // with apply.
+//
+// ValidatingAdmissionPolicySpec is the specification of the desired behavior of the AdmissionPolicy.
 type ValidatingAdmissionPolicySpecApplyConfiguration struct {
-	ParamKind        *ParamKindApplyConfiguration                     `json:"paramKind,omitempty"`
-	MatchConstraints *MatchResourcesApplyConfiguration                `json:"matchConstraints,omitempty"`
-	Validations      []ValidationApplyConfiguration                   `json:"validations,omitempty"`
-	FailurePolicy    *admissionregistrationv1alpha1.FailurePolicyType `json:"failurePolicy,omitempty"`
-	AuditAnnotations []AuditAnnotationApplyConfiguration              `json:"auditAnnotations,omitempty"`
-	MatchConditions  []MatchConditionApplyConfiguration               `json:"matchConditions,omitempty"`
-	Variables        []VariableApplyConfiguration                     `json:"variables,omitempty"`
+	// ParamKind specifies the kind of resources used to parameterize this policy.
+	// If absent, there are no parameters for this policy and the param CEL variable will not be provided to validation expressions.
+	// If ParamKind refers to a non-existent kind, this policy definition is mis-configured and the FailurePolicy is applied.
+	// If paramKind is specified but paramRef is unset in ValidatingAdmissionPolicyBinding, the params variable will be null.
+	ParamKind *ParamKindApplyConfiguration `json:"paramKind,omitempty"`
+	// MatchConstraints specifies what resources this policy is designed to validate.
+	// The AdmissionPolicy cares about a request if it matches _all_ Constraints.
+	// However, in order to prevent clusters from being put into an unstable state that cannot be recovered from via the API
+	// ValidatingAdmissionPolicy cannot match ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding.
+	// Required.
+	MatchConstraints *MatchResourcesApplyConfiguration `json:"matchConstraints,omitempty"`
+	// Validations contain CEL expressions which is used to apply the validation.
+	// Validations and AuditAnnotations may not both be empty; a minimum of one Validations or AuditAnnotations is
+	// required.
+	Validations []ValidationApplyConfiguration `json:"validations,omitempty"`
+	// failurePolicy defines how to handle failures for the admission policy. Failures can
+	// occur from CEL expression parse errors, type check errors, runtime errors and invalid
+	// or mis-configured policy definitions or bindings.
+	//
+	// A policy is invalid if spec.paramKind refers to a non-existent Kind.
+	// A binding is invalid if spec.paramRef.name refers to a non-existent resource.
+	//
+	// failurePolicy does not define how validations that evaluate to false are handled.
+	//
+	// When failurePolicy is set to Fail, ValidatingAdmissionPolicyBinding validationActions
+	// define how failures are enforced.
+	//
+	// Allowed values are Ignore or Fail. Defaults to Fail.
+	FailurePolicy *admissionregistrationv1alpha1.FailurePolicyType `json:"failurePolicy,omitempty"`
+	// auditAnnotations contains CEL expressions which are used to produce audit
+	// annotations for the audit event of the API request.
+	// validations and auditAnnotations may not both be empty; a least one of validations or auditAnnotations is
+	// required.
+	AuditAnnotations []AuditAnnotationApplyConfiguration `json:"auditAnnotations,omitempty"`
+	// MatchConditions is a list of conditions that must be met for a request to be validated.
+	// Match conditions filter requests that have already been matched by the rules,
+	// namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.
+	// There are a maximum of 64 match conditions allowed.
+	//
+	// If a parameter object is provided, it can be accessed via the `params` handle in the same
+	// manner as validation expressions.
+	//
+	// The exact matching logic is (in order):
+	// 1. If ANY matchCondition evaluates to FALSE, the policy is skipped.
+	// 2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.
+	// 3. If any matchCondition evaluates to an error (but none are FALSE):
+	// - If failurePolicy=Fail, reject the request
+	// - If failurePolicy=Ignore, the policy is skipped
+	MatchConditions []MatchConditionApplyConfiguration `json:"matchConditions,omitempty"`
+	// Variables contain definitions of variables that can be used in composition of other expressions.
+	// Each variable is defined as a named CEL expression.
+	// The variables defined here will be available under `variables` in other expressions of the policy
+	// except MatchConditions because MatchConditions are evaluated before the rest of the policy.
+	//
+	// The expression of a variable can refer to other variables defined earlier in the list but not those after.
+	// Thus, Variables must be sorted by the order of first appearance and acyclic.
+	Variables []VariableApplyConfiguration `json:"variables,omitempty"`
 }

 // ValidatingAdmissionPolicySpecApplyConfiguration constructs a declarative configuration of the ValidatingAdmissionPolicySpec type for use with
--- a/applyconfigurations/admissionregistration/v1alpha1/validatingadmissionpolicystatus.go
+++ b/applyconfigurations/admissionregistration/v1alpha1/validatingadmissionpolicystatus.go
@@ -24,10 +24,16 @@ import (

 // ValidatingAdmissionPolicyStatusApplyConfiguration represents a declarative configuration of the ValidatingAdmissionPolicyStatus type for use
 // with apply.
+//
+// ValidatingAdmissionPolicyStatus represents the status of a ValidatingAdmissionPolicy.
 type ValidatingAdmissionPolicyStatusApplyConfiguration struct {
-	ObservedGeneration *int64                           `json:"observedGeneration,omitempty"`
-	TypeChecking       *TypeCheckingApplyConfiguration  `json:"typeChecking,omitempty"`
-	Conditions         []v1.ConditionApplyConfiguration `json:"conditions,omitempty"`
+	// The generation observed by the controller.
+	ObservedGeneration *int64 `json:"observedGeneration,omitempty"`
+	// The results of type checking for each expression.
+	// Presence of this field indicates the completion of the type checking.
+	TypeChecking *TypeCheckingApplyConfiguration `json:"typeChecking,omitempty"`
+	// The conditions represent the latest available observations of a policy's current state.
+	Conditions []v1.ConditionApplyConfiguration `json:"conditions,omitempty"`
 }

 // ValidatingAdmissionPolicyStatusApplyConfiguration constructs a declarative configuration of the ValidatingAdmissionPolicyStatus type for use with
--- a/applyconfigurations/admissionregistration/v1alpha1/validation.go
+++ b/applyconfigurations/admissionregistration/v1alpha1/validation.go
@@ -24,11 +24,77 @@ import (

 // ValidationApplyConfiguration represents a declarative configuration of the Validation type for use
 // with apply.
+//
+// Validation specifies the CEL expression which is used to apply the validation.
 type ValidationApplyConfiguration struct {
-	Expression        *string          `json:"expression,omitempty"`
-	Message           *string          `json:"message,omitempty"`
-	Reason            *v1.StatusReason `json:"reason,omitempty"`
-	MessageExpression *string          `json:"messageExpression,omitempty"`
+	// Expression represents the expression which will be evaluated by CEL.
+	// ref: https://github.com/google/cel-spec
+	// CEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables:
+	//
+	// - 'object' - The object from the incoming request. The value is null for DELETE requests.
+	// - 'oldObject' - The existing object. The value is null for CREATE requests.
+	// - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
+	// - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.
+	// - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.
+	// - 'variables' - Map of composited variables, from its name to its lazily evaluated value.
+	// For example, a variable named 'foo' can be accessed as 'variables.foo'.
+	// - 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
+	// See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
+	// - 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
+	// request resource.
+	//
+	// The `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the
+	// object. No other metadata properties are accessible.
+	//
+	// Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.
+	// Accessible property names are escaped according to the following rules when accessed in the expression:
+	// - '__' escapes to '__underscores__'
+	// - '.' escapes to '__dot__'
+	// - '-' escapes to '__dash__'
+	// - '/' escapes to '__slash__'
+	// - Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are:
+	// "true", "false", "null", "in", "as", "break", "const", "continue", "else", "for", "function", "if",
+	// "import", "let", "loop", "package", "namespace", "return".
+	// Examples:
+	// - Expression accessing a property named "namespace": {"Expression": "object.__namespace__ > 0"}
+	// - Expression accessing a property named "x-prop": {"Expression": "object.x__dash__prop > 0"}
+	// - Expression accessing a property named "redact__d": {"Expression": "object.redact__underscores__d > 0"}
+	//
+	// Equality on arrays with list type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1].
+	// Concatenation on arrays with x-kubernetes-list-type use the semantics of the list type:
+	// - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and
+	// non-intersecting elements in `Y` are appended, retaining their partial order.
+	// - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values
+	// are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with
+	// non-intersecting keys are appended, retaining their partial order.
+	// Required.
+	Expression *string `json:"expression,omitempty"`
+	// Message represents the message displayed when validation fails. The message is required if the Expression contains
+	// line breaks. The message must not contain line breaks.
+	// If unset, the message is "failed rule: {Rule}".
+	// e.g. "must be a URL with the host matching spec.host"
+	// If the Expression contains line breaks. Message is required.
+	// The message must not contain line breaks.
+	// If unset, the message is "failed Expression: {Expression}".
+	Message *string `json:"message,omitempty"`
+	// Reason represents a machine-readable description of why this validation failed.
+	// If this is the first validation in the list to fail, this reason, as well as the
+	// corresponding HTTP response code, are used in the
+	// HTTP response to the client.
+	// The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge".
+	// If not set, StatusReasonInvalid is used in the response to the client.
+	Reason *v1.StatusReason `json:"reason,omitempty"`
+	// messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.
+	// Since messageExpression is used as a failure message, it must evaluate to a string.
+	// If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.
+	// If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced
+	// as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string
+	// that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and
+	// the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.
+	// messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.
+	// Example:
+	// "object.x must be less than max ("+string(params.max)+")"
+	MessageExpression *string `json:"messageExpression,omitempty"`
 }

 // ValidationApplyConfiguration constructs a declarative configuration of the Validation type for use with
--- a/applyconfigurations/admissionregistration/v1alpha1/variable.go
+++ b/applyconfigurations/admissionregistration/v1alpha1/variable.go
@@ -20,8 +20,15 @@ package v1alpha1

 // VariableApplyConfiguration represents a declarative configuration of the Variable type for use
 // with apply.
+//
+// Variable is the definition of a variable that is used for composition.
 type VariableApplyConfiguration struct {
-	Name       *string `json:"name,omitempty"`
+	// Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.
+	// The variable can be accessed in other expressions through `variables`
+	// For example, if name is "foo", the variable will be available as `variables.foo`
+	Name *string `json:"name,omitempty"`
+	// Expression is the expression that will be evaluated as the value of the variable.
+	// The CEL expression has access to the same identifiers as the CEL expressions in Validation.
 	Expression *string `json:"expression,omitempty"`
 }

--- a/applyconfigurations/admissionregistration/v1beta1/applyconfiguration.go
+++ b/applyconfigurations/admissionregistration/v1beta1/applyconfiguration.go
@@ -20,7 +20,49 @@ package v1beta1

 // ApplyConfigurationApplyConfiguration represents a declarative configuration of the ApplyConfiguration type for use
 // with apply.
+//
+// ApplyConfiguration defines the desired configuration values of an object.
 type ApplyConfigurationApplyConfiguration struct {
+	// expression will be evaluated by CEL to create an apply configuration.
+	// ref: https://github.com/google/cel-spec
+	//
+	// Apply configurations are declared in CEL using object initialization. For example, this CEL expression
+	// returns an apply configuration to set a single field:
+	//
+	// Object{
+	// spec: Object.spec{
+	// serviceAccountName: "example"
+	// }
+	// }
+	//
+	// Apply configurations may not modify atomic structs, maps or arrays due to the risk of accidental deletion of
+	// values not included in the apply configuration.
+	//
+	// CEL expressions have access to the object types needed to create apply configurations:
+	//
+	// - 'Object' - CEL type of the resource object.
+	// - 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec')
+	// - 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')
+	//
+	// CEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:
+	//
+	// - 'object' - The object from the incoming request. The value is null for DELETE requests.
+	// - 'oldObject' - The existing object. The value is null for CREATE requests.
+	// - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
+	// - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.
+	// - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.
+	// - 'variables' - Map of composited variables, from its name to its lazily evaluated value.
+	// For example, a variable named 'foo' can be accessed as 'variables.foo'.
+	// - 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
+	// See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
+	// - 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
+	// request resource.
+	//
+	// The `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the
+	// object. No other metadata properties are accessible.
+	//
+	// Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.
+	// Required.
 	Expression *string `json:"expression,omitempty"`
 }

--- a/applyconfigurations/admissionregistration/v1beta1/auditannotation.go
+++ b/applyconfigurations/admissionregistration/v1beta1/auditannotation.go
@@ -20,8 +20,40 @@ package v1beta1

 // AuditAnnotationApplyConfiguration represents a declarative configuration of the AuditAnnotation type for use
 // with apply.
+//
+// AuditAnnotation describes how to produce an audit annotation for an API request.
 type AuditAnnotationApplyConfiguration struct {
-	Key             *string `json:"key,omitempty"`
+	// key specifies the audit annotation key. The audit annotation keys of
+	// a ValidatingAdmissionPolicy must be unique. The key must be a qualified
+	// name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.
+	//
+	// The key is combined with the resource name of the
+	// ValidatingAdmissionPolicy to construct an audit annotation key:
+	// "{ValidatingAdmissionPolicy name}/{key}".
+	//
+	// If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy
+	// and the same audit annotation key, the annotation key will be identical.
+	// In this case, the first annotation written with the key will be included
+	// in the audit event and all subsequent annotations with the same key
+	// will be discarded.
+	//
+	// Required.
+	Key *string `json:"key,omitempty"`
+	// valueExpression represents the expression which is evaluated by CEL to
+	// produce an audit annotation value. The expression must evaluate to either
+	// a string or null value. If the expression evaluates to a string, the
+	// audit annotation is included with the string value. If the expression
+	// evaluates to null or empty string the audit annotation will be omitted.
+	// The valueExpression may be no longer than 5kb in length.
+	// If the result of the valueExpression is more than 10kb in length, it
+	// will be truncated to 10kb.
+	//
+	// If multiple ValidatingAdmissionPolicyBinding resources match an
+	// API request, then the valueExpression will be evaluated for
+	// each binding. All unique values produced by the valueExpressions
+	// will be joined together in a comma-separated list.
+	//
+	// Required.
 	ValueExpression *string `json:"valueExpression,omitempty"`
 }

--- a/applyconfigurations/admissionregistration/v1beta1/expressionwarning.go
+++ b/applyconfigurations/admissionregistration/v1beta1/expressionwarning.go
@@ -20,9 +20,17 @@ package v1beta1

 // ExpressionWarningApplyConfiguration represents a declarative configuration of the ExpressionWarning type for use
 // with apply.
+//
+// ExpressionWarning is a warning information that targets a specific expression.
 type ExpressionWarningApplyConfiguration struct {
+	// The path to the field that refers the expression.
+	// For example, the reference to the expression of the first item of
+	// validations is "spec.validations[0].expression"
 	FieldRef *string `json:"fieldRef,omitempty"`
-	Warning  *string `json:"warning,omitempty"`
+	// The content of type checking information in a human-readable form.
+	// Each line of the warning contains the type that the expression is checked
+	// against, followed by the type check error from the compiler.
+	Warning *string `json:"warning,omitempty"`
 }

 // ExpressionWarningApplyConfiguration constructs a declarative configuration of the ExpressionWarning type for use with
--- a/applyconfigurations/admissionregistration/v1beta1/jsonpatch.go
+++ b/applyconfigurations/admissionregistration/v1beta1/jsonpatch.go
@@ -20,7 +20,73 @@ package v1beta1

 // JSONPatchApplyConfiguration represents a declarative configuration of the JSONPatch type for use
 // with apply.
+//
+// JSONPatch defines a JSON Patch.
 type JSONPatchApplyConfiguration struct {
+	// expression will be evaluated by CEL to create a [JSON patch](https://jsonpatch.com/).
+	// ref: https://github.com/google/cel-spec
+	//
+	// expression must return an array of JSONPatch values.
+	//
+	// For example, this CEL expression returns a JSON patch to conditionally modify a value:
+	//
+	// [
+	// JSONPatch{op: "test", path: "/spec/example", value: "Red"},
+	// JSONPatch{op: "replace", path: "/spec/example", value: "Green"}
+	// ]
+	//
+	// To define an object for the patch value, use Object types. For example:
+	//
+	// [
+	// JSONPatch{
+	// op: "add",
+	// path: "/spec/selector",
+	// value: Object.spec.selector{matchLabels: {"environment": "test"}}
+	// }
+	// ]
+	//
+	// To use strings containing '/' and '~' as JSONPatch path keys, use "jsonpatch.escapeKey". For example:
+	//
+	// [
+	// JSONPatch{
+	// op: "add",
+	// path: "/metadata/labels/" + jsonpatch.escapeKey("example.com/environment"),
+	// value: "test"
+	// },
+	// ]
+	//
+	// CEL expressions have access to the types needed to create JSON patches and objects:
+	//
+	// - 'JSONPatch' - CEL type of JSON Patch operations. JSONPatch has the fields 'op', 'from', 'path' and 'value'.
+	// See [JSON patch](https://jsonpatch.com/) for more details. The 'value' field may be set to any of: string,
+	// integer, array, map or object.  If set, the 'path' and 'from' fields must be set to a
+	// [JSON pointer](https://datatracker.ietf.org/doc/html/rfc6901/) string, where the 'jsonpatch.escapeKey()' CEL
+	// function may be used to escape path keys containing '/' and '~'.
+	// - 'Object' - CEL type of the resource object.
+	// - 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec')
+	// - 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')
+	//
+	// CEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:
+	//
+	// - 'object' - The object from the incoming request. The value is null for DELETE requests.
+	// - 'oldObject' - The existing object. The value is null for CREATE requests.
+	// - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
+	// - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.
+	// - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.
+	// - 'variables' - Map of composited variables, from its name to its lazily evaluated value.
+	// For example, a variable named 'foo' can be accessed as 'variables.foo'.
+	// - 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
+	// See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
+	// - 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
+	// request resource.
+	//
+	// CEL expressions have access to [Kubernetes CEL function libraries](https://kubernetes.io/docs/reference/using-api/cel/#cel-options-language-features-and-libraries)
+	// as well as:
+	//
+	// - 'jsonpatch.escapeKey' - Performs JSONPatch key escaping. '~' and  '/' are escaped as '~0' and `~1' respectively).
+	//
+	// Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.
+	// Required.
 	Expression *string `json:"expression,omitempty"`
 }

--- a/applyconfigurations/admissionregistration/v1beta1/matchcondition.go
+++ b/applyconfigurations/admissionregistration/v1beta1/matchcondition.go
@@ -20,8 +20,32 @@ package v1beta1

 // MatchConditionApplyConfiguration represents a declarative configuration of the MatchCondition type for use
 // with apply.
+//
+// MatchCondition represents a condition which must be fulfilled for a request to be sent to a webhook.
 type MatchConditionApplyConfiguration struct {
-	Name       *string `json:"name,omitempty"`
+	// Name is an identifier for this match condition, used for strategic merging of MatchConditions,
+	// as well as providing an identifier for logging purposes. A good name should be descriptive of
+	// the associated expression.
+	// Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
+	// must start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or
+	// '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
+	// optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
+	//
+	// Required.
+	Name *string `json:"name,omitempty"`
+	// Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
+	// CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
+	//
+	// 'object' - The object from the incoming request. The value is null for DELETE requests.
+	// 'oldObject' - The existing object. The value is null for CREATE requests.
+	// 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
+	// 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
+	// See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
+	// 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
+	// request resource.
+	// Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
+	//
+	// Required.
 	Expression *string `json:"expression,omitempty"`
 }

--- a/applyconfigurations/admissionregistration/v1beta1/matchresources.go
+++ b/applyconfigurations/admissionregistration/v1beta1/matchresources.go
@@ -25,12 +25,88 @@ import (

 // MatchResourcesApplyConfiguration represents a declarative configuration of the MatchResources type for use
 // with apply.
+//
+// MatchResources decides whether to run the admission control policy on an object based
+// on whether it meets the match criteria.
+// The exclude rules take precedence over include rules (if a resource matches both, it is excluded)
 type MatchResourcesApplyConfiguration struct {
-	NamespaceSelector    *v1.LabelSelectorApplyConfiguration           `json:"namespaceSelector,omitempty"`
-	ObjectSelector       *v1.LabelSelectorApplyConfiguration           `json:"objectSelector,omitempty"`
-	ResourceRules        []NamedRuleWithOperationsApplyConfiguration   `json:"resourceRules,omitempty"`
-	ExcludeResourceRules []NamedRuleWithOperationsApplyConfiguration   `json:"excludeResourceRules,omitempty"`
-	MatchPolicy          *admissionregistrationv1beta1.MatchPolicyType `json:"matchPolicy,omitempty"`
+	// NamespaceSelector decides whether to run the admission control policy on an object based
+	// on whether the namespace for that object matches the selector. If the
+	// object itself is a namespace, the matching is performed on
+	// object.metadata.labels. If the object is another cluster scoped resource,
+	// it never skips the policy.
+	//
+	// For example, to run the webhook on any objects whose namespace is not
+	// associated with "runlevel" of "0" or "1";  you will set the selector as
+	// follows:
+	// "namespaceSelector": {
+	// "matchExpressions": [
+	// {
+	// "key": "runlevel",
+	// "operator": "NotIn",
+	// "values": [
+	// "0",
+	// "1"
+	// ]
+	// }
+	// ]
+	// }
+	//
+	// If instead you want to only run the policy on any objects whose
+	// namespace is associated with the "environment" of "prod" or "staging";
+	// you will set the selector as follows:
+	// "namespaceSelector": {
+	// "matchExpressions": [
+	// {
+	// "key": "environment",
+	// "operator": "In",
+	// "values": [
+	// "prod",
+	// "staging"
+	// ]
+	// }
+	// ]
+	// }
+	//
+	// See
+	// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+	// for more examples of label selectors.
+	//
+	// Default to the empty LabelSelector, which matches everything.
+	NamespaceSelector *v1.LabelSelectorApplyConfiguration `json:"namespaceSelector,omitempty"`
+	// ObjectSelector decides whether to run the validation based on if the
+	// object has matching labels. objectSelector is evaluated against both
+	// the oldObject and newObject that would be sent to the cel validation, and
+	// is considered to match if either object matches the selector. A null
+	// object (oldObject in the case of create, or newObject in the case of
+	// delete) or an object that cannot have labels (like a
+	// DeploymentRollback or a PodProxyOptions object) is not considered to
+	// match.
+	// Use the object selector only if the webhook is opt-in, because end
+	// users may skip the admission webhook by setting the labels.
+	// Default to the empty LabelSelector, which matches everything.
+	ObjectSelector *v1.LabelSelectorApplyConfiguration `json:"objectSelector,omitempty"`
+	// ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches.
+	// The policy cares about an operation if it matches _any_ Rule.
+	ResourceRules []NamedRuleWithOperationsApplyConfiguration `json:"resourceRules,omitempty"`
+	// ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about.
+	// The exclude rules take precedence over include rules (if a resource matches both, it is excluded)
+	ExcludeResourceRules []NamedRuleWithOperationsApplyConfiguration `json:"excludeResourceRules,omitempty"`
+	// matchPolicy defines how the "MatchResources" list is used to match incoming requests.
+	// Allowed values are "Exact" or "Equivalent".
+	//
+	// - Exact: match a request only if it exactly matches a specified rule.
+	// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
+	// but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
+	// a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.
+	//
+	// - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.
+	// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
+	// and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
+	// a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.
+	//
+	// Defaults to "Equivalent"
+	MatchPolicy *admissionregistrationv1beta1.MatchPolicyType `json:"matchPolicy,omitempty"`
 }

 // MatchResourcesApplyConfiguration constructs a declarative configuration of the MatchResources type for use with
--- a/applyconfigurations/admissionregistration/v1beta1/mutatingadmissionpolicy.go
+++ b/applyconfigurations/admissionregistration/v1beta1/mutatingadmissionpolicy.go
@@ -29,10 +29,14 @@ import (

 // MutatingAdmissionPolicyApplyConfiguration represents a declarative configuration of the MutatingAdmissionPolicy type for use
 // with apply.
+//
+// MutatingAdmissionPolicy describes the definition of an admission mutation policy that mutates the object coming into admission chain.
 type MutatingAdmissionPolicyApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *MutatingAdmissionPolicySpecApplyConfiguration `json:"spec,omitempty"`
+	// Specification of the desired behavior of the MutatingAdmissionPolicy.
+	Spec *MutatingAdmissionPolicySpecApplyConfiguration `json:"spec,omitempty"`
 }

 // MutatingAdmissionPolicy constructs a declarative configuration of the MutatingAdmissionPolicy type for use with
@@ -45,29 +49,14 @@ func MutatingAdmissionPolicy(name string) *MutatingAdmissionPolicyApplyConfigura
 	return b
 }

-// ExtractMutatingAdmissionPolicy extracts the applied configuration owned by fieldManager from
-// mutatingAdmissionPolicy. If no managedFields are found in mutatingAdmissionPolicy for fieldManager, a
-// MutatingAdmissionPolicyApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractMutatingAdmissionPolicyFrom extracts the applied configuration owned by fieldManager from
+// mutatingAdmissionPolicy for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // mutatingAdmissionPolicy must be a unmodified MutatingAdmissionPolicy API object that was retrieved from the Kubernetes API.
-// ExtractMutatingAdmissionPolicy provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractMutatingAdmissionPolicyFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractMutatingAdmissionPolicy(mutatingAdmissionPolicy *admissionregistrationv1beta1.MutatingAdmissionPolicy, fieldManager string) (*MutatingAdmissionPolicyApplyConfiguration, error) {
-	return extractMutatingAdmissionPolicy(mutatingAdmissionPolicy, fieldManager, "")
-}
-
-// ExtractMutatingAdmissionPolicyStatus is the same as ExtractMutatingAdmissionPolicy except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractMutatingAdmissionPolicyStatus(mutatingAdmissionPolicy *admissionregistrationv1beta1.MutatingAdmissionPolicy, fieldManager string) (*MutatingAdmissionPolicyApplyConfiguration, error) {
-	return extractMutatingAdmissionPolicy(mutatingAdmissionPolicy, fieldManager, "status")
-}
-
-func extractMutatingAdmissionPolicy(mutatingAdmissionPolicy *admissionregistrationv1beta1.MutatingAdmissionPolicy, fieldManager string, subresource string) (*MutatingAdmissionPolicyApplyConfiguration, error) {
+func ExtractMutatingAdmissionPolicyFrom(mutatingAdmissionPolicy *admissionregistrationv1beta1.MutatingAdmissionPolicy, fieldManager string, subresource string) (*MutatingAdmissionPolicyApplyConfiguration, error) {
 	b := &MutatingAdmissionPolicyApplyConfiguration{}
 	err := managedfields.ExtractInto(mutatingAdmissionPolicy, internal.Parser().Type("io.k8s.api.admissionregistration.v1beta1.MutatingAdmissionPolicy"), fieldManager, b, subresource)
 	if err != nil {
@@ -79,6 +68,21 @@ func extractMutatingAdmissionPolicy(mutatingAdmissionPolicy *admissionregistrati
 	b.WithAPIVersion("admissionregistration.k8s.io/v1beta1")
 	return b, nil
 }
+
+// ExtractMutatingAdmissionPolicy extracts the applied configuration owned by fieldManager from
+// mutatingAdmissionPolicy. If no managedFields are found in mutatingAdmissionPolicy for fieldManager, a
+// MutatingAdmissionPolicyApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// mutatingAdmissionPolicy must be a unmodified MutatingAdmissionPolicy API object that was retrieved from the Kubernetes API.
+// ExtractMutatingAdmissionPolicy provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractMutatingAdmissionPolicy(mutatingAdmissionPolicy *admissionregistrationv1beta1.MutatingAdmissionPolicy, fieldManager string) (*MutatingAdmissionPolicyApplyConfiguration, error) {
+	return ExtractMutatingAdmissionPolicyFrom(mutatingAdmissionPolicy, fieldManager, "")
+}
+
 func (b MutatingAdmissionPolicyApplyConfiguration) IsApplyConfiguration() {}

 // WithKind sets the Kind field in the declarative configuration to the given value
--- a/applyconfigurations/admissionregistration/v1beta1/mutatingadmissionpolicybinding.go
+++ b/applyconfigurations/admissionregistration/v1beta1/mutatingadmissionpolicybinding.go
@@ -29,10 +29,24 @@ import (

 // MutatingAdmissionPolicyBindingApplyConfiguration represents a declarative configuration of the MutatingAdmissionPolicyBinding type for use
 // with apply.
+//
+// MutatingAdmissionPolicyBinding binds the MutatingAdmissionPolicy with parametrized resources.
+// MutatingAdmissionPolicyBinding and the optional parameter resource together define how cluster administrators
+// configure policies for clusters.
+//
+// For a given admission request, each binding will cause its policy to be
+// evaluated N times, where N is 1 for policies/bindings that don't use
+// params, otherwise N is the number of parameters selected by the binding.
+// Each evaluation is constrained by a [runtime cost budget](https://kubernetes.io/docs/reference/using-api/cel/#runtime-cost-budget).
+//
+// Adding/removing policies, bindings, or params can not affect whether a
+// given (policy, binding, param) combination is within its own CEL budget.
 type MutatingAdmissionPolicyBindingApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *MutatingAdmissionPolicyBindingSpecApplyConfiguration `json:"spec,omitempty"`
+	// Specification of the desired behavior of the MutatingAdmissionPolicyBinding.
+	Spec *MutatingAdmissionPolicyBindingSpecApplyConfiguration `json:"spec,omitempty"`
 }

 // MutatingAdmissionPolicyBinding constructs a declarative configuration of the MutatingAdmissionPolicyBinding type for use with
@@ -45,29 +59,14 @@ func MutatingAdmissionPolicyBinding(name string) *MutatingAdmissionPolicyBinding
 	return b
 }

-// ExtractMutatingAdmissionPolicyBinding extracts the applied configuration owned by fieldManager from
-// mutatingAdmissionPolicyBinding. If no managedFields are found in mutatingAdmissionPolicyBinding for fieldManager, a
-// MutatingAdmissionPolicyBindingApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractMutatingAdmissionPolicyBindingFrom extracts the applied configuration owned by fieldManager from
+// mutatingAdmissionPolicyBinding for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // mutatingAdmissionPolicyBinding must be a unmodified MutatingAdmissionPolicyBinding API object that was retrieved from the Kubernetes API.
-// ExtractMutatingAdmissionPolicyBinding provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractMutatingAdmissionPolicyBindingFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractMutatingAdmissionPolicyBinding(mutatingAdmissionPolicyBinding *admissionregistrationv1beta1.MutatingAdmissionPolicyBinding, fieldManager string) (*MutatingAdmissionPolicyBindingApplyConfiguration, error) {
-	return extractMutatingAdmissionPolicyBinding(mutatingAdmissionPolicyBinding, fieldManager, "")
-}
-
-// ExtractMutatingAdmissionPolicyBindingStatus is the same as ExtractMutatingAdmissionPolicyBinding except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractMutatingAdmissionPolicyBindingStatus(mutatingAdmissionPolicyBinding *admissionregistrationv1beta1.MutatingAdmissionPolicyBinding, fieldManager string) (*MutatingAdmissionPolicyBindingApplyConfiguration, error) {
-	return extractMutatingAdmissionPolicyBinding(mutatingAdmissionPolicyBinding, fieldManager, "status")
-}
-
-func extractMutatingAdmissionPolicyBinding(mutatingAdmissionPolicyBinding *admissionregistrationv1beta1.MutatingAdmissionPolicyBinding, fieldManager string, subresource string) (*MutatingAdmissionPolicyBindingApplyConfiguration, error) {
+func ExtractMutatingAdmissionPolicyBindingFrom(mutatingAdmissionPolicyBinding *admissionregistrationv1beta1.MutatingAdmissionPolicyBinding, fieldManager string, subresource string) (*MutatingAdmissionPolicyBindingApplyConfiguration, error) {
 	b := &MutatingAdmissionPolicyBindingApplyConfiguration{}
 	err := managedfields.ExtractInto(mutatingAdmissionPolicyBinding, internal.Parser().Type("io.k8s.api.admissionregistration.v1beta1.MutatingAdmissionPolicyBinding"), fieldManager, b, subresource)
 	if err != nil {
@@ -79,6 +78,21 @@ func extractMutatingAdmissionPolicyBinding(mutatingAdmissionPolicyBinding *admis
 	b.WithAPIVersion("admissionregistration.k8s.io/v1beta1")
 	return b, nil
 }
+
+// ExtractMutatingAdmissionPolicyBinding extracts the applied configuration owned by fieldManager from
+// mutatingAdmissionPolicyBinding. If no managedFields are found in mutatingAdmissionPolicyBinding for fieldManager, a
+// MutatingAdmissionPolicyBindingApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// mutatingAdmissionPolicyBinding must be a unmodified MutatingAdmissionPolicyBinding API object that was retrieved from the Kubernetes API.
+// ExtractMutatingAdmissionPolicyBinding provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractMutatingAdmissionPolicyBinding(mutatingAdmissionPolicyBinding *admissionregistrationv1beta1.MutatingAdmissionPolicyBinding, fieldManager string) (*MutatingAdmissionPolicyBindingApplyConfiguration, error) {
+	return ExtractMutatingAdmissionPolicyBindingFrom(mutatingAdmissionPolicyBinding, fieldManager, "")
+}
+
 func (b MutatingAdmissionPolicyBindingApplyConfiguration) IsApplyConfiguration() {}

 // WithKind sets the Kind field in the declarative configuration to the given value
--- a/applyconfigurations/admissionregistration/v1beta1/mutatingadmissionpolicybindingspec.go
+++ b/applyconfigurations/admissionregistration/v1beta1/mutatingadmissionpolicybindingspec.go
@@ -20,9 +20,27 @@ package v1beta1

 // MutatingAdmissionPolicyBindingSpecApplyConfiguration represents a declarative configuration of the MutatingAdmissionPolicyBindingSpec type for use
 // with apply.
+//
+// MutatingAdmissionPolicyBindingSpec is the specification of the MutatingAdmissionPolicyBinding.
 type MutatingAdmissionPolicyBindingSpecApplyConfiguration struct {
-	PolicyName     *string                           `json:"policyName,omitempty"`
-	ParamRef       *ParamRefApplyConfiguration       `json:"paramRef,omitempty"`
+	// policyName references a MutatingAdmissionPolicy name which the MutatingAdmissionPolicyBinding binds to.
+	// If the referenced resource does not exist, this binding is considered invalid and will be ignored
+	// Required.
+	PolicyName *string `json:"policyName,omitempty"`
+	// paramRef specifies the parameter resource used to configure the admission control policy.
+	// It should point to a resource of the type specified in spec.ParamKind of the bound MutatingAdmissionPolicy.
+	// If the policy specifies a ParamKind and the resource referred to by ParamRef does not exist, this binding is considered mis-configured and the FailurePolicy of the MutatingAdmissionPolicy applied.
+	// If the policy does not specify a ParamKind then this field is ignored, and the rules are evaluated without a param.
+	ParamRef *ParamRefApplyConfiguration `json:"paramRef,omitempty"`
+	// matchResources limits what resources match this binding and may be mutated by it.
+	// Note that if matchResources matches a resource, the resource must also match a policy's matchConstraints and
+	// matchConditions before the resource may be mutated.
+	// When matchResources is unset, it does not constrain resource matching, and only the policy's matchConstraints
+	// and matchConditions must match for the resource to be mutated.
+	// Additionally, matchResources.resourceRules are optional and do not constraint matching when unset.
+	// Note that this is differs from MutatingAdmissionPolicy matchConstraints, where resourceRules are required.
+	// The CREATE, UPDATE and CONNECT operations are allowed.  The DELETE operation may not be matched.
+	// '*' matches CREATE, UPDATE and CONNECT.
 	MatchResources *MatchResourcesApplyConfiguration `json:"matchResources,omitempty"`
 }

--- a/applyconfigurations/admissionregistration/v1beta1/mutatingadmissionpolicyspec.go
+++ b/applyconfigurations/admissionregistration/v1beta1/mutatingadmissionpolicyspec.go
@@ -25,14 +25,74 @@ import (

 // MutatingAdmissionPolicySpecApplyConfiguration represents a declarative configuration of the MutatingAdmissionPolicySpec type for use
 // with apply.
+//
+// MutatingAdmissionPolicySpec is the specification of the desired behavior of the admission policy.
 type MutatingAdmissionPolicySpecApplyConfiguration struct {
-	ParamKind          *ParamKindApplyConfiguration                    `json:"paramKind,omitempty"`
-	MatchConstraints   *MatchResourcesApplyConfiguration               `json:"matchConstraints,omitempty"`
-	Variables          []VariableApplyConfiguration                    `json:"variables,omitempty"`
-	Mutations          []MutationApplyConfiguration                    `json:"mutations,omitempty"`
-	FailurePolicy      *admissionregistrationv1beta1.FailurePolicyType `json:"failurePolicy,omitempty"`
-	MatchConditions    []MatchConditionApplyConfiguration              `json:"matchConditions,omitempty"`
-	ReinvocationPolicy *v1.ReinvocationPolicyType                      `json:"reinvocationPolicy,omitempty"`
+	// paramKind specifies the kind of resources used to parameterize this policy.
+	// If absent, there are no parameters for this policy and the param CEL variable will not be provided to validation expressions.
+	// If paramKind refers to a non-existent kind, this policy definition is mis-configured and the FailurePolicy is applied.
+	// If paramKind is specified but paramRef is unset in MutatingAdmissionPolicyBinding, the params variable will be null.
+	ParamKind *ParamKindApplyConfiguration `json:"paramKind,omitempty"`
+	// matchConstraints specifies what resources this policy is designed to validate.
+	// The MutatingAdmissionPolicy cares about a request if it matches _all_ Constraints.
+	// However, in order to prevent clusters from being put into an unstable state that cannot be recovered from via the API
+	// MutatingAdmissionPolicy cannot match MutatingAdmissionPolicy and MutatingAdmissionPolicyBinding.
+	// The CREATE, UPDATE and CONNECT operations are allowed.  The DELETE operation may not be matched.
+	// '*' matches CREATE, UPDATE and CONNECT.
+	// Required.
+	MatchConstraints *MatchResourcesApplyConfiguration `json:"matchConstraints,omitempty"`
+	// variables contain definitions of variables that can be used in composition of other expressions.
+	// Each variable is defined as a named CEL expression.
+	// The variables defined here will be available under `variables` in other expressions of the policy
+	// except matchConditions because matchConditions are evaluated before the rest of the policy.
+	//
+	// The expression of a variable can refer to other variables defined earlier in the list but not those after.
+	// Thus, variables must be sorted by the order of first appearance and acyclic.
+	Variables []VariableApplyConfiguration `json:"variables,omitempty"`
+	// mutations contain operations to perform on matching objects.
+	// mutations may not be empty; a minimum of one mutation is required.
+	// mutations are evaluated in order, and are reinvoked according to
+	// the reinvocationPolicy.
+	// The mutations of a policy are invoked for each binding of this policy
+	// and reinvocation of mutations occurs on a per binding basis.
+	Mutations []MutationApplyConfiguration `json:"mutations,omitempty"`
+	// failurePolicy defines how to handle failures for the admission policy. Failures can
+	// occur from CEL expression parse errors, type check errors, runtime errors and invalid
+	// or mis-configured policy definitions or bindings.
+	//
+	// A policy is invalid if paramKind refers to a non-existent Kind.
+	// A binding is invalid if paramRef.name refers to a non-existent resource.
+	//
+	// failurePolicy does not define how validations that evaluate to false are handled.
+	//
+	// Allowed values are Ignore or Fail. Defaults to Fail.
+	FailurePolicy *admissionregistrationv1beta1.FailurePolicyType `json:"failurePolicy,omitempty"`
+	// matchConditions is a list of conditions that must be met for a request to be validated.
+	// Match conditions filter requests that have already been matched by the matchConstraints.
+	// An empty list of matchConditions matches all requests.
+	// There are a maximum of 64 match conditions allowed.
+	//
+	// If a parameter object is provided, it can be accessed via the `params` handle in the same
+	// manner as validation expressions.
+	//
+	// The exact matching logic is (in order):
+	// 1. If ANY matchCondition evaluates to FALSE, the policy is skipped.
+	// 2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.
+	// 3. If any matchCondition evaluates to an error (but none are FALSE):
+	// - If failurePolicy=Fail, reject the request
+	// - If failurePolicy=Ignore, the policy is skipped
+	MatchConditions []MatchConditionApplyConfiguration `json:"matchConditions,omitempty"`
+	// reinvocationPolicy indicates whether mutations may be called multiple times per MutatingAdmissionPolicyBinding
+	// as part of a single admission evaluation.
+	// Allowed values are "Never" and "IfNeeded".
+	//
+	// Never: These mutations will not be called more than once per binding in a single admission evaluation.
+	//
+	// IfNeeded: These mutations may be invoked more than once per binding for a single admission request and there is no guarantee of
+	// order with respect to other admission plugins, admission webhooks, bindings of this policy and admission policies.  Mutations are only
+	// reinvoked when mutations change the object after this mutation is invoked.
+	// Required.
+	ReinvocationPolicy *v1.ReinvocationPolicyType `json:"reinvocationPolicy,omitempty"`
 }

 // MutatingAdmissionPolicySpecApplyConfiguration constructs a declarative configuration of the MutatingAdmissionPolicySpec type for use with
--- a/applyconfigurations/admissionregistration/v1beta1/mutatingwebhook.go
+++ b/applyconfigurations/admissionregistration/v1beta1/mutatingwebhook.go
@@ -27,19 +27,149 @@ import (

 // MutatingWebhookApplyConfiguration represents a declarative configuration of the MutatingWebhook type for use
 // with apply.
+//
+// MutatingWebhook describes an admission webhook and the resources and operations it applies to.
 type MutatingWebhookApplyConfiguration struct {
-	Name                    *string                                         `json:"name,omitempty"`
-	ClientConfig            *WebhookClientConfigApplyConfiguration          `json:"clientConfig,omitempty"`
-	Rules                   []v1.RuleWithOperationsApplyConfiguration       `json:"rules,omitempty"`
-	FailurePolicy           *admissionregistrationv1beta1.FailurePolicyType `json:"failurePolicy,omitempty"`
-	MatchPolicy             *admissionregistrationv1beta1.MatchPolicyType   `json:"matchPolicy,omitempty"`
-	NamespaceSelector       *metav1.LabelSelectorApplyConfiguration         `json:"namespaceSelector,omitempty"`
-	ObjectSelector          *metav1.LabelSelectorApplyConfiguration         `json:"objectSelector,omitempty"`
-	SideEffects             *admissionregistrationv1beta1.SideEffectClass   `json:"sideEffects,omitempty"`
-	TimeoutSeconds          *int32                                          `json:"timeoutSeconds,omitempty"`
-	AdmissionReviewVersions []string                                        `json:"admissionReviewVersions,omitempty"`
-	ReinvocationPolicy      *admissionregistrationv1.ReinvocationPolicyType `json:"reinvocationPolicy,omitempty"`
-	MatchConditions         []MatchConditionApplyConfiguration              `json:"matchConditions,omitempty"`
+	// The name of the admission webhook.
+	// Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where
+	// "imagepolicy" is the name of the webhook, and kubernetes.io is the name
+	// of the organization.
+	// Required.
+	Name *string `json:"name,omitempty"`
+	// ClientConfig defines how to communicate with the hook.
+	// Required
+	ClientConfig *WebhookClientConfigApplyConfiguration `json:"clientConfig,omitempty"`
+	// Rules describes what operations on what resources/subresources the webhook cares about.
+	// The webhook cares about an operation if it matches _any_ Rule.
+	// However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks
+	// from putting the cluster in a state which cannot be recovered from without completely
+	// disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called
+	// on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects.
+	Rules []v1.RuleWithOperationsApplyConfiguration `json:"rules,omitempty"`
+	// FailurePolicy defines how unrecognized errors from the admission endpoint are handled -
+	// allowed values are Ignore or Fail. Defaults to Ignore.
+	FailurePolicy *admissionregistrationv1beta1.FailurePolicyType `json:"failurePolicy,omitempty"`
+	// matchPolicy defines how the "rules" list is used to match incoming requests.
+	// Allowed values are "Exact" or "Equivalent".
+	//
+	// - Exact: match a request only if it exactly matches a specified rule.
+	// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
+	// but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
+	// a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.
+	//
+	// - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.
+	// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
+	// and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
+	// a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.
+	//
+	// Defaults to "Exact"
+	MatchPolicy *admissionregistrationv1beta1.MatchPolicyType `json:"matchPolicy,omitempty"`
+	// NamespaceSelector decides whether to run the webhook on an object based
+	// on whether the namespace for that object matches the selector. If the
+	// object itself is a namespace, the matching is performed on
+	// object.metadata.labels. If the object is another cluster scoped resource,
+	// it never skips the webhook.
+	//
+	// For example, to run the webhook on any objects whose namespace is not
+	// associated with "runlevel" of "0" or "1";  you will set the selector as
+	// follows:
+	// "namespaceSelector": {
+	// "matchExpressions": [
+	// {
+	// "key": "runlevel",
+	// "operator": "NotIn",
+	// "values": [
+	// "0",
+	// "1"
+	// ]
+	// }
+	// ]
+	// }
+	//
+	// If instead you want to only run the webhook on any objects whose
+	// namespace is associated with the "environment" of "prod" or "staging";
+	// you will set the selector as follows:
+	// "namespaceSelector": {
+	// "matchExpressions": [
+	// {
+	// "key": "environment",
+	// "operator": "In",
+	// "values": [
+	// "prod",
+	// "staging"
+	// ]
+	// }
+	// ]
+	// }
+	//
+	// See
+	// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+	// for more examples of label selectors.
+	//
+	// Default to the empty LabelSelector, which matches everything.
+	NamespaceSelector *metav1.LabelSelectorApplyConfiguration `json:"namespaceSelector,omitempty"`
+	// ObjectSelector decides whether to run the webhook based on if the
+	// object has matching labels. objectSelector is evaluated against both
+	// the oldObject and newObject that would be sent to the webhook, and
+	// is considered to match if either object matches the selector. A null
+	// object (oldObject in the case of create, or newObject in the case of
+	// delete) or an object that cannot have labels (like a
+	// DeploymentRollback or a PodProxyOptions object) is not considered to
+	// match.
+	// Use the object selector only if the webhook is opt-in, because end
+	// users may skip the admission webhook by setting the labels.
+	// Default to the empty LabelSelector, which matches everything.
+	ObjectSelector *metav1.LabelSelectorApplyConfiguration `json:"objectSelector,omitempty"`
+	// SideEffects states whether this webhook has side effects.
+	// Acceptable values are: Unknown, None, Some, NoneOnDryRun
+	// Webhooks with side effects MUST implement a reconciliation system, since a request may be
+	// rejected by a future step in the admission chain and the side effects therefore need to be undone.
+	// Requests with the dryRun attribute will be auto-rejected if they match a webhook with
+	// sideEffects == Unknown or Some. Defaults to Unknown.
+	SideEffects *admissionregistrationv1beta1.SideEffectClass `json:"sideEffects,omitempty"`
+	// TimeoutSeconds specifies the timeout for this webhook. After the timeout passes,
+	// the webhook call will be ignored or the API call will fail based on the
+	// failure policy.
+	// The timeout value must be between 1 and 30 seconds.
+	// Default to 30 seconds.
+	TimeoutSeconds *int32 `json:"timeoutSeconds,omitempty"`
+	// AdmissionReviewVersions is an ordered list of preferred `AdmissionReview`
+	// versions the Webhook expects. API server will try to use first version in
+	// the list which it supports. If none of the versions specified in this list
+	// supported by API server, validation will fail for this object.
+	// If a persisted webhook configuration specifies allowed versions and does not
+	// include any versions known to the API Server, calls to the webhook will fail
+	// and be subject to the failure policy.
+	// Default to `['v1beta1']`.
+	AdmissionReviewVersions []string `json:"admissionReviewVersions,omitempty"`
+	// reinvocationPolicy indicates whether this webhook should be called multiple times as part of a single admission evaluation.
+	// Allowed values are "Never" and "IfNeeded".
+	//
+	// Never: the webhook will not be called more than once in a single admission evaluation.
+	//
+	// IfNeeded: the webhook will be called at least one additional time as part of the admission evaluation
+	// if the object being admitted is modified by other admission plugins after the initial webhook call.
+	// Webhooks that specify this option *must* be idempotent, able to process objects they previously admitted.
+	// Note:
+	// * the number of additional invocations is not guaranteed to be exactly one.
+	// * if additional invocations result in further modifications to the object, webhooks are not guaranteed to be invoked again.
+	// * webhooks that use this option may be reordered to minimize the number of additional invocations.
+	// * to validate an object after all mutations are guaranteed complete, use a validating admission webhook instead.
+	//
+	// Defaults to "Never".
+	ReinvocationPolicy *admissionregistrationv1.ReinvocationPolicyType `json:"reinvocationPolicy,omitempty"`
+	// MatchConditions is a list of conditions that must be met for a request to be sent to this
+	// webhook. Match conditions filter requests that have already been matched by the rules,
+	// namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.
+	// There are a maximum of 64 match conditions allowed.
+	//
+	// The exact matching logic is (in order):
+	// 1. If ANY matchCondition evaluates to FALSE, the webhook is skipped.
+	// 2. If ALL matchConditions evaluate to TRUE, the webhook is called.
+	// 3. If any matchCondition evaluates to an error (but none are FALSE):
+	// - If failurePolicy=Fail, reject the request
+	// - If failurePolicy=Ignore, the error is ignored and the webhook is skipped
+	MatchConditions []MatchConditionApplyConfiguration `json:"matchConditions,omitempty"`
 }

 // MutatingWebhookApplyConfiguration constructs a declarative configuration of the MutatingWebhook type for use with
--- a/applyconfigurations/admissionregistration/v1beta1/mutatingwebhookconfiguration.go
+++ b/applyconfigurations/admissionregistration/v1beta1/mutatingwebhookconfiguration.go
@@ -29,10 +29,15 @@ import (

 // MutatingWebhookConfigurationApplyConfiguration represents a declarative configuration of the MutatingWebhookConfiguration type for use
 // with apply.
+//
+// MutatingWebhookConfiguration describes the configuration of and admission webhook that accept or reject and may change the object.
+// Deprecated in v1.16, planned for removal in v1.19. Use admissionregistration.k8s.io/v1 MutatingWebhookConfiguration instead.
 type MutatingWebhookConfigurationApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Webhooks                         []MutatingWebhookApplyConfiguration `json:"webhooks,omitempty"`
+	// Webhooks is a list of webhooks and the affected resources and operations.
+	Webhooks []MutatingWebhookApplyConfiguration `json:"webhooks,omitempty"`
 }

 // MutatingWebhookConfiguration constructs a declarative configuration of the MutatingWebhookConfiguration type for use with
@@ -45,29 +50,14 @@ func MutatingWebhookConfiguration(name string) *MutatingWebhookConfigurationAppl
 	return b
 }

-// ExtractMutatingWebhookConfiguration extracts the applied configuration owned by fieldManager from
-// mutatingWebhookConfiguration. If no managedFields are found in mutatingWebhookConfiguration for fieldManager, a
-// MutatingWebhookConfigurationApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractMutatingWebhookConfigurationFrom extracts the applied configuration owned by fieldManager from
+// mutatingWebhookConfiguration for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // mutatingWebhookConfiguration must be a unmodified MutatingWebhookConfiguration API object that was retrieved from the Kubernetes API.
-// ExtractMutatingWebhookConfiguration provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractMutatingWebhookConfigurationFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractMutatingWebhookConfiguration(mutatingWebhookConfiguration *admissionregistrationv1beta1.MutatingWebhookConfiguration, fieldManager string) (*MutatingWebhookConfigurationApplyConfiguration, error) {
-	return extractMutatingWebhookConfiguration(mutatingWebhookConfiguration, fieldManager, "")
-}
-
-// ExtractMutatingWebhookConfigurationStatus is the same as ExtractMutatingWebhookConfiguration except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractMutatingWebhookConfigurationStatus(mutatingWebhookConfiguration *admissionregistrationv1beta1.MutatingWebhookConfiguration, fieldManager string) (*MutatingWebhookConfigurationApplyConfiguration, error) {
-	return extractMutatingWebhookConfiguration(mutatingWebhookConfiguration, fieldManager, "status")
-}
-
-func extractMutatingWebhookConfiguration(mutatingWebhookConfiguration *admissionregistrationv1beta1.MutatingWebhookConfiguration, fieldManager string, subresource string) (*MutatingWebhookConfigurationApplyConfiguration, error) {
+func ExtractMutatingWebhookConfigurationFrom(mutatingWebhookConfiguration *admissionregistrationv1beta1.MutatingWebhookConfiguration, fieldManager string, subresource string) (*MutatingWebhookConfigurationApplyConfiguration, error) {
 	b := &MutatingWebhookConfigurationApplyConfiguration{}
 	err := managedfields.ExtractInto(mutatingWebhookConfiguration, internal.Parser().Type("io.k8s.api.admissionregistration.v1beta1.MutatingWebhookConfiguration"), fieldManager, b, subresource)
 	if err != nil {
@@ -79,6 +69,21 @@ func extractMutatingWebhookConfiguration(mutatingWebhookConfiguration *admission
 	b.WithAPIVersion("admissionregistration.k8s.io/v1beta1")
 	return b, nil
 }
+
+// ExtractMutatingWebhookConfiguration extracts the applied configuration owned by fieldManager from
+// mutatingWebhookConfiguration. If no managedFields are found in mutatingWebhookConfiguration for fieldManager, a
+// MutatingWebhookConfigurationApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// mutatingWebhookConfiguration must be a unmodified MutatingWebhookConfiguration API object that was retrieved from the Kubernetes API.
+// ExtractMutatingWebhookConfiguration provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractMutatingWebhookConfiguration(mutatingWebhookConfiguration *admissionregistrationv1beta1.MutatingWebhookConfiguration, fieldManager string) (*MutatingWebhookConfigurationApplyConfiguration, error) {
+	return ExtractMutatingWebhookConfigurationFrom(mutatingWebhookConfiguration, fieldManager, "")
+}
+
 func (b MutatingWebhookConfigurationApplyConfiguration) IsApplyConfiguration() {}

 // WithKind sets the Kind field in the declarative configuration to the given value
--- a/applyconfigurations/admissionregistration/v1beta1/mutation.go
+++ b/applyconfigurations/admissionregistration/v1beta1/mutation.go
@@ -24,10 +24,21 @@ import (

 // MutationApplyConfiguration represents a declarative configuration of the Mutation type for use
 // with apply.
+//
+// Mutation specifies the CEL expression which is used to apply the Mutation.
 type MutationApplyConfiguration struct {
-	PatchType          *admissionregistrationv1beta1.PatchType `json:"patchType,omitempty"`
-	ApplyConfiguration *ApplyConfigurationApplyConfiguration   `json:"applyConfiguration,omitempty"`
-	JSONPatch          *JSONPatchApplyConfiguration            `json:"jsonPatch,omitempty"`
+	// patchType indicates the patch strategy used.
+	// Allowed values are "ApplyConfiguration" and "JSONPatch".
+	// Required.
+	PatchType *admissionregistrationv1beta1.PatchType `json:"patchType,omitempty"`
+	// applyConfiguration defines the desired configuration values of an object.
+	// The configuration is applied to the admission object using
+	// [structured merge diff](https://github.com/kubernetes-sigs/structured-merge-diff).
+	// A CEL expression is used to create apply configuration.
+	ApplyConfiguration *ApplyConfigurationApplyConfiguration `json:"applyConfiguration,omitempty"`
+	// jsonPatch defines a [JSON patch](https://jsonpatch.com/) operation to perform a mutation to the object.
+	// A CEL expression is used to create the JSON patch.
+	JSONPatch *JSONPatchApplyConfiguration `json:"jsonPatch,omitempty"`
 }

 // MutationApplyConfiguration constructs a declarative configuration of the Mutation type for use with
--- a/applyconfigurations/admissionregistration/v1beta1/namedrulewithoperations.go
+++ b/applyconfigurations/admissionregistration/v1beta1/namedrulewithoperations.go
@@ -25,8 +25,12 @@ import (

 // NamedRuleWithOperationsApplyConfiguration represents a declarative configuration of the NamedRuleWithOperations type for use
 // with apply.
+//
+// NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.
 type NamedRuleWithOperationsApplyConfiguration struct {
-	ResourceNames                           []string `json:"resourceNames,omitempty"`
+	// ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.
+	ResourceNames []string `json:"resourceNames,omitempty"`
+	// RuleWithOperations is a tuple of Operations and Resources.
 	v1.RuleWithOperationsApplyConfiguration `json:",inline"`
 }

--- a/applyconfigurations/admissionregistration/v1beta1/paramkind.go
+++ b/applyconfigurations/admissionregistration/v1beta1/paramkind.go
@@ -20,9 +20,16 @@ package v1beta1

 // ParamKindApplyConfiguration represents a declarative configuration of the ParamKind type for use
 // with apply.
+//
+// ParamKind is a tuple of Group Kind and Version.
 type ParamKindApplyConfiguration struct {
+	// APIVersion is the API group version the resources belong to.
+	// In format of "group/version".
+	// Required.
 	APIVersion *string `json:"apiVersion,omitempty"`
-	Kind       *string `json:"kind,omitempty"`
+	// Kind is the API kind the resources belong to.
+	// Required.
+	Kind *string `json:"kind,omitempty"`
 }

 // ParamKindApplyConfiguration constructs a declarative configuration of the ParamKind type for use with
--- a/applyconfigurations/admissionregistration/v1beta1/paramref.go
+++ b/applyconfigurations/admissionregistration/v1beta1/paramref.go
@@ -25,10 +25,53 @@ import (

 // ParamRefApplyConfiguration represents a declarative configuration of the ParamRef type for use
 // with apply.
+//
+// ParamRef describes how to locate the params to be used as input to
+// expressions of rules applied by a policy binding.
 type ParamRefApplyConfiguration struct {
-	Name                    *string                                                   `json:"name,omitempty"`
-	Namespace               *string                                                   `json:"namespace,omitempty"`
-	Selector                *v1.LabelSelectorApplyConfiguration                       `json:"selector,omitempty"`
+	// name is the name of the resource being referenced.
+	//
+	// One of `name` or `selector` must be set, but `name` and `selector` are
+	// mutually exclusive properties. If one is set, the other must be unset.
+	//
+	// A single parameter used for all admission requests can be configured
+	// by setting the `name` field, leaving `selector` blank, and setting namespace
+	// if `paramKind` is namespace-scoped.
+	Name *string `json:"name,omitempty"`
+	// namespace is the namespace of the referenced resource. Allows limiting
+	// the search for params to a specific namespace. Applies to both `name` and
+	// `selector` fields.
+	//
+	// A per-namespace parameter may be used by specifying a namespace-scoped
+	// `paramKind` in the policy and leaving this field empty.
+	//
+	// - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this
+	// field results in a configuration error.
+	//
+	// - If `paramKind` is namespace-scoped, the namespace of the object being
+	// evaluated for admission will be used when this field is left unset. Take
+	// care that if this is left empty the binding must not match any cluster-scoped
+	// resources, which will result in an error.
+	Namespace *string `json:"namespace,omitempty"`
+	// selector can be used to match multiple param objects based on their labels.
+	// Supply selector: {} to match all resources of the ParamKind.
+	//
+	// If multiple params are found, they are all evaluated with the policy expressions
+	// and the results are ANDed together.
+	//
+	// One of `name` or `selector` must be set, but `name` and `selector` are
+	// mutually exclusive properties. If one is set, the other must be unset.
+	Selector *v1.LabelSelectorApplyConfiguration `json:"selector,omitempty"`
+	// `parameterNotFoundAction` controls the behavior of the binding when the resource
+	// exists, and name or selector is valid, but there are no parameters
+	// matched by the binding. If the value is set to `Allow`, then no
+	// matched parameters will be treated as successful validation by the binding.
+	// If set to `Deny`, then no matched parameters will be subject to the
+	// `failurePolicy` of the policy.
+	//
+	// Allowed values are `Allow` or `Deny`
+	//
+	// Required
 	ParameterNotFoundAction *admissionregistrationv1beta1.ParameterNotFoundActionType `json:"parameterNotFoundAction,omitempty"`
 }

--- a/applyconfigurations/admissionregistration/v1beta1/servicereference.go
+++ b/applyconfigurations/admissionregistration/v1beta1/servicereference.go
@@ -20,11 +20,22 @@ package v1beta1

 // ServiceReferenceApplyConfiguration represents a declarative configuration of the ServiceReference type for use
 // with apply.
+//
+// ServiceReference holds a reference to Service.legacy.k8s.io
 type ServiceReferenceApplyConfiguration struct {
+	// `namespace` is the namespace of the service.
+	// Required
 	Namespace *string `json:"namespace,omitempty"`
-	Name      *string `json:"name,omitempty"`
-	Path      *string `json:"path,omitempty"`
-	Port      *int32  `json:"port,omitempty"`
+	// `name` is the name of the service.
+	// Required
+	Name *string `json:"name,omitempty"`
+	// `path` is an optional URL path which will be sent in any request to
+	// this service.
+	Path *string `json:"path,omitempty"`
+	// If specified, the port on the service that hosting webhook.
+	// Default to 443 for backward compatibility.
+	// `port` should be a valid port number (1-65535, inclusive).
+	Port *int32 `json:"port,omitempty"`
 }

 // ServiceReferenceApplyConfiguration constructs a declarative configuration of the ServiceReference type for use with
--- a/applyconfigurations/admissionregistration/v1beta1/typechecking.go
+++ b/applyconfigurations/admissionregistration/v1beta1/typechecking.go
@@ -20,7 +20,11 @@ package v1beta1

 // TypeCheckingApplyConfiguration represents a declarative configuration of the TypeChecking type for use
 // with apply.
+//
+// TypeChecking contains results of type checking the expressions in the
+// ValidatingAdmissionPolicy
 type TypeCheckingApplyConfiguration struct {
+	// The type checking warnings for each expression.
 	ExpressionWarnings []ExpressionWarningApplyConfiguration `json:"expressionWarnings,omitempty"`
 }

--- a/applyconfigurations/admissionregistration/v1beta1/validatingadmissionpolicy.go
+++ b/applyconfigurations/admissionregistration/v1beta1/validatingadmissionpolicy.go
@@ -29,11 +29,19 @@ import (

 // ValidatingAdmissionPolicyApplyConfiguration represents a declarative configuration of the ValidatingAdmissionPolicy type for use
 // with apply.
+//
+// ValidatingAdmissionPolicy describes the definition of an admission validation policy that accepts or rejects an object without changing it.
 type ValidatingAdmissionPolicyApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *ValidatingAdmissionPolicySpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                           *ValidatingAdmissionPolicyStatusApplyConfiguration `json:"status,omitempty"`
+	// Specification of the desired behavior of the ValidatingAdmissionPolicy.
+	Spec *ValidatingAdmissionPolicySpecApplyConfiguration `json:"spec,omitempty"`
+	// The status of the ValidatingAdmissionPolicy, including warnings that are useful to determine if the policy
+	// behaves in the expected way.
+	// Populated by the system.
+	// Read-only.
+	Status *ValidatingAdmissionPolicyStatusApplyConfiguration `json:"status,omitempty"`
 }

 // ValidatingAdmissionPolicy constructs a declarative configuration of the ValidatingAdmissionPolicy type for use with
@@ -46,29 +54,14 @@ func ValidatingAdmissionPolicy(name string) *ValidatingAdmissionPolicyApplyConfi
 	return b
 }

-// ExtractValidatingAdmissionPolicy extracts the applied configuration owned by fieldManager from
-// validatingAdmissionPolicy. If no managedFields are found in validatingAdmissionPolicy for fieldManager, a
-// ValidatingAdmissionPolicyApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractValidatingAdmissionPolicyFrom extracts the applied configuration owned by fieldManager from
+// validatingAdmissionPolicy for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // validatingAdmissionPolicy must be a unmodified ValidatingAdmissionPolicy API object that was retrieved from the Kubernetes API.
-// ExtractValidatingAdmissionPolicy provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractValidatingAdmissionPolicyFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractValidatingAdmissionPolicy(validatingAdmissionPolicy *admissionregistrationv1beta1.ValidatingAdmissionPolicy, fieldManager string) (*ValidatingAdmissionPolicyApplyConfiguration, error) {
-	return extractValidatingAdmissionPolicy(validatingAdmissionPolicy, fieldManager, "")
-}
-
-// ExtractValidatingAdmissionPolicyStatus is the same as ExtractValidatingAdmissionPolicy except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractValidatingAdmissionPolicyStatus(validatingAdmissionPolicy *admissionregistrationv1beta1.ValidatingAdmissionPolicy, fieldManager string) (*ValidatingAdmissionPolicyApplyConfiguration, error) {
-	return extractValidatingAdmissionPolicy(validatingAdmissionPolicy, fieldManager, "status")
-}
-
-func extractValidatingAdmissionPolicy(validatingAdmissionPolicy *admissionregistrationv1beta1.ValidatingAdmissionPolicy, fieldManager string, subresource string) (*ValidatingAdmissionPolicyApplyConfiguration, error) {
+func ExtractValidatingAdmissionPolicyFrom(validatingAdmissionPolicy *admissionregistrationv1beta1.ValidatingAdmissionPolicy, fieldManager string, subresource string) (*ValidatingAdmissionPolicyApplyConfiguration, error) {
 	b := &ValidatingAdmissionPolicyApplyConfiguration{}
 	err := managedfields.ExtractInto(validatingAdmissionPolicy, internal.Parser().Type("io.k8s.api.admissionregistration.v1beta1.ValidatingAdmissionPolicy"), fieldManager, b, subresource)
 	if err != nil {
@@ -80,6 +73,27 @@ func extractValidatingAdmissionPolicy(validatingAdmissionPolicy *admissionregist
 	b.WithAPIVersion("admissionregistration.k8s.io/v1beta1")
 	return b, nil
 }
+
+// ExtractValidatingAdmissionPolicy extracts the applied configuration owned by fieldManager from
+// validatingAdmissionPolicy. If no managedFields are found in validatingAdmissionPolicy for fieldManager, a
+// ValidatingAdmissionPolicyApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// validatingAdmissionPolicy must be a unmodified ValidatingAdmissionPolicy API object that was retrieved from the Kubernetes API.
+// ExtractValidatingAdmissionPolicy provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractValidatingAdmissionPolicy(validatingAdmissionPolicy *admissionregistrationv1beta1.ValidatingAdmissionPolicy, fieldManager string) (*ValidatingAdmissionPolicyApplyConfiguration, error) {
+	return ExtractValidatingAdmissionPolicyFrom(validatingAdmissionPolicy, fieldManager, "")
+}
+
+// ExtractValidatingAdmissionPolicyStatus extracts the applied configuration owned by fieldManager from
+// validatingAdmissionPolicy for the status subresource.
+func ExtractValidatingAdmissionPolicyStatus(validatingAdmissionPolicy *admissionregistrationv1beta1.ValidatingAdmissionPolicy, fieldManager string) (*ValidatingAdmissionPolicyApplyConfiguration, error) {
+	return ExtractValidatingAdmissionPolicyFrom(validatingAdmissionPolicy, fieldManager, "status")
+}
+
 func (b ValidatingAdmissionPolicyApplyConfiguration) IsApplyConfiguration() {}

 // WithKind sets the Kind field in the declarative configuration to the given value
--- a/applyconfigurations/admissionregistration/v1beta1/validatingadmissionpolicybinding.go
+++ b/applyconfigurations/admissionregistration/v1beta1/validatingadmissionpolicybinding.go
@@ -29,10 +29,24 @@ import (

 // ValidatingAdmissionPolicyBindingApplyConfiguration represents a declarative configuration of the ValidatingAdmissionPolicyBinding type for use
 // with apply.
+//
+// ValidatingAdmissionPolicyBinding binds the ValidatingAdmissionPolicy with paramerized resources.
+// ValidatingAdmissionPolicyBinding and parameter CRDs together define how cluster administrators configure policies for clusters.
+//
+// For a given admission request, each binding will cause its policy to be
+// evaluated N times, where N is 1 for policies/bindings that don't use
+// params, otherwise N is the number of parameters selected by the binding.
+//
+// The CEL expressions of a policy must have a computed CEL cost below the maximum
+// CEL budget. Each evaluation of the policy is given an independent CEL cost budget.
+// Adding/removing policies, bindings, or params can not affect whether a
+// given (policy, binding, param) combination is within its own CEL budget.
 type ValidatingAdmissionPolicyBindingApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *ValidatingAdmissionPolicyBindingSpecApplyConfiguration `json:"spec,omitempty"`
+	// Specification of the desired behavior of the ValidatingAdmissionPolicyBinding.
+	Spec *ValidatingAdmissionPolicyBindingSpecApplyConfiguration `json:"spec,omitempty"`
 }

 // ValidatingAdmissionPolicyBinding constructs a declarative configuration of the ValidatingAdmissionPolicyBinding type for use with
@@ -45,29 +59,14 @@ func ValidatingAdmissionPolicyBinding(name string) *ValidatingAdmissionPolicyBin
 	return b
 }

-// ExtractValidatingAdmissionPolicyBinding extracts the applied configuration owned by fieldManager from
-// validatingAdmissionPolicyBinding. If no managedFields are found in validatingAdmissionPolicyBinding for fieldManager, a
-// ValidatingAdmissionPolicyBindingApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractValidatingAdmissionPolicyBindingFrom extracts the applied configuration owned by fieldManager from
+// validatingAdmissionPolicyBinding for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // validatingAdmissionPolicyBinding must be a unmodified ValidatingAdmissionPolicyBinding API object that was retrieved from the Kubernetes API.
-// ExtractValidatingAdmissionPolicyBinding provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractValidatingAdmissionPolicyBindingFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractValidatingAdmissionPolicyBinding(validatingAdmissionPolicyBinding *admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding, fieldManager string) (*ValidatingAdmissionPolicyBindingApplyConfiguration, error) {
-	return extractValidatingAdmissionPolicyBinding(validatingAdmissionPolicyBinding, fieldManager, "")
-}
-
-// ExtractValidatingAdmissionPolicyBindingStatus is the same as ExtractValidatingAdmissionPolicyBinding except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractValidatingAdmissionPolicyBindingStatus(validatingAdmissionPolicyBinding *admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding, fieldManager string) (*ValidatingAdmissionPolicyBindingApplyConfiguration, error) {
-	return extractValidatingAdmissionPolicyBinding(validatingAdmissionPolicyBinding, fieldManager, "status")
-}
-
-func extractValidatingAdmissionPolicyBinding(validatingAdmissionPolicyBinding *admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding, fieldManager string, subresource string) (*ValidatingAdmissionPolicyBindingApplyConfiguration, error) {
+func ExtractValidatingAdmissionPolicyBindingFrom(validatingAdmissionPolicyBinding *admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding, fieldManager string, subresource string) (*ValidatingAdmissionPolicyBindingApplyConfiguration, error) {
 	b := &ValidatingAdmissionPolicyBindingApplyConfiguration{}
 	err := managedfields.ExtractInto(validatingAdmissionPolicyBinding, internal.Parser().Type("io.k8s.api.admissionregistration.v1beta1.ValidatingAdmissionPolicyBinding"), fieldManager, b, subresource)
 	if err != nil {
@@ -79,6 +78,21 @@ func extractValidatingAdmissionPolicyBinding(validatingAdmissionPolicyBinding *a
 	b.WithAPIVersion("admissionregistration.k8s.io/v1beta1")
 	return b, nil
 }
+
+// ExtractValidatingAdmissionPolicyBinding extracts the applied configuration owned by fieldManager from
+// validatingAdmissionPolicyBinding. If no managedFields are found in validatingAdmissionPolicyBinding for fieldManager, a
+// ValidatingAdmissionPolicyBindingApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// validatingAdmissionPolicyBinding must be a unmodified ValidatingAdmissionPolicyBinding API object that was retrieved from the Kubernetes API.
+// ExtractValidatingAdmissionPolicyBinding provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractValidatingAdmissionPolicyBinding(validatingAdmissionPolicyBinding *admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding, fieldManager string) (*ValidatingAdmissionPolicyBindingApplyConfiguration, error) {
+	return ExtractValidatingAdmissionPolicyBindingFrom(validatingAdmissionPolicyBinding, fieldManager, "")
+}
+
 func (b ValidatingAdmissionPolicyBindingApplyConfiguration) IsApplyConfiguration() {}

 // WithKind sets the Kind field in the declarative configuration to the given value
--- a/applyconfigurations/admissionregistration/v1beta1/validatingadmissionpolicybindingspec.go
+++ b/applyconfigurations/admissionregistration/v1beta1/validatingadmissionpolicybindingspec.go
@@ -24,10 +24,63 @@ import (

 // ValidatingAdmissionPolicyBindingSpecApplyConfiguration represents a declarative configuration of the ValidatingAdmissionPolicyBindingSpec type for use
 // with apply.
+//
+// ValidatingAdmissionPolicyBindingSpec is the specification of the ValidatingAdmissionPolicyBinding.
 type ValidatingAdmissionPolicyBindingSpecApplyConfiguration struct {
-	PolicyName        *string                                         `json:"policyName,omitempty"`
-	ParamRef          *ParamRefApplyConfiguration                     `json:"paramRef,omitempty"`
-	MatchResources    *MatchResourcesApplyConfiguration               `json:"matchResources,omitempty"`
+	// PolicyName references a ValidatingAdmissionPolicy name which the ValidatingAdmissionPolicyBinding binds to.
+	// If the referenced resource does not exist, this binding is considered invalid and will be ignored
+	// Required.
+	PolicyName *string `json:"policyName,omitempty"`
+	// paramRef specifies the parameter resource used to configure the admission control policy.
+	// It should point to a resource of the type specified in ParamKind of the bound ValidatingAdmissionPolicy.
+	// If the policy specifies a ParamKind and the resource referred to by ParamRef does not exist, this binding is considered mis-configured and the FailurePolicy of the ValidatingAdmissionPolicy applied.
+	// If the policy does not specify a ParamKind then this field is ignored, and the rules are evaluated without a param.
+	ParamRef *ParamRefApplyConfiguration `json:"paramRef,omitempty"`
+	// MatchResources declares what resources match this binding and will be validated by it.
+	// Note that this is intersected with the policy's matchConstraints, so only requests that are matched by the policy can be selected by this.
+	// If this is unset, all resources matched by the policy are validated by this binding
+	// When resourceRules is unset, it does not constrain resource matching. If a resource is matched by the other fields of this object, it will be validated.
+	// Note that this is differs from ValidatingAdmissionPolicy matchConstraints, where resourceRules are required.
+	MatchResources *MatchResourcesApplyConfiguration `json:"matchResources,omitempty"`
+	// validationActions declares how Validations of the referenced ValidatingAdmissionPolicy are enforced.
+	// If a validation evaluates to false it is always enforced according to these actions.
+	//
+	// Failures defined by the ValidatingAdmissionPolicy's FailurePolicy are enforced according
+	// to these actions only if the FailurePolicy is set to Fail, otherwise the failures are
+	// ignored. This includes compilation errors, runtime errors and misconfigurations of the policy.
+	//
+	// validationActions is declared as a set of action values. Order does
+	// not matter. validationActions may not contain duplicates of the same action.
+	//
+	// The supported actions values are:
+	//
+	// "Deny" specifies that a validation failure results in a denied request.
+	//
+	// "Warn" specifies that a validation failure is reported to the request client
+	// in HTTP Warning headers, with a warning code of 299. Warnings can be sent
+	// both for allowed or denied admission responses.
+	//
+	// "Audit" specifies that a validation failure is included in the published
+	// audit event for the request. The audit event will contain a
+	// `validation.policy.admission.k8s.io/validation_failure` audit annotation
+	// with a value containing the details of the validation failures, formatted as
+	// a JSON list of objects, each with the following fields:
+	// - message: The validation failure message string
+	// - policy: The resource name of the ValidatingAdmissionPolicy
+	// - binding: The resource name of the ValidatingAdmissionPolicyBinding
+	// - expressionIndex: The index of the failed validations in the ValidatingAdmissionPolicy
+	// - validationActions: The enforcement actions enacted for the validation failure
+	// Example audit annotation:
+	// `"validation.policy.admission.k8s.io/validation_failure": "[{\"message\": \"Invalid value\", {\"policy\": \"policy.example.com\", {\"binding\": \"policybinding.example.com\", {\"expressionIndex\": \"1\", {\"validationActions\": [\"Audit\"]}]"`
+	//
+	// Clients should expect to handle additional values by ignoring
+	// any values not recognized.
+	//
+	// "Deny" and "Warn" may not be used together since this combination
+	// needlessly duplicates the validation failure both in the
+	// API response body and the HTTP warning headers.
+	//
+	// Required.
 	ValidationActions []admissionregistrationv1beta1.ValidationAction `json:"validationActions,omitempty"`
 }

--- a/applyconfigurations/admissionregistration/v1beta1/validatingadmissionpolicyspec.go
+++ b/applyconfigurations/admissionregistration/v1beta1/validatingadmissionpolicyspec.go
@@ -24,14 +24,66 @@ import (

 // ValidatingAdmissionPolicySpecApplyConfiguration represents a declarative configuration of the ValidatingAdmissionPolicySpec type for use
 // with apply.
+//
+// ValidatingAdmissionPolicySpec is the specification of the desired behavior of the AdmissionPolicy.
 type ValidatingAdmissionPolicySpecApplyConfiguration struct {
-	ParamKind        *ParamKindApplyConfiguration                    `json:"paramKind,omitempty"`
-	MatchConstraints *MatchResourcesApplyConfiguration               `json:"matchConstraints,omitempty"`
-	Validations      []ValidationApplyConfiguration                  `json:"validations,omitempty"`
-	FailurePolicy    *admissionregistrationv1beta1.FailurePolicyType `json:"failurePolicy,omitempty"`
-	AuditAnnotations []AuditAnnotationApplyConfiguration             `json:"auditAnnotations,omitempty"`
-	MatchConditions  []MatchConditionApplyConfiguration              `json:"matchConditions,omitempty"`
-	Variables        []VariableApplyConfiguration                    `json:"variables,omitempty"`
+	// ParamKind specifies the kind of resources used to parameterize this policy.
+	// If absent, there are no parameters for this policy and the param CEL variable will not be provided to validation expressions.
+	// If ParamKind refers to a non-existent kind, this policy definition is mis-configured and the FailurePolicy is applied.
+	// If paramKind is specified but paramRef is unset in ValidatingAdmissionPolicyBinding, the params variable will be null.
+	ParamKind *ParamKindApplyConfiguration `json:"paramKind,omitempty"`
+	// MatchConstraints specifies what resources this policy is designed to validate.
+	// The AdmissionPolicy cares about a request if it matches _all_ Constraints.
+	// However, in order to prevent clusters from being put into an unstable state that cannot be recovered from via the API
+	// ValidatingAdmissionPolicy cannot match ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding.
+	// Required.
+	MatchConstraints *MatchResourcesApplyConfiguration `json:"matchConstraints,omitempty"`
+	// Validations contain CEL expressions which is used to apply the validation.
+	// Validations and AuditAnnotations may not both be empty; a minimum of one Validations or AuditAnnotations is
+	// required.
+	Validations []ValidationApplyConfiguration `json:"validations,omitempty"`
+	// failurePolicy defines how to handle failures for the admission policy. Failures can
+	// occur from CEL expression parse errors, type check errors, runtime errors and invalid
+	// or mis-configured policy definitions or bindings.
+	//
+	// A policy is invalid if spec.paramKind refers to a non-existent Kind.
+	// A binding is invalid if spec.paramRef.name refers to a non-existent resource.
+	//
+	// failurePolicy does not define how validations that evaluate to false are handled.
+	//
+	// When failurePolicy is set to Fail, ValidatingAdmissionPolicyBinding validationActions
+	// define how failures are enforced.
+	//
+	// Allowed values are Ignore or Fail. Defaults to Fail.
+	FailurePolicy *admissionregistrationv1beta1.FailurePolicyType `json:"failurePolicy,omitempty"`
+	// auditAnnotations contains CEL expressions which are used to produce audit
+	// annotations for the audit event of the API request.
+	// validations and auditAnnotations may not both be empty; a least one of validations or auditAnnotations is
+	// required.
+	AuditAnnotations []AuditAnnotationApplyConfiguration `json:"auditAnnotations,omitempty"`
+	// MatchConditions is a list of conditions that must be met for a request to be validated.
+	// Match conditions filter requests that have already been matched by the rules,
+	// namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.
+	// There are a maximum of 64 match conditions allowed.
+	//
+	// If a parameter object is provided, it can be accessed via the `params` handle in the same
+	// manner as validation expressions.
+	//
+	// The exact matching logic is (in order):
+	// 1. If ANY matchCondition evaluates to FALSE, the policy is skipped.
+	// 2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.
+	// 3. If any matchCondition evaluates to an error (but none are FALSE):
+	// - If failurePolicy=Fail, reject the request
+	// - If failurePolicy=Ignore, the policy is skipped
+	MatchConditions []MatchConditionApplyConfiguration `json:"matchConditions,omitempty"`
+	// Variables contain definitions of variables that can be used in composition of other expressions.
+	// Each variable is defined as a named CEL expression.
+	// The variables defined here will be available under `variables` in other expressions of the policy
+	// except MatchConditions because MatchConditions are evaluated before the rest of the policy.
+	//
+	// The expression of a variable can refer to other variables defined earlier in the list but not those after.
+	// Thus, Variables must be sorted by the order of first appearance and acyclic.
+	Variables []VariableApplyConfiguration `json:"variables,omitempty"`
 }

 // ValidatingAdmissionPolicySpecApplyConfiguration constructs a declarative configuration of the ValidatingAdmissionPolicySpec type for use with
--- a/applyconfigurations/admissionregistration/v1beta1/validatingadmissionpolicystatus.go
+++ b/applyconfigurations/admissionregistration/v1beta1/validatingadmissionpolicystatus.go
@@ -24,10 +24,16 @@ import (

 // ValidatingAdmissionPolicyStatusApplyConfiguration represents a declarative configuration of the ValidatingAdmissionPolicyStatus type for use
 // with apply.
+//
+// ValidatingAdmissionPolicyStatus represents the status of an admission validation policy.
 type ValidatingAdmissionPolicyStatusApplyConfiguration struct {
-	ObservedGeneration *int64                           `json:"observedGeneration,omitempty"`
-	TypeChecking       *TypeCheckingApplyConfiguration  `json:"typeChecking,omitempty"`
-	Conditions         []v1.ConditionApplyConfiguration `json:"conditions,omitempty"`
+	// The generation observed by the controller.
+	ObservedGeneration *int64 `json:"observedGeneration,omitempty"`
+	// The results of type checking for each expression.
+	// Presence of this field indicates the completion of the type checking.
+	TypeChecking *TypeCheckingApplyConfiguration `json:"typeChecking,omitempty"`
+	// The conditions represent the latest available observations of a policy's current state.
+	Conditions []v1.ConditionApplyConfiguration `json:"conditions,omitempty"`
 }

 // ValidatingAdmissionPolicyStatusApplyConfiguration constructs a declarative configuration of the ValidatingAdmissionPolicyStatus type for use with
--- a/applyconfigurations/admissionregistration/v1beta1/validatingwebhook.go
+++ b/applyconfigurations/admissionregistration/v1beta1/validatingwebhook.go
@@ -26,18 +26,133 @@ import (

 // ValidatingWebhookApplyConfiguration represents a declarative configuration of the ValidatingWebhook type for use
 // with apply.
+//
+// ValidatingWebhook describes an admission webhook and the resources and operations it applies to.
 type ValidatingWebhookApplyConfiguration struct {
-	Name                    *string                                         `json:"name,omitempty"`
-	ClientConfig            *WebhookClientConfigApplyConfiguration          `json:"clientConfig,omitempty"`
-	Rules                   []v1.RuleWithOperationsApplyConfiguration       `json:"rules,omitempty"`
-	FailurePolicy           *admissionregistrationv1beta1.FailurePolicyType `json:"failurePolicy,omitempty"`
-	MatchPolicy             *admissionregistrationv1beta1.MatchPolicyType   `json:"matchPolicy,omitempty"`
-	NamespaceSelector       *metav1.LabelSelectorApplyConfiguration         `json:"namespaceSelector,omitempty"`
-	ObjectSelector          *metav1.LabelSelectorApplyConfiguration         `json:"objectSelector,omitempty"`
-	SideEffects             *admissionregistrationv1beta1.SideEffectClass   `json:"sideEffects,omitempty"`
-	TimeoutSeconds          *int32                                          `json:"timeoutSeconds,omitempty"`
-	AdmissionReviewVersions []string                                        `json:"admissionReviewVersions,omitempty"`
-	MatchConditions         []MatchConditionApplyConfiguration              `json:"matchConditions,omitempty"`
+	// The name of the admission webhook.
+	// Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where
+	// "imagepolicy" is the name of the webhook, and kubernetes.io is the name
+	// of the organization.
+	// Required.
+	Name *string `json:"name,omitempty"`
+	// ClientConfig defines how to communicate with the hook.
+	// Required
+	ClientConfig *WebhookClientConfigApplyConfiguration `json:"clientConfig,omitempty"`
+	// Rules describes what operations on what resources/subresources the webhook cares about.
+	// The webhook cares about an operation if it matches _any_ Rule.
+	// However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks
+	// from putting the cluster in a state which cannot be recovered from without completely
+	// disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called
+	// on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects.
+	Rules []v1.RuleWithOperationsApplyConfiguration `json:"rules,omitempty"`
+	// FailurePolicy defines how unrecognized errors from the admission endpoint are handled -
+	// allowed values are Ignore or Fail. Defaults to Ignore.
+	FailurePolicy *admissionregistrationv1beta1.FailurePolicyType `json:"failurePolicy,omitempty"`
+	// matchPolicy defines how the "rules" list is used to match incoming requests.
+	// Allowed values are "Exact" or "Equivalent".
+	//
+	// - Exact: match a request only if it exactly matches a specified rule.
+	// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
+	// but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
+	// a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.
+	//
+	// - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.
+	// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
+	// and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
+	// a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.
+	//
+	// Defaults to "Exact"
+	MatchPolicy *admissionregistrationv1beta1.MatchPolicyType `json:"matchPolicy,omitempty"`
+	// NamespaceSelector decides whether to run the webhook on an object based
+	// on whether the namespace for that object matches the selector. If the
+	// object itself is a namespace, the matching is performed on
+	// object.metadata.labels. If the object is another cluster scoped resource,
+	// it never skips the webhook.
+	//
+	// For example, to run the webhook on any objects whose namespace is not
+	// associated with "runlevel" of "0" or "1";  you will set the selector as
+	// follows:
+	// "namespaceSelector": {
+	// "matchExpressions": [
+	// {
+	// "key": "runlevel",
+	// "operator": "NotIn",
+	// "values": [
+	// "0",
+	// "1"
+	// ]
+	// }
+	// ]
+	// }
+	//
+	// If instead you want to only run the webhook on any objects whose
+	// namespace is associated with the "environment" of "prod" or "staging";
+	// you will set the selector as follows:
+	// "namespaceSelector": {
+	// "matchExpressions": [
+	// {
+	// "key": "environment",
+	// "operator": "In",
+	// "values": [
+	// "prod",
+	// "staging"
+	// ]
+	// }
+	// ]
+	// }
+	//
+	// See
+	// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels
+	// for more examples of label selectors.
+	//
+	// Default to the empty LabelSelector, which matches everything.
+	NamespaceSelector *metav1.LabelSelectorApplyConfiguration `json:"namespaceSelector,omitempty"`
+	// ObjectSelector decides whether to run the webhook based on if the
+	// object has matching labels. objectSelector is evaluated against both
+	// the oldObject and newObject that would be sent to the webhook, and
+	// is considered to match if either object matches the selector. A null
+	// object (oldObject in the case of create, or newObject in the case of
+	// delete) or an object that cannot have labels (like a
+	// DeploymentRollback or a PodProxyOptions object) is not considered to
+	// match.
+	// Use the object selector only if the webhook is opt-in, because end
+	// users may skip the admission webhook by setting the labels.
+	// Default to the empty LabelSelector, which matches everything.
+	ObjectSelector *metav1.LabelSelectorApplyConfiguration `json:"objectSelector,omitempty"`
+	// SideEffects states whether this webhook has side effects.
+	// Acceptable values are: Unknown, None, Some, NoneOnDryRun
+	// Webhooks with side effects MUST implement a reconciliation system, since a request may be
+	// rejected by a future step in the admission chain and the side effects therefore need to be undone.
+	// Requests with the dryRun attribute will be auto-rejected if they match a webhook with
+	// sideEffects == Unknown or Some. Defaults to Unknown.
+	SideEffects *admissionregistrationv1beta1.SideEffectClass `json:"sideEffects,omitempty"`
+	// TimeoutSeconds specifies the timeout for this webhook. After the timeout passes,
+	// the webhook call will be ignored or the API call will fail based on the
+	// failure policy.
+	// The timeout value must be between 1 and 30 seconds.
+	// Default to 30 seconds.
+	TimeoutSeconds *int32 `json:"timeoutSeconds,omitempty"`
+	// AdmissionReviewVersions is an ordered list of preferred `AdmissionReview`
+	// versions the Webhook expects. API server will try to use first version in
+	// the list which it supports. If none of the versions specified in this list
+	// supported by API server, validation will fail for this object.
+	// If a persisted webhook configuration specifies allowed versions and does not
+	// include any versions known to the API Server, calls to the webhook will fail
+	// and be subject to the failure policy.
+	// Default to `['v1beta1']`.
+	AdmissionReviewVersions []string `json:"admissionReviewVersions,omitempty"`
+	// MatchConditions is a list of conditions that must be met for a request to be sent to this
+	// webhook. Match conditions filter requests that have already been matched by the rules,
+	// namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.
+	// There are a maximum of 64 match conditions allowed.
+	//
+	// The exact matching logic is (in order):
+	// 1. If ANY matchCondition evaluates to FALSE, the webhook is skipped.
+	// 2. If ALL matchConditions evaluate to TRUE, the webhook is called.
+	// 3. If any matchCondition evaluates to an error (but none are FALSE):
+	// - If failurePolicy=Fail, reject the request
+	// - If failurePolicy=Ignore, the error is ignored and the webhook is skipped
+	MatchConditions []MatchConditionApplyConfiguration `json:"matchConditions,omitempty"`
 }

 // ValidatingWebhookApplyConfiguration constructs a declarative configuration of the ValidatingWebhook type for use with
--- a/applyconfigurations/admissionregistration/v1beta1/validatingwebhookconfiguration.go
+++ b/applyconfigurations/admissionregistration/v1beta1/validatingwebhookconfiguration.go
@@ -29,10 +29,15 @@ import (

 // ValidatingWebhookConfigurationApplyConfiguration represents a declarative configuration of the ValidatingWebhookConfiguration type for use
 // with apply.
+//
+// ValidatingWebhookConfiguration describes the configuration of and admission webhook that accept or reject and object without changing it.
+// Deprecated in v1.16, planned for removal in v1.19. Use admissionregistration.k8s.io/v1 ValidatingWebhookConfiguration instead.
 type ValidatingWebhookConfigurationApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Webhooks                         []ValidatingWebhookApplyConfiguration `json:"webhooks,omitempty"`
+	// Webhooks is a list of webhooks and the affected resources and operations.
+	Webhooks []ValidatingWebhookApplyConfiguration `json:"webhooks,omitempty"`
 }

 // ValidatingWebhookConfiguration constructs a declarative configuration of the ValidatingWebhookConfiguration type for use with
@@ -45,29 +50,14 @@ func ValidatingWebhookConfiguration(name string) *ValidatingWebhookConfiguration
 	return b
 }

-// ExtractValidatingWebhookConfiguration extracts the applied configuration owned by fieldManager from
-// validatingWebhookConfiguration. If no managedFields are found in validatingWebhookConfiguration for fieldManager, a
-// ValidatingWebhookConfigurationApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractValidatingWebhookConfigurationFrom extracts the applied configuration owned by fieldManager from
+// validatingWebhookConfiguration for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // validatingWebhookConfiguration must be a unmodified ValidatingWebhookConfiguration API object that was retrieved from the Kubernetes API.
-// ExtractValidatingWebhookConfiguration provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractValidatingWebhookConfigurationFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractValidatingWebhookConfiguration(validatingWebhookConfiguration *admissionregistrationv1beta1.ValidatingWebhookConfiguration, fieldManager string) (*ValidatingWebhookConfigurationApplyConfiguration, error) {
-	return extractValidatingWebhookConfiguration(validatingWebhookConfiguration, fieldManager, "")
-}
-
-// ExtractValidatingWebhookConfigurationStatus is the same as ExtractValidatingWebhookConfiguration except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractValidatingWebhookConfigurationStatus(validatingWebhookConfiguration *admissionregistrationv1beta1.ValidatingWebhookConfiguration, fieldManager string) (*ValidatingWebhookConfigurationApplyConfiguration, error) {
-	return extractValidatingWebhookConfiguration(validatingWebhookConfiguration, fieldManager, "status")
-}
-
-func extractValidatingWebhookConfiguration(validatingWebhookConfiguration *admissionregistrationv1beta1.ValidatingWebhookConfiguration, fieldManager string, subresource string) (*ValidatingWebhookConfigurationApplyConfiguration, error) {
+func ExtractValidatingWebhookConfigurationFrom(validatingWebhookConfiguration *admissionregistrationv1beta1.ValidatingWebhookConfiguration, fieldManager string, subresource string) (*ValidatingWebhookConfigurationApplyConfiguration, error) {
 	b := &ValidatingWebhookConfigurationApplyConfiguration{}
 	err := managedfields.ExtractInto(validatingWebhookConfiguration, internal.Parser().Type("io.k8s.api.admissionregistration.v1beta1.ValidatingWebhookConfiguration"), fieldManager, b, subresource)
 	if err != nil {
@@ -79,6 +69,21 @@ func extractValidatingWebhookConfiguration(validatingWebhookConfiguration *admis
 	b.WithAPIVersion("admissionregistration.k8s.io/v1beta1")
 	return b, nil
 }
+
+// ExtractValidatingWebhookConfiguration extracts the applied configuration owned by fieldManager from
+// validatingWebhookConfiguration. If no managedFields are found in validatingWebhookConfiguration for fieldManager, a
+// ValidatingWebhookConfigurationApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// validatingWebhookConfiguration must be a unmodified ValidatingWebhookConfiguration API object that was retrieved from the Kubernetes API.
+// ExtractValidatingWebhookConfiguration provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractValidatingWebhookConfiguration(validatingWebhookConfiguration *admissionregistrationv1beta1.ValidatingWebhookConfiguration, fieldManager string) (*ValidatingWebhookConfigurationApplyConfiguration, error) {
+	return ExtractValidatingWebhookConfigurationFrom(validatingWebhookConfiguration, fieldManager, "")
+}
+
 func (b ValidatingWebhookConfigurationApplyConfiguration) IsApplyConfiguration() {}

 // WithKind sets the Kind field in the declarative configuration to the given value
--- a/applyconfigurations/admissionregistration/v1beta1/validation.go
+++ b/applyconfigurations/admissionregistration/v1beta1/validation.go
@@ -24,11 +24,77 @@ import (

 // ValidationApplyConfiguration represents a declarative configuration of the Validation type for use
 // with apply.
+//
+// Validation specifies the CEL expression which is used to apply the validation.
 type ValidationApplyConfiguration struct {
-	Expression        *string          `json:"expression,omitempty"`
-	Message           *string          `json:"message,omitempty"`
-	Reason            *v1.StatusReason `json:"reason,omitempty"`
-	MessageExpression *string          `json:"messageExpression,omitempty"`
+	// Expression represents the expression which will be evaluated by CEL.
+	// ref: https://github.com/google/cel-spec
+	// CEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables:
+	//
+	// - 'object' - The object from the incoming request. The value is null for DELETE requests.
+	// - 'oldObject' - The existing object. The value is null for CREATE requests.
+	// - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
+	// - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.
+	// - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.
+	// - 'variables' - Map of composited variables, from its name to its lazily evaluated value.
+	// For example, a variable named 'foo' can be accessed as 'variables.foo'.
+	// - 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
+	// See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
+	// - 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
+	// request resource.
+	//
+	// The `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the
+	// object. No other metadata properties are accessible.
+	//
+	// Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.
+	// Accessible property names are escaped according to the following rules when accessed in the expression:
+	// - '__' escapes to '__underscores__'
+	// - '.' escapes to '__dot__'
+	// - '-' escapes to '__dash__'
+	// - '/' escapes to '__slash__'
+	// - Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are:
+	// "true", "false", "null", "in", "as", "break", "const", "continue", "else", "for", "function", "if",
+	// "import", "let", "loop", "package", "namespace", "return".
+	// Examples:
+	// - Expression accessing a property named "namespace": {"Expression": "object.__namespace__ > 0"}
+	// - Expression accessing a property named "x-prop": {"Expression": "object.x__dash__prop > 0"}
+	// - Expression accessing a property named "redact__d": {"Expression": "object.redact__underscores__d > 0"}
+	//
+	// Equality on arrays with list type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1].
+	// Concatenation on arrays with x-kubernetes-list-type use the semantics of the list type:
+	// - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and
+	// non-intersecting elements in `Y` are appended, retaining their partial order.
+	// - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values
+	// are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with
+	// non-intersecting keys are appended, retaining their partial order.
+	// Required.
+	Expression *string `json:"expression,omitempty"`
+	// Message represents the message displayed when validation fails. The message is required if the Expression contains
+	// line breaks. The message must not contain line breaks.
+	// If unset, the message is "failed rule: {Rule}".
+	// e.g. "must be a URL with the host matching spec.host"
+	// If the Expression contains line breaks. Message is required.
+	// The message must not contain line breaks.
+	// If unset, the message is "failed Expression: {Expression}".
+	Message *string `json:"message,omitempty"`
+	// Reason represents a machine-readable description of why this validation failed.
+	// If this is the first validation in the list to fail, this reason, as well as the
+	// corresponding HTTP response code, are used in the
+	// HTTP response to the client.
+	// The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge".
+	// If not set, StatusReasonInvalid is used in the response to the client.
+	Reason *v1.StatusReason `json:"reason,omitempty"`
+	// messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.
+	// Since messageExpression is used as a failure message, it must evaluate to a string.
+	// If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.
+	// If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced
+	// as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string
+	// that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and
+	// the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.
+	// messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.
+	// Example:
+	// "object.x must be less than max ("+string(params.max)+")"
+	MessageExpression *string `json:"messageExpression,omitempty"`
 }

 // ValidationApplyConfiguration constructs a declarative configuration of the Validation type for use with
--- a/applyconfigurations/admissionregistration/v1beta1/variable.go
+++ b/applyconfigurations/admissionregistration/v1beta1/variable.go
@@ -20,8 +20,15 @@ package v1beta1

 // VariableApplyConfiguration represents a declarative configuration of the Variable type for use
 // with apply.
+//
+// Variable is the definition of a variable that is used for composition. A variable is defined as a named expression.
 type VariableApplyConfiguration struct {
-	Name       *string `json:"name,omitempty"`
+	// Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.
+	// The variable can be accessed in other expressions through `variables`
+	// For example, if name is "foo", the variable will be available as `variables.foo`
+	Name *string `json:"name,omitempty"`
+	// Expression is the expression that will be evaluated as the value of the variable.
+	// The CEL expression has access to the same identifiers as the CEL expressions in Validation.
 	Expression *string `json:"expression,omitempty"`
 }

--- a/applyconfigurations/admissionregistration/v1beta1/webhookclientconfig.go
+++ b/applyconfigurations/admissionregistration/v1beta1/webhookclientconfig.go
@@ -20,10 +20,44 @@ package v1beta1

 // WebhookClientConfigApplyConfiguration represents a declarative configuration of the WebhookClientConfig type for use
 // with apply.
+//
+// WebhookClientConfig contains the information to make a TLS
+// connection with the webhook
 type WebhookClientConfigApplyConfiguration struct {
-	URL      *string                             `json:"url,omitempty"`
-	Service  *ServiceReferenceApplyConfiguration `json:"service,omitempty"`
-	CABundle []byte                              `json:"caBundle,omitempty"`
+	// `url` gives the location of the webhook, in standard URL form
+	// (`scheme://host:port/path`). Exactly one of `url` or `service`
+	// must be specified.
+	//
+	// The `host` should not refer to a service running in the cluster; use
+	// the `service` field instead. The host might be resolved via external
+	// DNS in some apiservers (e.g., `kube-apiserver` cannot resolve
+	// in-cluster DNS as that would be a layering violation). `host` may
+	// also be an IP address.
+	//
+	// Please note that using `localhost` or `127.0.0.1` as a `host` is
+	// risky unless you take great care to run this webhook on all hosts
+	// which run an apiserver which might need to make calls to this
+	// webhook. Such installs are likely to be non-portable, i.e., not easy
+	// to turn up in a new cluster.
+	//
+	// The scheme must be "https"; the URL must begin with "https://".
+	//
+	// A path is optional, and if present may be any string permissible in
+	// a URL. You may use the path to pass an arbitrary string to the
+	// webhook, for example, a cluster identifier.
+	//
+	// Attempting to use a user or basic auth e.g. "user:password@" is not
+	// allowed. Fragments ("#...") and query parameters ("?...") are not
+	// allowed, either.
+	URL *string `json:"url,omitempty"`
+	// `service` is a reference to the service for this webhook. Either
+	// `service` or `url` must be specified.
+	//
+	// If the webhook is running within the cluster, then you should use `service`.
+	Service *ServiceReferenceApplyConfiguration `json:"service,omitempty"`
+	// `caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate.
+	// If unspecified, system trust roots on the apiserver are used.
+	CABundle []byte `json:"caBundle,omitempty"`
 }

 // WebhookClientConfigApplyConfiguration constructs a declarative configuration of the WebhookClientConfig type for use with
--- a/applyconfigurations/apiserverinternal/v1alpha1/serverstorageversion.go
+++ b/applyconfigurations/apiserverinternal/v1alpha1/serverstorageversion.go
@@ -20,11 +20,21 @@ package v1alpha1

 // ServerStorageVersionApplyConfiguration represents a declarative configuration of the ServerStorageVersion type for use
 // with apply.
+//
+// An API server instance reports the version it can decode and the version it
+// encodes objects to when persisting objects in the backend.
 type ServerStorageVersionApplyConfiguration struct {
-	APIServerID       *string  `json:"apiServerID,omitempty"`
-	EncodingVersion   *string  `json:"encodingVersion,omitempty"`
+	// The ID of the reporting API server.
+	APIServerID *string `json:"apiServerID,omitempty"`
+	// The API server encodes the object to this version when persisting it in
+	// the backend (e.g., etcd).
+	EncodingVersion *string `json:"encodingVersion,omitempty"`
+	// The API server can decode objects encoded in these versions.
+	// The encodingVersion must be included in the decodableVersions.
 	DecodableVersions []string `json:"decodableVersions,omitempty"`
-	ServedVersions    []string `json:"servedVersions,omitempty"`
+	// The API server can serve these versions.
+	// DecodableVersions must include all ServedVersions.
+	ServedVersions []string `json:"servedVersions,omitempty"`
 }

 // ServerStorageVersionApplyConfiguration constructs a declarative configuration of the ServerStorageVersion type for use with
--- a/applyconfigurations/apiserverinternal/v1alpha1/storageversion.go
+++ b/applyconfigurations/apiserverinternal/v1alpha1/storageversion.go
@@ -29,11 +29,17 @@ import (

 // StorageVersionApplyConfiguration represents a declarative configuration of the StorageVersion type for use
 // with apply.
+//
+// Storage version of a specific resource.
 type StorageVersionApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// The name is <group>.<resource>.
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *apiserverinternalv1alpha1.StorageVersionSpec `json:"spec,omitempty"`
-	Status                           *StorageVersionStatusApplyConfiguration       `json:"status,omitempty"`
+	// Spec is an empty spec. It is here to comply with Kubernetes API style.
+	Spec *apiserverinternalv1alpha1.StorageVersionSpec `json:"spec,omitempty"`
+	// API server instances report the version they can decode and the version they
+	// encode objects to when persisting objects in the backend.
+	Status *StorageVersionStatusApplyConfiguration `json:"status,omitempty"`
 }

 // StorageVersion constructs a declarative configuration of the StorageVersion type for use with
@@ -46,29 +52,14 @@ func StorageVersion(name string) *StorageVersionApplyConfiguration {
 	return b
 }

-// ExtractStorageVersion extracts the applied configuration owned by fieldManager from
-// storageVersion. If no managedFields are found in storageVersion for fieldManager, a
-// StorageVersionApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractStorageVersionFrom extracts the applied configuration owned by fieldManager from
+// storageVersion for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // storageVersion must be a unmodified StorageVersion API object that was retrieved from the Kubernetes API.
-// ExtractStorageVersion provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractStorageVersionFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractStorageVersion(storageVersion *apiserverinternalv1alpha1.StorageVersion, fieldManager string) (*StorageVersionApplyConfiguration, error) {
-	return extractStorageVersion(storageVersion, fieldManager, "")
-}
-
-// ExtractStorageVersionStatus is the same as ExtractStorageVersion except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractStorageVersionStatus(storageVersion *apiserverinternalv1alpha1.StorageVersion, fieldManager string) (*StorageVersionApplyConfiguration, error) {
-	return extractStorageVersion(storageVersion, fieldManager, "status")
-}
-
-func extractStorageVersion(storageVersion *apiserverinternalv1alpha1.StorageVersion, fieldManager string, subresource string) (*StorageVersionApplyConfiguration, error) {
+func ExtractStorageVersionFrom(storageVersion *apiserverinternalv1alpha1.StorageVersion, fieldManager string, subresource string) (*StorageVersionApplyConfiguration, error) {
 	b := &StorageVersionApplyConfiguration{}
 	err := managedfields.ExtractInto(storageVersion, internal.Parser().Type("io.k8s.api.apiserverinternal.v1alpha1.StorageVersion"), fieldManager, b, subresource)
 	if err != nil {
@@ -80,6 +71,27 @@ func extractStorageVersion(storageVersion *apiserverinternalv1alpha1.StorageVers
 	b.WithAPIVersion("internal.apiserver.k8s.io/v1alpha1")
 	return b, nil
 }
+
+// ExtractStorageVersion extracts the applied configuration owned by fieldManager from
+// storageVersion. If no managedFields are found in storageVersion for fieldManager, a
+// StorageVersionApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// storageVersion must be a unmodified StorageVersion API object that was retrieved from the Kubernetes API.
+// ExtractStorageVersion provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractStorageVersion(storageVersion *apiserverinternalv1alpha1.StorageVersion, fieldManager string) (*StorageVersionApplyConfiguration, error) {
+	return ExtractStorageVersionFrom(storageVersion, fieldManager, "")
+}
+
+// ExtractStorageVersionStatus extracts the applied configuration owned by fieldManager from
+// storageVersion for the status subresource.
+func ExtractStorageVersionStatus(storageVersion *apiserverinternalv1alpha1.StorageVersion, fieldManager string) (*StorageVersionApplyConfiguration, error) {
+	return ExtractStorageVersionFrom(storageVersion, fieldManager, "status")
+}
+
 func (b StorageVersionApplyConfiguration) IsApplyConfiguration() {}

 // WithKind sets the Kind field in the declarative configuration to the given value
--- a/applyconfigurations/apiserverinternal/v1alpha1/storageversioncondition.go
+++ b/applyconfigurations/apiserverinternal/v1alpha1/storageversioncondition.go
@@ -25,13 +25,21 @@ import (

 // StorageVersionConditionApplyConfiguration represents a declarative configuration of the StorageVersionCondition type for use
 // with apply.
+//
+// Describes the state of the storageVersion at a certain point.
 type StorageVersionConditionApplyConfiguration struct {
-	Type               *apiserverinternalv1alpha1.StorageVersionConditionType `json:"type,omitempty"`
-	Status             *apiserverinternalv1alpha1.ConditionStatus             `json:"status,omitempty"`
-	ObservedGeneration *int64                                                 `json:"observedGeneration,omitempty"`
-	LastTransitionTime *v1.Time                                               `json:"lastTransitionTime,omitempty"`
-	Reason             *string                                                `json:"reason,omitempty"`
-	Message            *string                                                `json:"message,omitempty"`
+	// Type of the condition.
+	Type *apiserverinternalv1alpha1.StorageVersionConditionType `json:"type,omitempty"`
+	// Status of the condition, one of True, False, Unknown.
+	Status *apiserverinternalv1alpha1.ConditionStatus `json:"status,omitempty"`
+	// If set, this represents the .metadata.generation that the condition was set based upon.
+	ObservedGeneration *int64 `json:"observedGeneration,omitempty"`
+	// Last time the condition transitioned from one status to another.
+	LastTransitionTime *v1.Time `json:"lastTransitionTime,omitempty"`
+	// The reason for the condition's last transition.
+	Reason *string `json:"reason,omitempty"`
+	// A human readable message indicating details about the transition.
+	Message *string `json:"message,omitempty"`
 }

 // StorageVersionConditionApplyConfiguration constructs a declarative configuration of the StorageVersionCondition type for use with
--- a/applyconfigurations/apiserverinternal/v1alpha1/storageversionstatus.go
+++ b/applyconfigurations/apiserverinternal/v1alpha1/storageversionstatus.go
@@ -20,10 +20,19 @@ package v1alpha1

 // StorageVersionStatusApplyConfiguration represents a declarative configuration of the StorageVersionStatus type for use
 // with apply.
+//
+// API server instances report the versions they can decode and the version they
+// encode objects to when persisting objects in the backend.
 type StorageVersionStatusApplyConfiguration struct {
-	StorageVersions       []ServerStorageVersionApplyConfiguration    `json:"storageVersions,omitempty"`
-	CommonEncodingVersion *string                                     `json:"commonEncodingVersion,omitempty"`
-	Conditions            []StorageVersionConditionApplyConfiguration `json:"conditions,omitempty"`
+	// The reported versions per API server instance.
+	StorageVersions []ServerStorageVersionApplyConfiguration `json:"storageVersions,omitempty"`
+	// If all API server instances agree on the same encoding storage version,
+	// then this field is set to that version. Otherwise this field is left empty.
+	// API servers should finish updating its storageVersionStatus entry before
+	// serving write operations, so that this field will be in sync with the reality.
+	CommonEncodingVersion *string `json:"commonEncodingVersion,omitempty"`
+	// The latest available observations of the storageVersion's state.
+	Conditions []StorageVersionConditionApplyConfiguration `json:"conditions,omitempty"`
 }

 // StorageVersionStatusApplyConfiguration constructs a declarative configuration of the StorageVersionStatus type for use with
--- a/applyconfigurations/apps/v1/controllerrevision.go
+++ b/applyconfigurations/apps/v1/controllerrevision.go
@@ -30,11 +30,25 @@ import (

 // ControllerRevisionApplyConfiguration represents a declarative configuration of the ControllerRevision type for use
 // with apply.
+//
+// ControllerRevision implements an immutable snapshot of state data. Clients
+// are responsible for serializing and deserializing the objects that contain
+// their internal state.
+// Once a ControllerRevision has been successfully created, it can not be updated.
+// The API Server will fail validation of all requests that attempt to mutate
+// the Data field. ControllerRevisions may, however, be deleted. Note that, due to its use by both
+// the DaemonSet and StatefulSet controllers for update and rollback, this object is beta. However,
+// it may be subject to name and representation changes in future releases, and clients should not
+// depend on its stability. It is primarily for internal use by controllers.
 type ControllerRevisionApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Data                                 *runtime.RawExtension `json:"data,omitempty"`
-	Revision                             *int64                `json:"revision,omitempty"`
+	// Data is the serialized representation of the state.
+	Data *runtime.RawExtension `json:"data,omitempty"`
+	// Revision indicates the revision of the state represented by Data.
+	Revision *int64 `json:"revision,omitempty"`
 }

 // ControllerRevision constructs a declarative configuration of the ControllerRevision type for use with
@@ -48,29 +62,14 @@ func ControllerRevision(name, namespace string) *ControllerRevisionApplyConfigur
 	return b
 }

-// ExtractControllerRevision extracts the applied configuration owned by fieldManager from
-// controllerRevision. If no managedFields are found in controllerRevision for fieldManager, a
-// ControllerRevisionApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractControllerRevisionFrom extracts the applied configuration owned by fieldManager from
+// controllerRevision for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // controllerRevision must be a unmodified ControllerRevision API object that was retrieved from the Kubernetes API.
-// ExtractControllerRevision provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractControllerRevisionFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractControllerRevision(controllerRevision *appsv1.ControllerRevision, fieldManager string) (*ControllerRevisionApplyConfiguration, error) {
-	return extractControllerRevision(controllerRevision, fieldManager, "")
-}
-
-// ExtractControllerRevisionStatus is the same as ExtractControllerRevision except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractControllerRevisionStatus(controllerRevision *appsv1.ControllerRevision, fieldManager string) (*ControllerRevisionApplyConfiguration, error) {
-	return extractControllerRevision(controllerRevision, fieldManager, "status")
-}
-
-func extractControllerRevision(controllerRevision *appsv1.ControllerRevision, fieldManager string, subresource string) (*ControllerRevisionApplyConfiguration, error) {
+func ExtractControllerRevisionFrom(controllerRevision *appsv1.ControllerRevision, fieldManager string, subresource string) (*ControllerRevisionApplyConfiguration, error) {
 	b := &ControllerRevisionApplyConfiguration{}
 	err := managedfields.ExtractInto(controllerRevision, internal.Parser().Type("io.k8s.api.apps.v1.ControllerRevision"), fieldManager, b, subresource)
 	if err != nil {
@@ -83,6 +82,21 @@ func extractControllerRevision(controllerRevision *appsv1.ControllerRevision, fi
 	b.WithAPIVersion("apps/v1")
 	return b, nil
 }
+
+// ExtractControllerRevision extracts the applied configuration owned by fieldManager from
+// controllerRevision. If no managedFields are found in controllerRevision for fieldManager, a
+// ControllerRevisionApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// controllerRevision must be a unmodified ControllerRevision API object that was retrieved from the Kubernetes API.
+// ExtractControllerRevision provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractControllerRevision(controllerRevision *appsv1.ControllerRevision, fieldManager string) (*ControllerRevisionApplyConfiguration, error) {
+	return ExtractControllerRevisionFrom(controllerRevision, fieldManager, "")
+}
+
 func (b ControllerRevisionApplyConfiguration) IsApplyConfiguration() {}

 // WithKind sets the Kind field in the declarative configuration to the given value
--- a/applyconfigurations/apps/v1/daemonset.go
+++ b/applyconfigurations/apps/v1/daemonset.go
@@ -29,11 +29,22 @@ import (

 // DaemonSetApplyConfiguration represents a declarative configuration of the DaemonSet type for use
 // with apply.
+//
+// DaemonSet represents the configuration of a daemon set.
 type DaemonSetApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                                 *DaemonSetSpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                               *DaemonSetStatusApplyConfiguration `json:"status,omitempty"`
+	// The desired behavior of this daemon set.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	Spec *DaemonSetSpecApplyConfiguration `json:"spec,omitempty"`
+	// The current status of this daemon set. This data may be
+	// out of date by some window of time.
+	// Populated by the system.
+	// Read-only.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	Status *DaemonSetStatusApplyConfiguration `json:"status,omitempty"`
 }

 // DaemonSet constructs a declarative configuration of the DaemonSet type for use with
@@ -47,29 +58,14 @@ func DaemonSet(name, namespace string) *DaemonSetApplyConfiguration {
 	return b
 }

-// ExtractDaemonSet extracts the applied configuration owned by fieldManager from
-// daemonSet. If no managedFields are found in daemonSet for fieldManager, a
-// DaemonSetApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractDaemonSetFrom extracts the applied configuration owned by fieldManager from
+// daemonSet for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // daemonSet must be a unmodified DaemonSet API object that was retrieved from the Kubernetes API.
-// ExtractDaemonSet provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractDaemonSetFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractDaemonSet(daemonSet *appsv1.DaemonSet, fieldManager string) (*DaemonSetApplyConfiguration, error) {
-	return extractDaemonSet(daemonSet, fieldManager, "")
-}
-
-// ExtractDaemonSetStatus is the same as ExtractDaemonSet except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractDaemonSetStatus(daemonSet *appsv1.DaemonSet, fieldManager string) (*DaemonSetApplyConfiguration, error) {
-	return extractDaemonSet(daemonSet, fieldManager, "status")
-}
-
-func extractDaemonSet(daemonSet *appsv1.DaemonSet, fieldManager string, subresource string) (*DaemonSetApplyConfiguration, error) {
+func ExtractDaemonSetFrom(daemonSet *appsv1.DaemonSet, fieldManager string, subresource string) (*DaemonSetApplyConfiguration, error) {
 	b := &DaemonSetApplyConfiguration{}
 	err := managedfields.ExtractInto(daemonSet, internal.Parser().Type("io.k8s.api.apps.v1.DaemonSet"), fieldManager, b, subresource)
 	if err != nil {
@@ -82,6 +78,27 @@ func extractDaemonSet(daemonSet *appsv1.DaemonSet, fieldManager string, subresou
 	b.WithAPIVersion("apps/v1")
 	return b, nil
 }
+
+// ExtractDaemonSet extracts the applied configuration owned by fieldManager from
+// daemonSet. If no managedFields are found in daemonSet for fieldManager, a
+// DaemonSetApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// daemonSet must be a unmodified DaemonSet API object that was retrieved from the Kubernetes API.
+// ExtractDaemonSet provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractDaemonSet(daemonSet *appsv1.DaemonSet, fieldManager string) (*DaemonSetApplyConfiguration, error) {
+	return ExtractDaemonSetFrom(daemonSet, fieldManager, "")
+}
+
+// ExtractDaemonSetStatus extracts the applied configuration owned by fieldManager from
+// daemonSet for the status subresource.
+func ExtractDaemonSetStatus(daemonSet *appsv1.DaemonSet, fieldManager string) (*DaemonSetApplyConfiguration, error) {
+	return ExtractDaemonSetFrom(daemonSet, fieldManager, "status")
+}
+
 func (b DaemonSetApplyConfiguration) IsApplyConfiguration() {}

 // WithKind sets the Kind field in the declarative configuration to the given value
--- a/applyconfigurations/apps/v1/daemonsetcondition.go
+++ b/applyconfigurations/apps/v1/daemonsetcondition.go
@@ -26,12 +26,20 @@ import (

 // DaemonSetConditionApplyConfiguration represents a declarative configuration of the DaemonSetCondition type for use
 // with apply.
+//
+// TODO: Add valid condition types of a DaemonSet.
+// DaemonSetCondition describes the state of a DaemonSet at a certain point.
 type DaemonSetConditionApplyConfiguration struct {
-	Type               *appsv1.DaemonSetConditionType `json:"type,omitempty"`
-	Status             *corev1.ConditionStatus        `json:"status,omitempty"`
-	LastTransitionTime *metav1.Time                   `json:"lastTransitionTime,omitempty"`
-	Reason             *string                        `json:"reason,omitempty"`
-	Message            *string                        `json:"message,omitempty"`
+	// Type of DaemonSet condition.
+	Type *appsv1.DaemonSetConditionType `json:"type,omitempty"`
+	// Status of the condition, one of True, False, Unknown.
+	Status *corev1.ConditionStatus `json:"status,omitempty"`
+	// Last time the condition transitioned from one status to another.
+	LastTransitionTime *metav1.Time `json:"lastTransitionTime,omitempty"`
+	// The reason for the condition's last transition.
+	Reason *string `json:"reason,omitempty"`
+	// A human readable message indicating details about the transition.
+	Message *string `json:"message,omitempty"`
 }

 // DaemonSetConditionApplyConfiguration constructs a declarative configuration of the DaemonSetCondition type for use with
--- a/applyconfigurations/apps/v1/daemonsetspec.go
+++ b/applyconfigurations/apps/v1/daemonsetspec.go
@@ -25,12 +25,32 @@ import (

 // DaemonSetSpecApplyConfiguration represents a declarative configuration of the DaemonSetSpec type for use
 // with apply.
+//
+// DaemonSetSpec is the specification of a daemon set.
 type DaemonSetSpecApplyConfiguration struct {
-	Selector             *metav1.LabelSelectorApplyConfiguration    `json:"selector,omitempty"`
-	Template             *corev1.PodTemplateSpecApplyConfiguration  `json:"template,omitempty"`
-	UpdateStrategy       *DaemonSetUpdateStrategyApplyConfiguration `json:"updateStrategy,omitempty"`
-	MinReadySeconds      *int32                                     `json:"minReadySeconds,omitempty"`
-	RevisionHistoryLimit *int32                                     `json:"revisionHistoryLimit,omitempty"`
+	// A label query over pods that are managed by the daemon set.
+	// Must match in order to be controlled.
+	// It must match the pod template's labels.
+	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
+	Selector *metav1.LabelSelectorApplyConfiguration `json:"selector,omitempty"`
+	// An object that describes the pod that will be created.
+	// The DaemonSet will create exactly one copy of this pod on every node
+	// that matches the template's node selector (or on every node if no node
+	// selector is specified).
+	// The only allowed template.spec.restartPolicy value is "Always".
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-template
+	Template *corev1.PodTemplateSpecApplyConfiguration `json:"template,omitempty"`
+	// An update strategy to replace existing DaemonSet pods with new pods.
+	UpdateStrategy *DaemonSetUpdateStrategyApplyConfiguration `json:"updateStrategy,omitempty"`
+	// The minimum number of seconds for which a newly created DaemonSet pod should
+	// be ready without any of its container crashing, for it to be considered
+	// available. Defaults to 0 (pod will be considered available as soon as it
+	// is ready).
+	MinReadySeconds *int32 `json:"minReadySeconds,omitempty"`
+	// The number of old history to retain to allow rollback.
+	// This is a pointer to distinguish between explicit zero and not specified.
+	// Defaults to 10.
+	RevisionHistoryLimit *int32 `json:"revisionHistoryLimit,omitempty"`
 }

 // DaemonSetSpecApplyConfiguration constructs a declarative configuration of the DaemonSetSpec type for use with
--- a/applyconfigurations/apps/v1/daemonsetstatus.go
+++ b/applyconfigurations/apps/v1/daemonsetstatus.go
@@ -20,17 +20,42 @@ package v1

 // DaemonSetStatusApplyConfiguration represents a declarative configuration of the DaemonSetStatus type for use
 // with apply.
+//
+// DaemonSetStatus represents the current status of a daemon set.
 type DaemonSetStatusApplyConfiguration struct {
-	CurrentNumberScheduled *int32                                 `json:"currentNumberScheduled,omitempty"`
-	NumberMisscheduled     *int32                                 `json:"numberMisscheduled,omitempty"`
-	DesiredNumberScheduled *int32                                 `json:"desiredNumberScheduled,omitempty"`
-	NumberReady            *int32                                 `json:"numberReady,omitempty"`
-	ObservedGeneration     *int64                                 `json:"observedGeneration,omitempty"`
-	UpdatedNumberScheduled *int32                                 `json:"updatedNumberScheduled,omitempty"`
-	NumberAvailable        *int32                                 `json:"numberAvailable,omitempty"`
-	NumberUnavailable      *int32                                 `json:"numberUnavailable,omitempty"`
-	CollisionCount         *int32                                 `json:"collisionCount,omitempty"`
-	Conditions             []DaemonSetConditionApplyConfiguration `json:"conditions,omitempty"`
+	// The number of nodes that are running at least 1
+	// daemon pod and are supposed to run the daemon pod.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
+	CurrentNumberScheduled *int32 `json:"currentNumberScheduled,omitempty"`
+	// The number of nodes that are running the daemon pod, but are
+	// not supposed to run the daemon pod.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
+	NumberMisscheduled *int32 `json:"numberMisscheduled,omitempty"`
+	// The total number of nodes that should be running the daemon
+	// pod (including nodes correctly running the daemon pod).
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
+	DesiredNumberScheduled *int32 `json:"desiredNumberScheduled,omitempty"`
+	// numberReady is the number of nodes that should be running the daemon pod and have one
+	// or more of the daemon pod running with a Ready Condition.
+	NumberReady *int32 `json:"numberReady,omitempty"`
+	// The most recent generation observed by the daemon set controller.
+	ObservedGeneration *int64 `json:"observedGeneration,omitempty"`
+	// The total number of nodes that are running updated daemon pod
+	UpdatedNumberScheduled *int32 `json:"updatedNumberScheduled,omitempty"`
+	// The number of nodes that should be running the
+	// daemon pod and have one or more of the daemon pod running and
+	// available (ready for at least spec.minReadySeconds)
+	NumberAvailable *int32 `json:"numberAvailable,omitempty"`
+	// The number of nodes that should be running the
+	// daemon pod and have none of the daemon pod running and available
+	// (ready for at least spec.minReadySeconds)
+	NumberUnavailable *int32 `json:"numberUnavailable,omitempty"`
+	// Count of hash collisions for the DaemonSet. The DaemonSet controller
+	// uses this field as a collision avoidance mechanism when it needs to
+	// create the name for the newest ControllerRevision.
+	CollisionCount *int32 `json:"collisionCount,omitempty"`
+	// Represents the latest available observations of a DaemonSet's current state.
+	Conditions []DaemonSetConditionApplyConfiguration `json:"conditions,omitempty"`
 }

 // DaemonSetStatusApplyConfiguration constructs a declarative configuration of the DaemonSetStatus type for use with
--- a/applyconfigurations/apps/v1/daemonsetupdatestrategy.go
+++ b/applyconfigurations/apps/v1/daemonsetupdatestrategy.go
@@ -24,8 +24,16 @@ import (

 // DaemonSetUpdateStrategyApplyConfiguration represents a declarative configuration of the DaemonSetUpdateStrategy type for use
 // with apply.
+//
+// DaemonSetUpdateStrategy is a struct used to control the update strategy for a DaemonSet.
 type DaemonSetUpdateStrategyApplyConfiguration struct {
-	Type          *appsv1.DaemonSetUpdateStrategyType       `json:"type,omitempty"`
+	// Type of daemon set update. Can be "RollingUpdate" or "OnDelete". Default is RollingUpdate.
+	Type *appsv1.DaemonSetUpdateStrategyType `json:"type,omitempty"`
+	// Rolling update config params. Present only if type = "RollingUpdate".
+	// ---
+	// TODO: Update this to follow our convention for oneOf, whatever we decide it
+	// to be. Same as Deployment `strategy.rollingUpdate`.
+	// See https://github.com/kubernetes/kubernetes/issues/35345
 	RollingUpdate *RollingUpdateDaemonSetApplyConfiguration `json:"rollingUpdate,omitempty"`
 }

--- a/applyconfigurations/apps/v1/deployment.go
+++ b/applyconfigurations/apps/v1/deployment.go
@@ -29,11 +29,17 @@ import (

 // DeploymentApplyConfiguration represents a declarative configuration of the Deployment type for use
 // with apply.
+//
+// Deployment enables declarative updates for Pods and ReplicaSets.
 type DeploymentApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                                 *DeploymentSpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                               *DeploymentStatusApplyConfiguration `json:"status,omitempty"`
+	// Specification of the desired behavior of the Deployment.
+	Spec *DeploymentSpecApplyConfiguration `json:"spec,omitempty"`
+	// Most recently observed status of the Deployment.
+	Status *DeploymentStatusApplyConfiguration `json:"status,omitempty"`
 }

 // Deployment constructs a declarative configuration of the Deployment type for use with
@@ -47,29 +53,14 @@ func Deployment(name, namespace string) *DeploymentApplyConfiguration {
 	return b
 }

-// ExtractDeployment extracts the applied configuration owned by fieldManager from
-// deployment. If no managedFields are found in deployment for fieldManager, a
-// DeploymentApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractDeploymentFrom extracts the applied configuration owned by fieldManager from
+// deployment for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // deployment must be a unmodified Deployment API object that was retrieved from the Kubernetes API.
-// ExtractDeployment provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractDeploymentFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractDeployment(deployment *appsv1.Deployment, fieldManager string) (*DeploymentApplyConfiguration, error) {
-	return extractDeployment(deployment, fieldManager, "")
-}
-
-// ExtractDeploymentStatus is the same as ExtractDeployment except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractDeploymentStatus(deployment *appsv1.Deployment, fieldManager string) (*DeploymentApplyConfiguration, error) {
-	return extractDeployment(deployment, fieldManager, "status")
-}
-
-func extractDeployment(deployment *appsv1.Deployment, fieldManager string, subresource string) (*DeploymentApplyConfiguration, error) {
+func ExtractDeploymentFrom(deployment *appsv1.Deployment, fieldManager string, subresource string) (*DeploymentApplyConfiguration, error) {
 	b := &DeploymentApplyConfiguration{}
 	err := managedfields.ExtractInto(deployment, internal.Parser().Type("io.k8s.api.apps.v1.Deployment"), fieldManager, b, subresource)
 	if err != nil {
@@ -82,6 +73,33 @@ func extractDeployment(deployment *appsv1.Deployment, fieldManager string, subre
 	b.WithAPIVersion("apps/v1")
 	return b, nil
 }
+
+// ExtractDeployment extracts the applied configuration owned by fieldManager from
+// deployment. If no managedFields are found in deployment for fieldManager, a
+// DeploymentApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// deployment must be a unmodified Deployment API object that was retrieved from the Kubernetes API.
+// ExtractDeployment provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractDeployment(deployment *appsv1.Deployment, fieldManager string) (*DeploymentApplyConfiguration, error) {
+	return ExtractDeploymentFrom(deployment, fieldManager, "")
+}
+
+// ExtractDeploymentScale extracts the applied configuration owned by fieldManager from
+// deployment for the scale subresource.
+func ExtractDeploymentScale(deployment *appsv1.Deployment, fieldManager string) (*DeploymentApplyConfiguration, error) {
+	return ExtractDeploymentFrom(deployment, fieldManager, "scale")
+}
+
+// ExtractDeploymentStatus extracts the applied configuration owned by fieldManager from
+// deployment for the status subresource.
+func ExtractDeploymentStatus(deployment *appsv1.Deployment, fieldManager string) (*DeploymentApplyConfiguration, error) {
+	return ExtractDeploymentFrom(deployment, fieldManager, "status")
+}
+
 func (b DeploymentApplyConfiguration) IsApplyConfiguration() {}

 // WithKind sets the Kind field in the declarative configuration to the given value
--- a/applyconfigurations/apps/v1/deploymentcondition.go
+++ b/applyconfigurations/apps/v1/deploymentcondition.go
@@ -26,13 +26,21 @@ import (

 // DeploymentConditionApplyConfiguration represents a declarative configuration of the DeploymentCondition type for use
 // with apply.
+//
+// DeploymentCondition describes the state of a deployment at a certain point.
 type DeploymentConditionApplyConfiguration struct {
-	Type               *appsv1.DeploymentConditionType `json:"type,omitempty"`
-	Status             *corev1.ConditionStatus         `json:"status,omitempty"`
-	LastUpdateTime     *metav1.Time                    `json:"lastUpdateTime,omitempty"`
-	LastTransitionTime *metav1.Time                    `json:"lastTransitionTime,omitempty"`
-	Reason             *string                         `json:"reason,omitempty"`
-	Message            *string                         `json:"message,omitempty"`
+	// Type of deployment condition.
+	Type *appsv1.DeploymentConditionType `json:"type,omitempty"`
+	// Status of the condition, one of True, False, Unknown.
+	Status *corev1.ConditionStatus `json:"status,omitempty"`
+	// The last time this condition was updated.
+	LastUpdateTime *metav1.Time `json:"lastUpdateTime,omitempty"`
+	// Last time the condition transitioned from one status to another.
+	LastTransitionTime *metav1.Time `json:"lastTransitionTime,omitempty"`
+	// The reason for the condition's last transition.
+	Reason *string `json:"reason,omitempty"`
+	// A human readable message indicating details about the transition.
+	Message *string `json:"message,omitempty"`
 }

 // DeploymentConditionApplyConfiguration constructs a declarative configuration of the DeploymentCondition type for use with
--- a/applyconfigurations/apps/v1/deploymentspec.go
+++ b/applyconfigurations/apps/v1/deploymentspec.go
@@ -25,15 +25,37 @@ import (

 // DeploymentSpecApplyConfiguration represents a declarative configuration of the DeploymentSpec type for use
 // with apply.
+//
+// DeploymentSpec is the specification of the desired behavior of the Deployment.
 type DeploymentSpecApplyConfiguration struct {
-	Replicas                *int32                                    `json:"replicas,omitempty"`
-	Selector                *metav1.LabelSelectorApplyConfiguration   `json:"selector,omitempty"`
-	Template                *corev1.PodTemplateSpecApplyConfiguration `json:"template,omitempty"`
-	Strategy                *DeploymentStrategyApplyConfiguration     `json:"strategy,omitempty"`
-	MinReadySeconds         *int32                                    `json:"minReadySeconds,omitempty"`
-	RevisionHistoryLimit    *int32                                    `json:"revisionHistoryLimit,omitempty"`
-	Paused                  *bool                                     `json:"paused,omitempty"`
-	ProgressDeadlineSeconds *int32                                    `json:"progressDeadlineSeconds,omitempty"`
+	// Number of desired pods. This is a pointer to distinguish between explicit
+	// zero and not specified. Defaults to 1.
+	Replicas *int32 `json:"replicas,omitempty"`
+	// Label selector for pods. Existing ReplicaSets whose pods are
+	// selected by this will be the ones affected by this deployment.
+	// It must match the pod template's labels.
+	Selector *metav1.LabelSelectorApplyConfiguration `json:"selector,omitempty"`
+	// Template describes the pods that will be created.
+	// The only allowed template.spec.restartPolicy value is "Always".
+	Template *corev1.PodTemplateSpecApplyConfiguration `json:"template,omitempty"`
+	// The deployment strategy to use to replace existing pods with new ones.
+	Strategy *DeploymentStrategyApplyConfiguration `json:"strategy,omitempty"`
+	// Minimum number of seconds for which a newly created pod should be ready
+	// without any of its container crashing, for it to be considered available.
+	// Defaults to 0 (pod will be considered available as soon as it is ready)
+	MinReadySeconds *int32 `json:"minReadySeconds,omitempty"`
+	// The number of old ReplicaSets to retain to allow rollback.
+	// This is a pointer to distinguish between explicit zero and not specified.
+	// Defaults to 10.
+	RevisionHistoryLimit *int32 `json:"revisionHistoryLimit,omitempty"`
+	// Indicates that the deployment is paused.
+	Paused *bool `json:"paused,omitempty"`
+	// The maximum time in seconds for a deployment to make progress before it
+	// is considered to be failed. The deployment controller will continue to
+	// process failed deployments and a condition with a ProgressDeadlineExceeded
+	// reason will be surfaced in the deployment status. Note that progress will
+	// not be estimated during the time a deployment is paused. Defaults to 600s.
+	ProgressDeadlineSeconds *int32 `json:"progressDeadlineSeconds,omitempty"`
 }

 // DeploymentSpecApplyConfiguration constructs a declarative configuration of the DeploymentSpec type for use with
--- a/applyconfigurations/apps/v1/deploymentstatus.go
+++ b/applyconfigurations/apps/v1/deploymentstatus.go
@@ -20,16 +20,34 @@ package v1

 // DeploymentStatusApplyConfiguration represents a declarative configuration of the DeploymentStatus type for use
 // with apply.
+//
+// DeploymentStatus is the most recently observed status of the Deployment.
 type DeploymentStatusApplyConfiguration struct {
-	ObservedGeneration  *int64                                  `json:"observedGeneration,omitempty"`
-	Replicas            *int32                                  `json:"replicas,omitempty"`
-	UpdatedReplicas     *int32                                  `json:"updatedReplicas,omitempty"`
-	ReadyReplicas       *int32                                  `json:"readyReplicas,omitempty"`
-	AvailableReplicas   *int32                                  `json:"availableReplicas,omitempty"`
-	UnavailableReplicas *int32                                  `json:"unavailableReplicas,omitempty"`
-	TerminatingReplicas *int32                                  `json:"terminatingReplicas,omitempty"`
-	Conditions          []DeploymentConditionApplyConfiguration `json:"conditions,omitempty"`
-	CollisionCount      *int32                                  `json:"collisionCount,omitempty"`
+	// The generation observed by the deployment controller.
+	ObservedGeneration *int64 `json:"observedGeneration,omitempty"`
+	// Total number of non-terminating pods targeted by this deployment (their labels match the selector).
+	Replicas *int32 `json:"replicas,omitempty"`
+	// Total number of non-terminating pods targeted by this deployment that have the desired template spec.
+	UpdatedReplicas *int32 `json:"updatedReplicas,omitempty"`
+	// Total number of non-terminating pods targeted by this Deployment with a Ready Condition.
+	ReadyReplicas *int32 `json:"readyReplicas,omitempty"`
+	// Total number of available non-terminating pods (ready for at least minReadySeconds) targeted by this deployment.
+	AvailableReplicas *int32 `json:"availableReplicas,omitempty"`
+	// Total number of unavailable pods targeted by this deployment. This is the total number of
+	// pods that are still required for the deployment to have 100% available capacity. They may
+	// either be pods that are running but not yet available or pods that still have not been created.
+	UnavailableReplicas *int32 `json:"unavailableReplicas,omitempty"`
+	// Total number of terminating pods targeted by this deployment. Terminating pods have a non-null
+	// .metadata.deletionTimestamp and have not yet reached the Failed or Succeeded .status.phase.
+	//
+	// This is a beta field and requires enabling DeploymentReplicaSetTerminatingReplicas feature (enabled by default).
+	TerminatingReplicas *int32 `json:"terminatingReplicas,omitempty"`
+	// Represents the latest available observations of a deployment's current state.
+	Conditions []DeploymentConditionApplyConfiguration `json:"conditions,omitempty"`
+	// Count of hash collisions for the Deployment. The Deployment controller uses this
+	// field as a collision avoidance mechanism when it needs to create the name for the
+	// newest ReplicaSet.
+	CollisionCount *int32 `json:"collisionCount,omitempty"`
 }

 // DeploymentStatusApplyConfiguration constructs a declarative configuration of the DeploymentStatus type for use with
--- a/applyconfigurations/apps/v1/deploymentstrategy.go
+++ b/applyconfigurations/apps/v1/deploymentstrategy.go
@@ -24,8 +24,16 @@ import (

 // DeploymentStrategyApplyConfiguration represents a declarative configuration of the DeploymentStrategy type for use
 // with apply.
+//
+// DeploymentStrategy describes how to replace existing pods with new ones.
 type DeploymentStrategyApplyConfiguration struct {
-	Type          *appsv1.DeploymentStrategyType             `json:"type,omitempty"`
+	// Type of deployment. Can be "Recreate" or "RollingUpdate". Default is RollingUpdate.
+	Type *appsv1.DeploymentStrategyType `json:"type,omitempty"`
+	// Rolling update config params. Present only if DeploymentStrategyType =
+	// RollingUpdate.
+	// ---
+	// TODO: Update this to follow our convention for oneOf, whatever we decide it
+	// to be.
 	RollingUpdate *RollingUpdateDeploymentApplyConfiguration `json:"rollingUpdate,omitempty"`
 }

--- a/applyconfigurations/apps/v1/replicaset.go
+++ b/applyconfigurations/apps/v1/replicaset.go
@@ -29,11 +29,24 @@ import (

 // ReplicaSetApplyConfiguration represents a declarative configuration of the ReplicaSet type for use
 // with apply.
+//
+// ReplicaSet ensures that a specified number of pod replicas are running at any given time.
 type ReplicaSetApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// If the Labels of a ReplicaSet are empty, they are defaulted to
+	// be the same as the Pod(s) that the ReplicaSet manages.
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                                 *ReplicaSetSpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                               *ReplicaSetStatusApplyConfiguration `json:"status,omitempty"`
+	// Spec defines the specification of the desired behavior of the ReplicaSet.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	Spec *ReplicaSetSpecApplyConfiguration `json:"spec,omitempty"`
+	// Status is the most recently observed status of the ReplicaSet.
+	// This data may be out of date by some window of time.
+	// Populated by the system.
+	// Read-only.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	Status *ReplicaSetStatusApplyConfiguration `json:"status,omitempty"`
 }

 // ReplicaSet constructs a declarative configuration of the ReplicaSet type for use with
@@ -47,29 +60,14 @@ func ReplicaSet(name, namespace string) *ReplicaSetApplyConfiguration {
 	return b
 }

-// ExtractReplicaSet extracts the applied configuration owned by fieldManager from
-// replicaSet. If no managedFields are found in replicaSet for fieldManager, a
-// ReplicaSetApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractReplicaSetFrom extracts the applied configuration owned by fieldManager from
+// replicaSet for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // replicaSet must be a unmodified ReplicaSet API object that was retrieved from the Kubernetes API.
-// ExtractReplicaSet provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractReplicaSetFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractReplicaSet(replicaSet *appsv1.ReplicaSet, fieldManager string) (*ReplicaSetApplyConfiguration, error) {
-	return extractReplicaSet(replicaSet, fieldManager, "")
-}
-
-// ExtractReplicaSetStatus is the same as ExtractReplicaSet except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractReplicaSetStatus(replicaSet *appsv1.ReplicaSet, fieldManager string) (*ReplicaSetApplyConfiguration, error) {
-	return extractReplicaSet(replicaSet, fieldManager, "status")
-}
-
-func extractReplicaSet(replicaSet *appsv1.ReplicaSet, fieldManager string, subresource string) (*ReplicaSetApplyConfiguration, error) {
+func ExtractReplicaSetFrom(replicaSet *appsv1.ReplicaSet, fieldManager string, subresource string) (*ReplicaSetApplyConfiguration, error) {
 	b := &ReplicaSetApplyConfiguration{}
 	err := managedfields.ExtractInto(replicaSet, internal.Parser().Type("io.k8s.api.apps.v1.ReplicaSet"), fieldManager, b, subresource)
 	if err != nil {
@@ -82,6 +80,33 @@ func extractReplicaSet(replicaSet *appsv1.ReplicaSet, fieldManager string, subre
 	b.WithAPIVersion("apps/v1")
 	return b, nil
 }
+
+// ExtractReplicaSet extracts the applied configuration owned by fieldManager from
+// replicaSet. If no managedFields are found in replicaSet for fieldManager, a
+// ReplicaSetApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// replicaSet must be a unmodified ReplicaSet API object that was retrieved from the Kubernetes API.
+// ExtractReplicaSet provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractReplicaSet(replicaSet *appsv1.ReplicaSet, fieldManager string) (*ReplicaSetApplyConfiguration, error) {
+	return ExtractReplicaSetFrom(replicaSet, fieldManager, "")
+}
+
+// ExtractReplicaSetScale extracts the applied configuration owned by fieldManager from
+// replicaSet for the scale subresource.
+func ExtractReplicaSetScale(replicaSet *appsv1.ReplicaSet, fieldManager string) (*ReplicaSetApplyConfiguration, error) {
+	return ExtractReplicaSetFrom(replicaSet, fieldManager, "scale")
+}
+
+// ExtractReplicaSetStatus extracts the applied configuration owned by fieldManager from
+// replicaSet for the status subresource.
+func ExtractReplicaSetStatus(replicaSet *appsv1.ReplicaSet, fieldManager string) (*ReplicaSetApplyConfiguration, error) {
+	return ExtractReplicaSetFrom(replicaSet, fieldManager, "status")
+}
+
 func (b ReplicaSetApplyConfiguration) IsApplyConfiguration() {}

 // WithKind sets the Kind field in the declarative configuration to the given value
--- a/applyconfigurations/apps/v1/replicasetcondition.go
+++ b/applyconfigurations/apps/v1/replicasetcondition.go
@@ -26,12 +26,19 @@ import (

 // ReplicaSetConditionApplyConfiguration represents a declarative configuration of the ReplicaSetCondition type for use
 // with apply.
+//
+// ReplicaSetCondition describes the state of a replica set at a certain point.
 type ReplicaSetConditionApplyConfiguration struct {
-	Type               *appsv1.ReplicaSetConditionType `json:"type,omitempty"`
-	Status             *corev1.ConditionStatus         `json:"status,omitempty"`
-	LastTransitionTime *metav1.Time                    `json:"lastTransitionTime,omitempty"`
-	Reason             *string                         `json:"reason,omitempty"`
-	Message            *string                         `json:"message,omitempty"`
+	// Type of replica set condition.
+	Type *appsv1.ReplicaSetConditionType `json:"type,omitempty"`
+	// Status of the condition, one of True, False, Unknown.
+	Status *corev1.ConditionStatus `json:"status,omitempty"`
+	// The last time the condition transitioned from one status to another.
+	LastTransitionTime *metav1.Time `json:"lastTransitionTime,omitempty"`
+	// The reason for the condition's last transition.
+	Reason *string `json:"reason,omitempty"`
+	// A human readable message indicating details about the transition.
+	Message *string `json:"message,omitempty"`
 }

 // ReplicaSetConditionApplyConfiguration constructs a declarative configuration of the ReplicaSetCondition type for use with
--- a/applyconfigurations/apps/v1/replicasetspec.go
+++ b/applyconfigurations/apps/v1/replicasetspec.go
@@ -25,11 +25,27 @@ import (

 // ReplicaSetSpecApplyConfiguration represents a declarative configuration of the ReplicaSetSpec type for use
 // with apply.
+//
+// ReplicaSetSpec is the specification of a ReplicaSet.
 type ReplicaSetSpecApplyConfiguration struct {
-	Replicas        *int32                                    `json:"replicas,omitempty"`
-	MinReadySeconds *int32                                    `json:"minReadySeconds,omitempty"`
-	Selector        *metav1.LabelSelectorApplyConfiguration   `json:"selector,omitempty"`
-	Template        *corev1.PodTemplateSpecApplyConfiguration `json:"template,omitempty"`
+	// Replicas is the number of desired pods.
+	// This is a pointer to distinguish between explicit zero and unspecified.
+	// Defaults to 1.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicaset
+	Replicas *int32 `json:"replicas,omitempty"`
+	// Minimum number of seconds for which a newly created pod should be ready
+	// without any of its container crashing, for it to be considered available.
+	// Defaults to 0 (pod will be considered available as soon as it is ready)
+	MinReadySeconds *int32 `json:"minReadySeconds,omitempty"`
+	// Selector is a label query over pods that should match the replica count.
+	// Label keys and values that must match in order to be controlled by this replica set.
+	// It must match the pod template's labels.
+	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
+	Selector *metav1.LabelSelectorApplyConfiguration `json:"selector,omitempty"`
+	// Template is the object that describes the pod that will be created if
+	// insufficient replicas are detected.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/#pod-template
+	Template *corev1.PodTemplateSpecApplyConfiguration `json:"template,omitempty"`
 }

 // ReplicaSetSpecApplyConfiguration constructs a declarative configuration of the ReplicaSetSpec type for use with
--- a/applyconfigurations/apps/v1/replicasetstatus.go
+++ b/applyconfigurations/apps/v1/replicasetstatus.go
@@ -20,14 +20,27 @@ package v1

 // ReplicaSetStatusApplyConfiguration represents a declarative configuration of the ReplicaSetStatus type for use
 // with apply.
+//
+// ReplicaSetStatus represents the current status of a ReplicaSet.
 type ReplicaSetStatusApplyConfiguration struct {
-	Replicas             *int32                                  `json:"replicas,omitempty"`
-	FullyLabeledReplicas *int32                                  `json:"fullyLabeledReplicas,omitempty"`
-	ReadyReplicas        *int32                                  `json:"readyReplicas,omitempty"`
-	AvailableReplicas    *int32                                  `json:"availableReplicas,omitempty"`
-	TerminatingReplicas  *int32                                  `json:"terminatingReplicas,omitempty"`
-	ObservedGeneration   *int64                                  `json:"observedGeneration,omitempty"`
-	Conditions           []ReplicaSetConditionApplyConfiguration `json:"conditions,omitempty"`
+	// Replicas is the most recently observed number of non-terminating pods.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicaset
+	Replicas *int32 `json:"replicas,omitempty"`
+	// The number of non-terminating pods that have labels matching the labels of the pod template of the replicaset.
+	FullyLabeledReplicas *int32 `json:"fullyLabeledReplicas,omitempty"`
+	// The number of non-terminating pods targeted by this ReplicaSet with a Ready Condition.
+	ReadyReplicas *int32 `json:"readyReplicas,omitempty"`
+	// The number of available non-terminating pods (ready for at least minReadySeconds) for this replica set.
+	AvailableReplicas *int32 `json:"availableReplicas,omitempty"`
+	// The number of terminating pods for this replica set. Terminating pods have a non-null .metadata.deletionTimestamp
+	// and have not yet reached the Failed or Succeeded .status.phase.
+	//
+	// This is a beta field and requires enabling DeploymentReplicaSetTerminatingReplicas feature (enabled by default).
+	TerminatingReplicas *int32 `json:"terminatingReplicas,omitempty"`
+	// ObservedGeneration reflects the generation of the most recently observed ReplicaSet.
+	ObservedGeneration *int64 `json:"observedGeneration,omitempty"`
+	// Represents the latest available observations of a replica set's current state.
+	Conditions []ReplicaSetConditionApplyConfiguration `json:"conditions,omitempty"`
 }

 // ReplicaSetStatusApplyConfiguration constructs a declarative configuration of the ReplicaSetStatus type for use with
--- a/applyconfigurations/apps/v1/rollingupdatedaemonset.go
+++ b/applyconfigurations/apps/v1/rollingupdatedaemonset.go
@@ -24,9 +24,43 @@ import (

 // RollingUpdateDaemonSetApplyConfiguration represents a declarative configuration of the RollingUpdateDaemonSet type for use
 // with apply.
+//
+// Spec to control the desired behavior of daemon set rolling update.
 type RollingUpdateDaemonSetApplyConfiguration struct {
+	// The maximum number of DaemonSet pods that can be unavailable during the
+	// update. Value can be an absolute number (ex: 5) or a percentage of total
+	// number of DaemonSet pods at the start of the update (ex: 10%). Absolute
+	// number is calculated from percentage by rounding up.
+	// This cannot be 0 if MaxSurge is 0
+	// Default value is 1.
+	// Example: when this is set to 30%, at most 30% of the total number of nodes
+	// that should be running the daemon pod (i.e. status.desiredNumberScheduled)
+	// can have their pods stopped for an update at any given time. The update
+	// starts by stopping at most 30% of those DaemonSet pods and then brings
+	// up new DaemonSet pods in their place. Once the new pods are available,
+	// it then proceeds onto other DaemonSet pods, thus ensuring that at least
+	// 70% of original number of DaemonSet pods are available at all times during
+	// the update.
 	MaxUnavailable *intstr.IntOrString `json:"maxUnavailable,omitempty"`
-	MaxSurge       *intstr.IntOrString `json:"maxSurge,omitempty"`
+	// The maximum number of nodes with an existing available DaemonSet pod that
+	// can have an updated DaemonSet pod during during an update.
+	// Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+	// This can not be 0 if MaxUnavailable is 0.
+	// Absolute number is calculated from percentage by rounding up to a minimum of 1.
+	// Default value is 0.
+	// Example: when this is set to 30%, at most 30% of the total number of nodes
+	// that should be running the daemon pod (i.e. status.desiredNumberScheduled)
+	// can have their a new pod created before the old pod is marked as deleted.
+	// The update starts by launching new pods on 30% of nodes. Once an updated
+	// pod is available (Ready for at least minReadySeconds) the old DaemonSet pod
+	// on that node is marked deleted. If the old pod becomes unavailable for any
+	// reason (Ready transitions to false, is evicted, or is drained) an updated
+	// pod is immediately created on that node without considering surge limits.
+	// Allowing surge implies the possibility that the resources consumed by the
+	// daemonset on any given node can double if the readiness check fails, and
+	// so resource intensive daemonsets should take into account that they may
+	// cause evictions during disruption.
+	MaxSurge *intstr.IntOrString `json:"maxSurge,omitempty"`
 }

 // RollingUpdateDaemonSetApplyConfiguration constructs a declarative configuration of the RollingUpdateDaemonSet type for use with
--- a/applyconfigurations/apps/v1/rollingupdatedeployment.go
+++ b/applyconfigurations/apps/v1/rollingupdatedeployment.go
@@ -24,9 +24,32 @@ import (

 // RollingUpdateDeploymentApplyConfiguration represents a declarative configuration of the RollingUpdateDeployment type for use
 // with apply.
+//
+// Spec to control the desired behavior of rolling update.
 type RollingUpdateDeploymentApplyConfiguration struct {
+	// The maximum number of pods that can be unavailable during the update.
+	// Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+	// Absolute number is calculated from percentage by rounding down.
+	// This can not be 0 if MaxSurge is 0.
+	// Defaults to 25%.
+	// Example: when this is set to 30%, the old ReplicaSet can be scaled down to 70% of desired pods
+	// immediately when the rolling update starts. Once new pods are ready, old ReplicaSet
+	// can be scaled down further, followed by scaling up the new ReplicaSet, ensuring
+	// that the total number of pods available at all times during the update is at
+	// least 70% of desired pods.
 	MaxUnavailable *intstr.IntOrString `json:"maxUnavailable,omitempty"`
-	MaxSurge       *intstr.IntOrString `json:"maxSurge,omitempty"`
+	// The maximum number of pods that can be scheduled above the desired number of
+	// pods.
+	// Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+	// This can not be 0 if MaxUnavailable is 0.
+	// Absolute number is calculated from percentage by rounding up.
+	// Defaults to 25%.
+	// Example: when this is set to 30%, the new ReplicaSet can be scaled up immediately when
+	// the rolling update starts, such that the total number of old and new pods do not exceed
+	// 130% of desired pods. Once old pods have been killed,
+	// new ReplicaSet can be scaled up further, ensuring that total number of pods running
+	// at any time during the update is at most 130% of desired pods.
+	MaxSurge *intstr.IntOrString `json:"maxSurge,omitempty"`
 }

 // RollingUpdateDeploymentApplyConfiguration constructs a declarative configuration of the RollingUpdateDeployment type for use with
--- a/applyconfigurations/apps/v1/rollingupdatestatefulsetstrategy.go
+++ b/applyconfigurations/apps/v1/rollingupdatestatefulsetstrategy.go
@@ -24,8 +24,21 @@ import (

 // RollingUpdateStatefulSetStrategyApplyConfiguration represents a declarative configuration of the RollingUpdateStatefulSetStrategy type for use
 // with apply.
+//
+// RollingUpdateStatefulSetStrategy is used to communicate parameter for RollingUpdateStatefulSetStrategyType.
 type RollingUpdateStatefulSetStrategyApplyConfiguration struct {
-	Partition      *int32              `json:"partition,omitempty"`
+	// Partition indicates the ordinal at which the StatefulSet should be partitioned
+	// for updates. During a rolling update, all pods from ordinal Replicas-1 to
+	// Partition are updated. All pods from ordinal Partition-1 to 0 remain untouched.
+	// This is helpful in being able to do a canary based deployment. The default value is 0.
+	Partition *int32 `json:"partition,omitempty"`
+	// The maximum number of pods that can be unavailable during the update.
+	// Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+	// Absolute number is calculated from percentage by rounding up. This can not be 0.
+	// Defaults to 1. This field is beta-level and is enabled by default. The field applies to all pods in the range 0 to
+	// Replicas-1. That means if there is any unavailable pod in the range 0 to Replicas-1, it
+	// will be counted towards MaxUnavailable.
+	// This setting might not be effective for the OrderedReady podManagementPolicy. That policy ensures pods are created and become ready one at a time.
 	MaxUnavailable *intstr.IntOrString `json:"maxUnavailable,omitempty"`
 }

--- a/applyconfigurations/apps/v1/statefulset.go
+++ b/applyconfigurations/apps/v1/statefulset.go
@@ -29,11 +29,24 @@ import (

 // StatefulSetApplyConfiguration represents a declarative configuration of the StatefulSet type for use
 // with apply.
+//
+// StatefulSet represents a set of pods with consistent identities.
+// Identities are defined as:
+// - Network: A single stable DNS and hostname.
+// - Storage: As many VolumeClaims as requested.
+//
+// The StatefulSet guarantees that a given network identity will always
+// map to the same storage identity.
 type StatefulSetApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                                 *StatefulSetSpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                               *StatefulSetStatusApplyConfiguration `json:"status,omitempty"`
+	// Spec defines the desired identities of pods in this set.
+	Spec *StatefulSetSpecApplyConfiguration `json:"spec,omitempty"`
+	// Status is the current status of Pods in this StatefulSet. This data
+	// may be out of date by some window of time.
+	Status *StatefulSetStatusApplyConfiguration `json:"status,omitempty"`
 }

 // StatefulSet constructs a declarative configuration of the StatefulSet type for use with
@@ -47,29 +60,14 @@ func StatefulSet(name, namespace string) *StatefulSetApplyConfiguration {
 	return b
 }

-// ExtractStatefulSet extracts the applied configuration owned by fieldManager from
-// statefulSet. If no managedFields are found in statefulSet for fieldManager, a
-// StatefulSetApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractStatefulSetFrom extracts the applied configuration owned by fieldManager from
+// statefulSet for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // statefulSet must be a unmodified StatefulSet API object that was retrieved from the Kubernetes API.
-// ExtractStatefulSet provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractStatefulSetFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractStatefulSet(statefulSet *appsv1.StatefulSet, fieldManager string) (*StatefulSetApplyConfiguration, error) {
-	return extractStatefulSet(statefulSet, fieldManager, "")
-}
-
-// ExtractStatefulSetStatus is the same as ExtractStatefulSet except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractStatefulSetStatus(statefulSet *appsv1.StatefulSet, fieldManager string) (*StatefulSetApplyConfiguration, error) {
-	return extractStatefulSet(statefulSet, fieldManager, "status")
-}
-
-func extractStatefulSet(statefulSet *appsv1.StatefulSet, fieldManager string, subresource string) (*StatefulSetApplyConfiguration, error) {
+func ExtractStatefulSetFrom(statefulSet *appsv1.StatefulSet, fieldManager string, subresource string) (*StatefulSetApplyConfiguration, error) {
 	b := &StatefulSetApplyConfiguration{}
 	err := managedfields.ExtractInto(statefulSet, internal.Parser().Type("io.k8s.api.apps.v1.StatefulSet"), fieldManager, b, subresource)
 	if err != nil {
@@ -82,6 +80,33 @@ func extractStatefulSet(statefulSet *appsv1.StatefulSet, fieldManager string, su
 	b.WithAPIVersion("apps/v1")
 	return b, nil
 }
+
+// ExtractStatefulSet extracts the applied configuration owned by fieldManager from
+// statefulSet. If no managedFields are found in statefulSet for fieldManager, a
+// StatefulSetApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// statefulSet must be a unmodified StatefulSet API object that was retrieved from the Kubernetes API.
+// ExtractStatefulSet provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractStatefulSet(statefulSet *appsv1.StatefulSet, fieldManager string) (*StatefulSetApplyConfiguration, error) {
+	return ExtractStatefulSetFrom(statefulSet, fieldManager, "")
+}
+
+// ExtractStatefulSetScale extracts the applied configuration owned by fieldManager from
+// statefulSet for the scale subresource.
+func ExtractStatefulSetScale(statefulSet *appsv1.StatefulSet, fieldManager string) (*StatefulSetApplyConfiguration, error) {
+	return ExtractStatefulSetFrom(statefulSet, fieldManager, "scale")
+}
+
+// ExtractStatefulSetStatus extracts the applied configuration owned by fieldManager from
+// statefulSet for the status subresource.
+func ExtractStatefulSetStatus(statefulSet *appsv1.StatefulSet, fieldManager string) (*StatefulSetApplyConfiguration, error) {
+	return ExtractStatefulSetFrom(statefulSet, fieldManager, "status")
+}
+
 func (b StatefulSetApplyConfiguration) IsApplyConfiguration() {}

 // WithKind sets the Kind field in the declarative configuration to the given value
--- a/applyconfigurations/apps/v1/statefulsetcondition.go
+++ b/applyconfigurations/apps/v1/statefulsetcondition.go
@@ -26,12 +26,19 @@ import (

 // StatefulSetConditionApplyConfiguration represents a declarative configuration of the StatefulSetCondition type for use
 // with apply.
+//
+// StatefulSetCondition describes the state of a statefulset at a certain point.
 type StatefulSetConditionApplyConfiguration struct {
-	Type               *appsv1.StatefulSetConditionType `json:"type,omitempty"`
-	Status             *corev1.ConditionStatus          `json:"status,omitempty"`
-	LastTransitionTime *metav1.Time                     `json:"lastTransitionTime,omitempty"`
-	Reason             *string                          `json:"reason,omitempty"`
-	Message            *string                          `json:"message,omitempty"`
+	// Type of statefulset condition.
+	Type *appsv1.StatefulSetConditionType `json:"type,omitempty"`
+	// Status of the condition, one of True, False, Unknown.
+	Status *corev1.ConditionStatus `json:"status,omitempty"`
+	// Last time the condition transitioned from one status to another.
+	LastTransitionTime *metav1.Time `json:"lastTransitionTime,omitempty"`
+	// The reason for the condition's last transition.
+	Reason *string `json:"reason,omitempty"`
+	// A human readable message indicating details about the transition.
+	Message *string `json:"message,omitempty"`
 }

 // StatefulSetConditionApplyConfiguration constructs a declarative configuration of the StatefulSetCondition type for use with
--- a/Show More
+++ b/Show More