Merge pull request #138260 from liggitt/inline-json

use `json:""` consistently for inlined fields

Kubernetes-commit: 12484ce715d4c2030d894ebb2841e2cb027db7d0

ARCHITECTURE.md

@@ -0,0 +1,162 @@
+# `client-go` Architecture
+
+This document explains the internal architecture of `client-go` for contributors. It describes the
+major components, how they interact, and the key design decisions that shape the library.
+
+## Client Configuration
+
+There is an architectural separation between loading client configuration and using it. The
+`rest.Config` object is the in-memory representation of this configuration. The
+`tools/clientcmd` package is the standard factory for producing it. `clientcmd` handles the
+complex logic of parsing `kubeconfig` files, merging contexts, and handling external
+authentication providers (e.g., OIDC).
+
+## REST Client
+
+The `rest.Client` is the foundational HTTP client that underpins all other clients. It separates
+the low-level concerns of HTTP transport, serialization, and error handling from higher-level,
+Kubernetes-specific object logic.
+
+The `rest.Config` object is used to build the underlying HTTP transport, which is typically a
+chain of `http.RoundTripper` objects. Each element in the chain is responsible for a specific
+task, such as adding an `Authorization` header. This is the mechanism by which all authentication
+is injected into requests.
+
+The client uses a builder pattern for requests (e.g., `.Verb()`, `.Resource()`), deferring
+response processing until a method like `.Into(&pod)` is called. This separation is key to
+supporting different client models from a common base.
+
+### Endpoint Interactions
+
+*   **Content Negotiation:** The client uses HTTP `Accept` headers to negotiate the wire format
+    (JSON or Protobuf). A key performance optimization using this mechanism is the ability to
+    request metadata-only objects via the `as=PartialObjectMetadata;g=meta.k8s.io;v=v1` Accept custom parameter.
+    Also the `as=Table;g=meta.k8s.io;v=v1` Accept custom parameters may be used to request lists as tables. 
+*   **Subresources:** The client can target standard subresources like `/status` or `/scale` for
+    object mutations, and it can also handle action-oriented subresources like `/logs` or
+    `/exec`, which often involve streaming data.
+*   **List Pagination:** For `LIST` requests, the client can specify a `limit`. The server will
+    return up to that many items and, if more exist, a `continue` token. The client is
+    responsible for passing this token in a subsequent request to retrieve the next page.
+    Higher-level tools like the `Reflector`'s `ListerWatcher` handle this logic automatically.
+*   **Streaming Watches:** A `WATCH` request returns a `watch.Interface` (from
+    `k8s.io/apimachinery/pkg/watch`), which provides a channel of structured `watch.Event`
+    objects (`ADDED`, `MODIFIED`, `DELETED`, `BOOKMARK`). This decouples the watch consumer from
+    the underlying streaming protocol.
+
+### Errors, Warnings, and Rate Limiting
+
+*   **Structured Errors:** The client deserializes non-2xx responses into a structured
+    `errors.StatusError`, enabling programmatic error handling (e.g., `errors.IsNotFound(err)`).
+*   **Warnings:** It processes non-fatal `Warning` headers from the API server via a
+    `WarningHandler`.
+*   **Client-Side Rate Limiting:** The `QPS` and `Burst` settings in `rest.Config` are the
+    client's half of the contract with the server's API Priority and Fairness system.
+*   **Server-Side Throttling:** The client's default transport automatically handles HTTP `429`
+    responses by reading the `Retry-After` header, waiting, and retrying the request.
+
+## Typed and Dynamic Clients
+
+To handle the extensible nature of the Kubernetes API, `client-go` provides two primary client
+models.
+
+The **`kubernetes.Clientset`** provides compile-time, type-safe access to core, built-in APIs.
+
+The **`dynamic.DynamicClient`** represents all objects as `unstructured.Unstructured`, allowing it
+to interact with any API resource, including CRDs. It relies on two discovery mechanisms:
+1.  The **`discovery.DiscoveryClient`** determines *what* resources exist. The
+    **`CachedDiscoveryClient`** is an optimization that caches this data on disk to solve.
+2.  The **OpenAPI schema** (fetched from `/openapi/v3`) describes the *structure* of those
+    resources, providing the schema awareness needed by the dynamic client.
+
+## Code Generation
+
+A core architectural principle of `client-go` is the use of code generation to provide a
+strongly-typed, compile-time-safe interface for specific API GroupVersions. This makes
+controller code more robust and easier to maintain. The tools in `k8s.io/code-generator` produce
+several key components:
+
+*   **Typed Clientsets:** The primary interface for interacting with a specific GroupVersion.
+*   **Typed Listers:** The read-only, cached accessors used by controllers.
+*   **Typed Informers:** The machinery for populating the cache for a specific type.
+*   **Apply Configurations:** The type-safe builders for Server-Side Apply.
+
+A contributor modifying a built-in API type **must** run the code generation scripts to update all
+of these dependent components. For the Kubernetes project, `hack/update-codegen.sh` runs code generation.
+
+`sample-controller` shows how code generate can be configured to build custom controllers.
+
+## Controller Infrastructure
+
+The `tools/cache` package provides the core infrastructure for controllers, replacing a high-load,
+request-based pattern with a low-load, event-driven, cached model.
+
+The data flow is as follows:
+
+```mermaid
+graph TD
+    subgraph "Kubernetes API"
+        API_Server[API Server]
+    end
+
+    subgraph "client-go: Informer Mechanism"
+        Reflector("1. Reflector")
+        DeltaFIFO("2. DeltaFIFO")
+        Indexer["3. Indexer (Cache)"]
+        EventHandlers("4. Event Handlers")
+    end
+
+    subgraph "User Code"
+        WorkQueue["5. Work Queue"]
+        Controller("6. Controller")
+    end
+
+    API_Server -- LIST/WATCH --> Reflector
+    Reflector -- Puts changes into --> DeltaFIFO
+    DeltaFIFO -- Is popped by internal loop, which updates --> Indexer
+    Indexer -- Update triggers --> EventHandlers
+    EventHandlers -- Adds key to --> WorkQueue
+    WorkQueue -- Is processed by --> Controller
+    Controller -- Reads from cache via Lister --> Indexer
+```
+
+A **`Reflector`** performs a `LIST` to get a consistent snapshot of a resource, identified by a
+`resourceVersion`. It then starts a `WATCH` from that `resourceVersion` to receive a continuous
+stream of subsequent changes. The `Reflector`'s relist/rewatch loop is designed to solve the
+**"too old" `resourceVersion` error** by re-listing. To make this recovery more efficient, the
+`Reflector` consumes **watch bookmarks** from the server, which provide a more recent
+`resourceVersion` to restart from.
+
+The **`Lister`** is the primary, read-only, thread-safe interface for a controller's business
+logic to access the `Indexer`'s cache.
+
+## Controller Patterns
+
+The controller infrastructure is architecturally decoupled from the controller's business logic to
+ensure resiliency.
+
+The **`util/workqueue`** creates a critical boundary between event detection (the informer's job)
+and reconciliation (the controller's job). Informer event handlers only add an object's key to the
+work queue. This allows the controller to retry failed operations with exponential backoff without
+blocking the informer's watch stream.
+
+For high availability, the **`tools/leaderelection`** package provides the standard architectural
+solution to ensure single-writer semantics by having replicas compete to acquire a lock on a
+shared `Lease` object.
+
+## Server-Side Apply
+
+`client-go` provides a distinct architectural pattern for object mutation that aligns with the
+server's declarative model. This is a separate workflow from the traditional `get-modify-update`
+model that allows multiple controllers to safely co-manage the same object. The
+**`applyconfigurations`** package provides the generated, type-safe builder API used to
+construct the declarative patch.
+
+## Versioning and Compatibility
+
+`client-go` has a strict versioning relationship with the main Kubernetes repository. A `client-go`
+version `v0.X.Y` corresponds to the Kubernetes version `v1.X.Y`.
+
+The Kubernetes API has strong backward compatibility guarantees: a client built with an older
+version of `client-go` will work with a newer API server. However, the reverse is not guaranteed.
+A contributor must not break compatibility with supported versions of the Kubernetes API server.

OWNERS

@@ -9,6 +9,7 @@ approvers:
   - sttts
   - yliaog
   - jpbetz
+  - enj
 reviewers:
   - aojea
   - apelisse
@@ -21,6 +22,8 @@ reviewers:
   - sttts
   - yliaog
   - jpbetz
+  - jefftree
+  - enj
 labels:
   - sig/api-machinery
 emeritus_approvers:

README.md

@@ -1,3 +1,8 @@
+> ⚠️ **This is an automatically published [staged repository](https://git.k8s.io/kubernetes/staging#external-repository-staging-area) for Kubernetes**.   
+> Contributions, including issues and pull requests, should be made to the main Kubernetes repository: [https://github.com/kubernetes/kubernetes](https://github.com/kubernetes/kubernetes).  
+> This repository is read-only for importing, and not used for direct contributions.  
+> See [CONTRIBUTING.md](./CONTRIBUTING.md) for more details.
+
 # client-go
 
 Go clients for talking to a [kubernetes](http://kubernetes.io/) cluster.
@@ -75,14 +80,14 @@ We will backport bugfixes--but not new features--into older versions of
 
 #### Compatibility matrix
 
-|                               | Kubernetes 1.27 | Kubernetes 1.28 | Kubernetes 1.29 | Kubernetes 1.30 | Kubernetes 1.31 | Kubernetes 1.32 |
+|                               | Kubernetes 1.29 | Kubernetes 1.30 | Kubernetes 1.31 | Kubernetes 1.32 | Kubernetes 1.33 | Kubernetes 1.34 |
 | ----------------------------- | --------------- | --------------- | --------------- | --------------- | --------------- | --------------- |
-| `kubernetes-1.27.0`/`v0.27.0` | ✓               | +-              | +-              | +-              | +-              | +-              |
-| `kubernetes-1.28.0`/`v0.28.0` | +-              | ✓               | +-              | +-              | +-              | +-              |
-| `kubernetes-1.29.0`/`v0.29.0` | +-              | +-              | ✓               | +-              | +-              | +-              |
-| `kubernetes-1.30.0`/`v0.30.0` | +-              | +-              | +-              | ✓               | +-              | +-              |
-| `kubernetes-1.31.0`/`v0.31.0` | +-              | +-              | +-              | +-              | ✓               | +-              |
-| `kubernetes-1.32.0`/`v0.32.0` | +-              | +-              | +-              | +-              | +-              | ✓               |
+| `kubernetes-1.29.0`/`v0.29.0` | ✓               | +-              | +-              | +-              | +-              | +-              |
+| `kubernetes-1.30.0`/`v0.30.0` | +-              | ✓               | +-              | +-              | +-              | +-              |
+| `kubernetes-1.31.0`/`v0.31.0` | +-              | +-              | ✓               | +-              | +-              | +-              |
+| `kubernetes-1.32.0`/`v0.32.0` | +-              | +-              | +-              | ✓               | +-              | +-              |
+| `kubernetes-1.33.0`/`v0.33.0` | +-              | +-              | +-              | +-              | ✓               | +-              |
+| `kubernetes-1.34.0`/`v0.34.0` | +-              | +-              | +-              | +-              | +-              | ✓               |
 | `HEAD`                        | +-              | +-              | +-              | +-              | +-              | +-              |
 
 Key:
@@ -104,16 +109,16 @@ between client-go versions.
 
 | Branch         | Canonical source code location      | Maintenance status |
 | -------------- | ----------------------------------- | ------------------ |
-| `release-1.23` | Kubernetes main repo, 1.23 branch   | =-                 |
-| `release-1.24` | Kubernetes main repo, 1.24 branch   | =-                 |
 | `release-1.25` | Kubernetes main repo, 1.25 branch   | =-                 |
 | `release-1.26` | Kubernetes main repo, 1.26 branch   | =-                 |
 | `release-1.27` | Kubernetes main repo, 1.27 branch   | =-                 |
 | `release-1.28` | Kubernetes main repo, 1.28 branch   | =-                 |
-| `release-1.29` | Kubernetes main repo, 1.29 branch   | ✓                  |
-| `release-1.30` | Kubernetes main repo, 1.30 branch   | ✓                  |
-| `release-1.31` | Kubernetes main repo, 1.31 branch   | ✓                  |
+| `release-1.29` | Kubernetes main repo, 1.29 branch   | =-                 |
+| `release-1.30` | Kubernetes main repo, 1.30 branch   | =-                 |
+| `release-1.31` | Kubernetes main repo, 1.31 branch   | =                  |
 | `release-1.32` | Kubernetes main repo, 1.32 branch   | ✓                  |
+| `release-1.33` | Kubernetes main repo, 1.33 branch   | ✓                  |
+| `release-1.34` | Kubernetes main repo, 1.34 branch   | ✓                  |
 | client-go HEAD | Kubernetes main repo, master branch | ✓                  |
 
 Key:

applyconfigurations/admissionregistration/v1/applyconfiguration.go

@@ -0,0 +1,81 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1
+
+// ApplyConfigurationApplyConfiguration represents a declarative configuration of the ApplyConfiguration type for use
+// with apply.
+//
+// ApplyConfiguration defines the desired configuration values of an object.
+type ApplyConfigurationApplyConfiguration struct {
+	// expression will be evaluated by CEL to create an apply configuration.
+	// ref: https://github.com/google/cel-spec
+	//
+	// Apply configurations are declared in CEL using object initialization. For example, this CEL expression
+	// returns an apply configuration to set a single field:
+	//
+	// Object{
+	// spec: Object.spec{
+	// serviceAccountName: "example"
+	// }
+	// }
+	//
+	// Apply configurations may not modify atomic structs, maps or arrays due to the risk of accidental deletion of
+	// values not included in the apply configuration.
+	//
+	// CEL expressions have access to the object types needed to create apply configurations:
+	//
+	// - 'Object' - CEL type of the resource object.
+	// - 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec')
+	// - 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')
+	//
+	// CEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:
+	//
+	// - 'object' - The object from the incoming request. The value is null for DELETE requests.
+	// - 'oldObject' - The existing object. The value is null for CREATE requests.
+	// - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
+	// - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.
+	// - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.
+	// - 'variables' - Map of composited variables, from its name to its lazily evaluated value.
+	// For example, a variable named 'foo' can be accessed as 'variables.foo'.
+	// - 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
+	// See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
+	// - 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
+	// request resource.
+	//
+	// The `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the
+	// object. No other metadata properties are accessible.
+	//
+	// Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.
+	// Required.
+	Expression *string `json:"expression,omitempty"`
+}
+
+// ApplyConfigurationApplyConfiguration constructs a declarative configuration of the ApplyConfiguration type for use with
+// apply.
+func ApplyConfiguration() *ApplyConfigurationApplyConfiguration {
+	return &ApplyConfigurationApplyConfiguration{}
+}
+
+// WithExpression sets the Expression field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Expression field is set to the value of the last call.
+func (b *ApplyConfigurationApplyConfiguration) WithExpression(value string) *ApplyConfigurationApplyConfiguration {
+	b.Expression = &value
+	return b
+}

applyconfigurations/admissionregistration/v1/auditannotation.go

@@ -20,8 +20,40 @@ package v1
 
 // AuditAnnotationApplyConfiguration represents a declarative configuration of the AuditAnnotation type for use
 // with apply.
+//
+// AuditAnnotation describes how to produce an audit annotation for an API request.
 type AuditAnnotationApplyConfiguration struct {
-	Key             *string `json:"key,omitempty"`
+	// key specifies the audit annotation key. The audit annotation keys of
+	// a ValidatingAdmissionPolicy must be unique. The key must be a qualified
+	// name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.
+	//
+	// The key is combined with the resource name of the
+	// ValidatingAdmissionPolicy to construct an audit annotation key:
+	// "{ValidatingAdmissionPolicy name}/{key}".
+	//
+	// If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy
+	// and the same audit annotation key, the annotation key will be identical.
+	// In this case, the first annotation written with the key will be included
+	// in the audit event and all subsequent annotations with the same key
+	// will be discarded.
+	//
+	// Required.
+	Key *string `json:"key,omitempty"`
+	// valueExpression represents the expression which is evaluated by CEL to
+	// produce an audit annotation value. The expression must evaluate to either
+	// a string or null value. If the expression evaluates to a string, the
+	// audit annotation is included with the string value. If the expression
+	// evaluates to null or empty string the audit annotation will be omitted.
+	// The valueExpression may be no longer than 5kb in length.
+	// If the result of the valueExpression is more than 10kb in length, it
+	// will be truncated to 10kb.
+	//
+	// If multiple ValidatingAdmissionPolicyBinding resources match an
+	// API request, then the valueExpression will be evaluated for
+	// each binding. All unique values produced by the valueExpressions
+	// will be joined together in a comma-separated list.
+	//
+	// Required.
 	ValueExpression *string `json:"valueExpression,omitempty"`
 }
 

applyconfigurations/admissionregistration/v1/expressionwarning.go

@@ -20,9 +20,17 @@ package v1
 
 // ExpressionWarningApplyConfiguration represents a declarative configuration of the ExpressionWarning type for use
 // with apply.
+//
+// ExpressionWarning is a warning information that targets a specific expression.
 type ExpressionWarningApplyConfiguration struct {
+	// fieldRef is the path to the field that refers to the expression.
+	// For example, the reference to the expression of the first item of
+	// validations is "spec.validations[0].expression"
 	FieldRef *string `json:"fieldRef,omitempty"`
-	Warning  *string `json:"warning,omitempty"`
+	// warning contains the content of type checking information in a human-readable form.
+	// Each line of the warning contains the type that the expression is checked
+	// against, followed by the type check error from the compiler.
+	Warning *string `json:"warning,omitempty"`
 }
 
 // ExpressionWarningApplyConfiguration constructs a declarative configuration of the ExpressionWarning type for use with

applyconfigurations/admissionregistration/v1/jsonpatch.go

@@ -0,0 +1,105 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1
+
+// JSONPatchApplyConfiguration represents a declarative configuration of the JSONPatch type for use
+// with apply.
+//
+// JSONPatch defines a JSON Patch.
+type JSONPatchApplyConfiguration struct {
+	// expression will be evaluated by CEL to create a [JSON patch](https://jsonpatch.com/).
+	// ref: https://github.com/google/cel-spec
+	//
+	// expression must return an array of JSONPatch values.
+	//
+	// For example, this CEL expression returns a JSON patch to conditionally modify a value:
+	//
+	// [
+	// JSONPatch{op: "test", path: "/spec/example", value: "Red"},
+	// JSONPatch{op: "replace", path: "/spec/example", value: "Green"}
+	// ]
+	//
+	// To define an object for the patch value, use Object types. For example:
+	//
+	// [
+	// JSONPatch{
+	// op: "add",
+	// path: "/spec/selector",
+	// value: Object.spec.selector{matchLabels: {"environment": "test"}}
+	// }
+	// ]
+	//
+	// To use strings containing '/' and '~' as JSONPatch path keys, use "jsonpatch.escapeKey". For example:
+	//
+	// [
+	// JSONPatch{
+	// op: "add",
+	// path: "/metadata/labels/" + jsonpatch.escapeKey("example.com/environment"),
+	// value: "test"
+	// },
+	// ]
+	//
+	// CEL expressions have access to the types needed to create JSON patches and objects:
+	//
+	// - 'JSONPatch' - CEL type of JSON Patch operations. JSONPatch has the fields 'op', 'from', 'path' and 'value'.
+	// See [JSON patch](https://jsonpatch.com/) for more details. The 'value' field may be set to any of: string,
+	// integer, array, map or object.  If set, the 'path' and 'from' fields must be set to a
+	// [JSON pointer](https://datatracker.ietf.org/doc/html/rfc6901/) string, where the 'jsonpatch.escapeKey()' CEL
+	// function may be used to escape path keys containing '/' and '~'.
+	// - 'Object' - CEL type of the resource object.
+	// - 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec')
+	// - 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')
+	//
+	// CEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:
+	//
+	// - 'object' - The object from the incoming request. The value is null for DELETE requests.
+	// - 'oldObject' - The existing object. The value is null for CREATE requests.
+	// - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
+	// - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.
+	// - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.
+	// - 'variables' - Map of composited variables, from its name to its lazily evaluated value.
+	// For example, a variable named 'foo' can be accessed as 'variables.foo'.
+	// - 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
+	// See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
+	// - 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
+	// request resource.
+	//
+	// CEL expressions have access to [Kubernetes CEL function libraries](https://kubernetes.io/docs/reference/using-api/cel/#cel-options-language-features-and-libraries)
+	// as well as:
+	//
+	// - 'jsonpatch.escapeKey' - Performs JSONPatch key escaping. '~' and  '/' are escaped as '~0' and `~1' respectively).
+	//
+	// Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.
+	// Required.
+	Expression *string `json:"expression,omitempty"`
+}
+
+// JSONPatchApplyConfiguration constructs a declarative configuration of the JSONPatch type for use with
+// apply.
+func JSONPatch() *JSONPatchApplyConfiguration {
+	return &JSONPatchApplyConfiguration{}
+}
+
+// WithExpression sets the Expression field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Expression field is set to the value of the last call.
+func (b *JSONPatchApplyConfiguration) WithExpression(value string) *JSONPatchApplyConfiguration {
+	b.Expression = &value
+	return b
+}

applyconfigurations/admissionregistration/v1/matchcondition.go

@@ -20,8 +20,32 @@ package v1
 
 // MatchConditionApplyConfiguration represents a declarative configuration of the MatchCondition type for use
 // with apply.
+//
+// MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook.
 type MatchConditionApplyConfiguration struct {
-	Name       *string `json:"name,omitempty"`
+	// name is an identifier for this match condition, used for strategic merging of MatchConditions,
+	// as well as providing an identifier for logging purposes. A good name should be descriptive of
+	// the associated expression.
+	// Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
+	// must start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or
+	// '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
+	// optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
+	//
+	// Required.
+	Name *string `json:"name,omitempty"`
+	// expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
+	// CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
+	//
+	// 'object' - The object from the incoming request. The value is null for DELETE requests.
+	// 'oldObject' - The existing object. The value is null for CREATE requests.
+	// 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
+	// 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
+	// See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
+	// 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
+	// request resource.
+	// Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
+	//
+	// Required.
 	Expression *string `json:"expression,omitempty"`
 }
 

applyconfigurations/admissionregistration/v1/matchresources.go

@@ -25,12 +25,88 @@ import (
 
 // MatchResourcesApplyConfiguration represents a declarative configuration of the MatchResources type for use
 // with apply.
+//
+// MatchResources decides whether to run the admission control policy on an object based
+// on whether it meets the match criteria.
+// The exclude rules take precedence over include rules (if a resource matches both, it is excluded)
 type MatchResourcesApplyConfiguration struct {
-	NamespaceSelector    *metav1.LabelSelectorApplyConfiguration     `json:"namespaceSelector,omitempty"`
-	ObjectSelector       *metav1.LabelSelectorApplyConfiguration     `json:"objectSelector,omitempty"`
-	ResourceRules        []NamedRuleWithOperationsApplyConfiguration `json:"resourceRules,omitempty"`
+	// namespaceSelector decides whether to run the admission control policy on an object based
+	// on whether the namespace for that object matches the selector. If the
+	// object itself is a namespace, the matching is performed on
+	// object.metadata.labels. If the object is another cluster scoped resource,
+	// it never skips the policy.
+	//
+	// For example, to run the webhook on any objects whose namespace is not
+	// associated with "runlevel" of "0" or "1";  you will set the selector as
+	// follows:
+	// "namespaceSelector": {
+	// "matchExpressions": [
+	// {
+	// "key": "runlevel",
+	// "operator": "NotIn",
+	// "values": [
+	// "0",
+	// "1"
+	// ]
+	// }
+	// ]
+	// }
+	//
+	// If instead you want to only run the policy on any objects whose
+	// namespace is associated with the "environment" of "prod" or "staging";
+	// you will set the selector as follows:
+	// "namespaceSelector": {
+	// "matchExpressions": [
+	// {
+	// "key": "environment",
+	// "operator": "In",
+	// "values": [
+	// "prod",
+	// "staging"
+	// ]
+	// }
+	// ]
+	// }
+	//
+	// See
+	// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+	// for more examples of label selectors.
+	//
+	// Default to the empty LabelSelector, which matches everything.
+	NamespaceSelector *metav1.LabelSelectorApplyConfiguration `json:"namespaceSelector,omitempty"`
+	// objectSelector decides whether to run the validation based on if the
+	// object has matching labels. objectSelector is evaluated against both
+	// the oldObject and newObject that would be sent to the cel validation, and
+	// is considered to match if either object matches the selector. A null
+	// object (oldObject in the case of create, or newObject in the case of
+	// delete) or an object that cannot have labels (like a
+	// DeploymentRollback or a PodProxyOptions object) is not considered to
+	// match.
+	// Use the object selector only if the webhook is opt-in, because end
+	// users may skip the admission webhook by setting the labels.
+	// Default to the empty LabelSelector, which matches everything.
+	ObjectSelector *metav1.LabelSelectorApplyConfiguration `json:"objectSelector,omitempty"`
+	// resourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches.
+	// The policy cares about an operation if it matches _any_ Rule.
+	ResourceRules []NamedRuleWithOperationsApplyConfiguration `json:"resourceRules,omitempty"`
+	// excludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about.
+	// The exclude rules take precedence over include rules (if a resource matches both, it is excluded)
 	ExcludeResourceRules []NamedRuleWithOperationsApplyConfiguration `json:"excludeResourceRules,omitempty"`
-	MatchPolicy          *admissionregistrationv1.MatchPolicyType    `json:"matchPolicy,omitempty"`
+	// matchPolicy defines how the "MatchResources" list is used to match incoming requests.
+	// Allowed values are "Exact" or "Equivalent".
+	//
+	// - Exact: match a request only if it exactly matches a specified rule.
+	// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
+	// but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
+	// a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.
+	//
+	// - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.
+	// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
+	// and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
+	// a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.
+	//
+	// Defaults to "Equivalent"
+	MatchPolicy *admissionregistrationv1.MatchPolicyType `json:"matchPolicy,omitempty"`
 }
 
 // MatchResourcesApplyConfiguration constructs a declarative configuration of the MatchResources type for use with

applyconfigurations/admissionregistration/v1/mutatingadmissionpolicy.go

@@ -0,0 +1,274 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1
+
+import (
+	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
+	apismetav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	managedfields "k8s.io/apimachinery/pkg/util/managedfields"
+	internal "k8s.io/client-go/applyconfigurations/internal"
+	metav1 "k8s.io/client-go/applyconfigurations/meta/v1"
+)
+
+// MutatingAdmissionPolicyApplyConfiguration represents a declarative configuration of the MutatingAdmissionPolicy type for use
+// with apply.
+//
+// MutatingAdmissionPolicy describes the definition of an admission mutation policy that mutates the object coming into admission chain.
+type MutatingAdmissionPolicyApplyConfiguration struct {
+	metav1.TypeMetaApplyConfiguration `json:""`
+	// metadata is the standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
+	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
+	// spec defines the desired behavior of the MutatingAdmissionPolicy.
+	Spec *MutatingAdmissionPolicySpecApplyConfiguration `json:"spec,omitempty"`
+}
+
+// MutatingAdmissionPolicy constructs a declarative configuration of the MutatingAdmissionPolicy type for use with
+// apply.
+func MutatingAdmissionPolicy(name string) *MutatingAdmissionPolicyApplyConfiguration {
+	b := &MutatingAdmissionPolicyApplyConfiguration{}
+	b.WithName(name)
+	b.WithKind("MutatingAdmissionPolicy")
+	b.WithAPIVersion("admissionregistration.k8s.io/v1")
+	return b
+}
+
+// ExtractMutatingAdmissionPolicyFrom extracts the applied configuration owned by fieldManager from
+// mutatingAdmissionPolicy for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// mutatingAdmissionPolicy must be a unmodified MutatingAdmissionPolicy API object that was retrieved from the Kubernetes API.
+// ExtractMutatingAdmissionPolicyFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractMutatingAdmissionPolicyFrom(mutatingAdmissionPolicy *admissionregistrationv1.MutatingAdmissionPolicy, fieldManager string, subresource string) (*MutatingAdmissionPolicyApplyConfiguration, error) {
+	b := &MutatingAdmissionPolicyApplyConfiguration{}
+	err := managedfields.ExtractInto(mutatingAdmissionPolicy, internal.Parser().Type("io.k8s.api.admissionregistration.v1.MutatingAdmissionPolicy"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(mutatingAdmissionPolicy.Name)
+
+	b.WithKind("MutatingAdmissionPolicy")
+	b.WithAPIVersion("admissionregistration.k8s.io/v1")
+	return b, nil
+}
+
+// ExtractMutatingAdmissionPolicy extracts the applied configuration owned by fieldManager from
+// mutatingAdmissionPolicy. If no managedFields are found in mutatingAdmissionPolicy for fieldManager, a
+// MutatingAdmissionPolicyApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// mutatingAdmissionPolicy must be a unmodified MutatingAdmissionPolicy API object that was retrieved from the Kubernetes API.
+// ExtractMutatingAdmissionPolicy provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractMutatingAdmissionPolicy(mutatingAdmissionPolicy *admissionregistrationv1.MutatingAdmissionPolicy, fieldManager string) (*MutatingAdmissionPolicyApplyConfiguration, error) {
+	return ExtractMutatingAdmissionPolicyFrom(mutatingAdmissionPolicy, fieldManager, "")
+}
+
+func (b MutatingAdmissionPolicyApplyConfiguration) IsApplyConfiguration() {}
+
+// WithKind sets the Kind field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Kind field is set to the value of the last call.
+func (b *MutatingAdmissionPolicyApplyConfiguration) WithKind(value string) *MutatingAdmissionPolicyApplyConfiguration {
+	b.TypeMetaApplyConfiguration.Kind = &value
+	return b
+}
+
+// WithAPIVersion sets the APIVersion field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the APIVersion field is set to the value of the last call.
+func (b *MutatingAdmissionPolicyApplyConfiguration) WithAPIVersion(value string) *MutatingAdmissionPolicyApplyConfiguration {
+	b.TypeMetaApplyConfiguration.APIVersion = &value
+	return b
+}
+
+// WithName sets the Name field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Name field is set to the value of the last call.
+func (b *MutatingAdmissionPolicyApplyConfiguration) WithName(value string) *MutatingAdmissionPolicyApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.Name = &value
+	return b
+}
+
+// WithGenerateName sets the GenerateName field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the GenerateName field is set to the value of the last call.
+func (b *MutatingAdmissionPolicyApplyConfiguration) WithGenerateName(value string) *MutatingAdmissionPolicyApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.GenerateName = &value
+	return b
+}
+
+// WithNamespace sets the Namespace field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Namespace field is set to the value of the last call.
+func (b *MutatingAdmissionPolicyApplyConfiguration) WithNamespace(value string) *MutatingAdmissionPolicyApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.Namespace = &value
+	return b
+}
+
+// WithUID sets the UID field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the UID field is set to the value of the last call.
+func (b *MutatingAdmissionPolicyApplyConfiguration) WithUID(value types.UID) *MutatingAdmissionPolicyApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.UID = &value
+	return b
+}
+
+// WithResourceVersion sets the ResourceVersion field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the ResourceVersion field is set to the value of the last call.
+func (b *MutatingAdmissionPolicyApplyConfiguration) WithResourceVersion(value string) *MutatingAdmissionPolicyApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.ResourceVersion = &value
+	return b
+}
+
+// WithGeneration sets the Generation field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Generation field is set to the value of the last call.
+func (b *MutatingAdmissionPolicyApplyConfiguration) WithGeneration(value int64) *MutatingAdmissionPolicyApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.Generation = &value
+	return b
+}
+
+// WithCreationTimestamp sets the CreationTimestamp field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the CreationTimestamp field is set to the value of the last call.
+func (b *MutatingAdmissionPolicyApplyConfiguration) WithCreationTimestamp(value apismetav1.Time) *MutatingAdmissionPolicyApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.CreationTimestamp = &value
+	return b
+}
+
+// WithDeletionTimestamp sets the DeletionTimestamp field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the DeletionTimestamp field is set to the value of the last call.
+func (b *MutatingAdmissionPolicyApplyConfiguration) WithDeletionTimestamp(value apismetav1.Time) *MutatingAdmissionPolicyApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.DeletionTimestamp = &value
+	return b
+}
+
+// WithDeletionGracePeriodSeconds sets the DeletionGracePeriodSeconds field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the DeletionGracePeriodSeconds field is set to the value of the last call.
+func (b *MutatingAdmissionPolicyApplyConfiguration) WithDeletionGracePeriodSeconds(value int64) *MutatingAdmissionPolicyApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.DeletionGracePeriodSeconds = &value
+	return b
+}
+
+// WithLabels puts the entries into the Labels field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, the entries provided by each call will be put on the Labels field,
+// overwriting an existing map entries in Labels field with the same key.
+func (b *MutatingAdmissionPolicyApplyConfiguration) WithLabels(entries map[string]string) *MutatingAdmissionPolicyApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	if b.ObjectMetaApplyConfiguration.Labels == nil && len(entries) > 0 {
+		b.ObjectMetaApplyConfiguration.Labels = make(map[string]string, len(entries))
+	}
+	for k, v := range entries {
+		b.ObjectMetaApplyConfiguration.Labels[k] = v
+	}
+	return b
+}
+
+// WithAnnotations puts the entries into the Annotations field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, the entries provided by each call will be put on the Annotations field,
+// overwriting an existing map entries in Annotations field with the same key.
+func (b *MutatingAdmissionPolicyApplyConfiguration) WithAnnotations(entries map[string]string) *MutatingAdmissionPolicyApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	if b.ObjectMetaApplyConfiguration.Annotations == nil && len(entries) > 0 {
+		b.ObjectMetaApplyConfiguration.Annotations = make(map[string]string, len(entries))
+	}
+	for k, v := range entries {
+		b.ObjectMetaApplyConfiguration.Annotations[k] = v
+	}
+	return b
+}
+
+// WithOwnerReferences adds the given value to the OwnerReferences field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the OwnerReferences field.
+func (b *MutatingAdmissionPolicyApplyConfiguration) WithOwnerReferences(values ...*metav1.OwnerReferenceApplyConfiguration) *MutatingAdmissionPolicyApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	for i := range values {
+		if values[i] == nil {
+			panic("nil value passed to WithOwnerReferences")
+		}
+		b.ObjectMetaApplyConfiguration.OwnerReferences = append(b.ObjectMetaApplyConfiguration.OwnerReferences, *values[i])
+	}
+	return b
+}
+
+// WithFinalizers adds the given value to the Finalizers field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the Finalizers field.
+func (b *MutatingAdmissionPolicyApplyConfiguration) WithFinalizers(values ...string) *MutatingAdmissionPolicyApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	for i := range values {
+		b.ObjectMetaApplyConfiguration.Finalizers = append(b.ObjectMetaApplyConfiguration.Finalizers, values[i])
+	}
+	return b
+}
+
+func (b *MutatingAdmissionPolicyApplyConfiguration) ensureObjectMetaApplyConfigurationExists() {
+	if b.ObjectMetaApplyConfiguration == nil {
+		b.ObjectMetaApplyConfiguration = &metav1.ObjectMetaApplyConfiguration{}
+	}
+}
+
+// WithSpec sets the Spec field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Spec field is set to the value of the last call.
+func (b *MutatingAdmissionPolicyApplyConfiguration) WithSpec(value *MutatingAdmissionPolicySpecApplyConfiguration) *MutatingAdmissionPolicyApplyConfiguration {
+	b.Spec = value
+	return b
+}
+
+// GetKind retrieves the value of the Kind field in the declarative configuration.
+func (b *MutatingAdmissionPolicyApplyConfiguration) GetKind() *string {
+	return b.TypeMetaApplyConfiguration.Kind
+}
+
+// GetAPIVersion retrieves the value of the APIVersion field in the declarative configuration.
+func (b *MutatingAdmissionPolicyApplyConfiguration) GetAPIVersion() *string {
+	return b.TypeMetaApplyConfiguration.APIVersion
+}
+
+// GetName retrieves the value of the Name field in the declarative configuration.
+func (b *MutatingAdmissionPolicyApplyConfiguration) GetName() *string {
+	b.ensureObjectMetaApplyConfigurationExists()
+	return b.ObjectMetaApplyConfiguration.Name
+}
+
+// GetNamespace retrieves the value of the Namespace field in the declarative configuration.
+func (b *MutatingAdmissionPolicyApplyConfiguration) GetNamespace() *string {
+	b.ensureObjectMetaApplyConfigurationExists()
+	return b.ObjectMetaApplyConfiguration.Namespace
+}

applyconfigurations/admissionregistration/v1/mutatingadmissionpolicybinding.go

@@ -0,0 +1,284 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1
+
+import (
+	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
+	apismetav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	managedfields "k8s.io/apimachinery/pkg/util/managedfields"
+	internal "k8s.io/client-go/applyconfigurations/internal"
+	metav1 "k8s.io/client-go/applyconfigurations/meta/v1"
+)
+
+// MutatingAdmissionPolicyBindingApplyConfiguration represents a declarative configuration of the MutatingAdmissionPolicyBinding type for use
+// with apply.
+//
+// MutatingAdmissionPolicyBinding binds the MutatingAdmissionPolicy with parametrized resources.
+// MutatingAdmissionPolicyBinding and the optional parameter resource together define how cluster administrators
+// configure policies for clusters.
+//
+// For a given admission request, each binding will cause its policy to be
+// evaluated N times, where N is 1 for policies/bindings that don't use
+// params, otherwise N is the number of parameters selected by the binding.
+// Each evaluation is constrained by a [runtime cost budget](https://kubernetes.io/docs/reference/using-api/cel/#runtime-cost-budget).
+//
+// Adding/removing policies, bindings, or params can not affect whether a
+// given (policy, binding, param) combination is within its own CEL budget.
+type MutatingAdmissionPolicyBindingApplyConfiguration struct {
+	metav1.TypeMetaApplyConfiguration `json:""`
+	// metadata is the standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
+	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
+	// spec defines the desired behavior of the MutatingAdmissionPolicyBinding.
+	Spec *MutatingAdmissionPolicyBindingSpecApplyConfiguration `json:"spec,omitempty"`
+}
+
+// MutatingAdmissionPolicyBinding constructs a declarative configuration of the MutatingAdmissionPolicyBinding type for use with
+// apply.
+func MutatingAdmissionPolicyBinding(name string) *MutatingAdmissionPolicyBindingApplyConfiguration {
+	b := &MutatingAdmissionPolicyBindingApplyConfiguration{}
+	b.WithName(name)
+	b.WithKind("MutatingAdmissionPolicyBinding")
+	b.WithAPIVersion("admissionregistration.k8s.io/v1")
+	return b
+}
+
+// ExtractMutatingAdmissionPolicyBindingFrom extracts the applied configuration owned by fieldManager from
+// mutatingAdmissionPolicyBinding for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// mutatingAdmissionPolicyBinding must be a unmodified MutatingAdmissionPolicyBinding API object that was retrieved from the Kubernetes API.
+// ExtractMutatingAdmissionPolicyBindingFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractMutatingAdmissionPolicyBindingFrom(mutatingAdmissionPolicyBinding *admissionregistrationv1.MutatingAdmissionPolicyBinding, fieldManager string, subresource string) (*MutatingAdmissionPolicyBindingApplyConfiguration, error) {
+	b := &MutatingAdmissionPolicyBindingApplyConfiguration{}
+	err := managedfields.ExtractInto(mutatingAdmissionPolicyBinding, internal.Parser().Type("io.k8s.api.admissionregistration.v1.MutatingAdmissionPolicyBinding"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(mutatingAdmissionPolicyBinding.Name)
+
+	b.WithKind("MutatingAdmissionPolicyBinding")
+	b.WithAPIVersion("admissionregistration.k8s.io/v1")
+	return b, nil
+}
+
+// ExtractMutatingAdmissionPolicyBinding extracts the applied configuration owned by fieldManager from
+// mutatingAdmissionPolicyBinding. If no managedFields are found in mutatingAdmissionPolicyBinding for fieldManager, a
+// MutatingAdmissionPolicyBindingApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// mutatingAdmissionPolicyBinding must be a unmodified MutatingAdmissionPolicyBinding API object that was retrieved from the Kubernetes API.
+// ExtractMutatingAdmissionPolicyBinding provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractMutatingAdmissionPolicyBinding(mutatingAdmissionPolicyBinding *admissionregistrationv1.MutatingAdmissionPolicyBinding, fieldManager string) (*MutatingAdmissionPolicyBindingApplyConfiguration, error) {
+	return ExtractMutatingAdmissionPolicyBindingFrom(mutatingAdmissionPolicyBinding, fieldManager, "")
+}
+
+func (b MutatingAdmissionPolicyBindingApplyConfiguration) IsApplyConfiguration() {}
+
+// WithKind sets the Kind field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Kind field is set to the value of the last call.
+func (b *MutatingAdmissionPolicyBindingApplyConfiguration) WithKind(value string) *MutatingAdmissionPolicyBindingApplyConfiguration {
+	b.TypeMetaApplyConfiguration.Kind = &value
+	return b
+}
+
+// WithAPIVersion sets the APIVersion field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the APIVersion field is set to the value of the last call.
+func (b *MutatingAdmissionPolicyBindingApplyConfiguration) WithAPIVersion(value string) *MutatingAdmissionPolicyBindingApplyConfiguration {
+	b.TypeMetaApplyConfiguration.APIVersion = &value
+	return b
+}
+
+// WithName sets the Name field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Name field is set to the value of the last call.
+func (b *MutatingAdmissionPolicyBindingApplyConfiguration) WithName(value string) *MutatingAdmissionPolicyBindingApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.Name = &value
+	return b
+}
+
+// WithGenerateName sets the GenerateName field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the GenerateName field is set to the value of the last call.
+func (b *MutatingAdmissionPolicyBindingApplyConfiguration) WithGenerateName(value string) *MutatingAdmissionPolicyBindingApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.GenerateName = &value
+	return b
+}
+
+// WithNamespace sets the Namespace field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Namespace field is set to the value of the last call.
+func (b *MutatingAdmissionPolicyBindingApplyConfiguration) WithNamespace(value string) *MutatingAdmissionPolicyBindingApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.Namespace = &value
+	return b
+}
+
+// WithUID sets the UID field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the UID field is set to the value of the last call.
+func (b *MutatingAdmissionPolicyBindingApplyConfiguration) WithUID(value types.UID) *MutatingAdmissionPolicyBindingApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.UID = &value
+	return b
+}
+
+// WithResourceVersion sets the ResourceVersion field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the ResourceVersion field is set to the value of the last call.
+func (b *MutatingAdmissionPolicyBindingApplyConfiguration) WithResourceVersion(value string) *MutatingAdmissionPolicyBindingApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.ResourceVersion = &value
+	return b
+}
+
+// WithGeneration sets the Generation field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Generation field is set to the value of the last call.
+func (b *MutatingAdmissionPolicyBindingApplyConfiguration) WithGeneration(value int64) *MutatingAdmissionPolicyBindingApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.Generation = &value
+	return b
+}
+
+// WithCreationTimestamp sets the CreationTimestamp field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the CreationTimestamp field is set to the value of the last call.
+func (b *MutatingAdmissionPolicyBindingApplyConfiguration) WithCreationTimestamp(value apismetav1.Time) *MutatingAdmissionPolicyBindingApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.CreationTimestamp = &value
+	return b
+}
+
+// WithDeletionTimestamp sets the DeletionTimestamp field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the DeletionTimestamp field is set to the value of the last call.
+func (b *MutatingAdmissionPolicyBindingApplyConfiguration) WithDeletionTimestamp(value apismetav1.Time) *MutatingAdmissionPolicyBindingApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.DeletionTimestamp = &value
+	return b
+}
+
+// WithDeletionGracePeriodSeconds sets the DeletionGracePeriodSeconds field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the DeletionGracePeriodSeconds field is set to the value of the last call.
+func (b *MutatingAdmissionPolicyBindingApplyConfiguration) WithDeletionGracePeriodSeconds(value int64) *MutatingAdmissionPolicyBindingApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.DeletionGracePeriodSeconds = &value
+	return b
+}
+
+// WithLabels puts the entries into the Labels field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, the entries provided by each call will be put on the Labels field,
+// overwriting an existing map entries in Labels field with the same key.
+func (b *MutatingAdmissionPolicyBindingApplyConfiguration) WithLabels(entries map[string]string) *MutatingAdmissionPolicyBindingApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	if b.ObjectMetaApplyConfiguration.Labels == nil && len(entries) > 0 {
+		b.ObjectMetaApplyConfiguration.Labels = make(map[string]string, len(entries))
+	}
+	for k, v := range entries {
+		b.ObjectMetaApplyConfiguration.Labels[k] = v
+	}
+	return b
+}
+
+// WithAnnotations puts the entries into the Annotations field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, the entries provided by each call will be put on the Annotations field,
+// overwriting an existing map entries in Annotations field with the same key.
+func (b *MutatingAdmissionPolicyBindingApplyConfiguration) WithAnnotations(entries map[string]string) *MutatingAdmissionPolicyBindingApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	if b.ObjectMetaApplyConfiguration.Annotations == nil && len(entries) > 0 {
+		b.ObjectMetaApplyConfiguration.Annotations = make(map[string]string, len(entries))
+	}
+	for k, v := range entries {
+		b.ObjectMetaApplyConfiguration.Annotations[k] = v
+	}
+	return b
+}
+
+// WithOwnerReferences adds the given value to the OwnerReferences field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the OwnerReferences field.
+func (b *MutatingAdmissionPolicyBindingApplyConfiguration) WithOwnerReferences(values ...*metav1.OwnerReferenceApplyConfiguration) *MutatingAdmissionPolicyBindingApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	for i := range values {
+		if values[i] == nil {
+			panic("nil value passed to WithOwnerReferences")
+		}
+		b.ObjectMetaApplyConfiguration.OwnerReferences = append(b.ObjectMetaApplyConfiguration.OwnerReferences, *values[i])
+	}
+	return b
+}
+
+// WithFinalizers adds the given value to the Finalizers field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the Finalizers field.
+func (b *MutatingAdmissionPolicyBindingApplyConfiguration) WithFinalizers(values ...string) *MutatingAdmissionPolicyBindingApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	for i := range values {
+		b.ObjectMetaApplyConfiguration.Finalizers = append(b.ObjectMetaApplyConfiguration.Finalizers, values[i])
+	}
+	return b
+}
+
+func (b *MutatingAdmissionPolicyBindingApplyConfiguration) ensureObjectMetaApplyConfigurationExists() {
+	if b.ObjectMetaApplyConfiguration == nil {
+		b.ObjectMetaApplyConfiguration = &metav1.ObjectMetaApplyConfiguration{}
+	}
+}
+
+// WithSpec sets the Spec field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Spec field is set to the value of the last call.
+func (b *MutatingAdmissionPolicyBindingApplyConfiguration) WithSpec(value *MutatingAdmissionPolicyBindingSpecApplyConfiguration) *MutatingAdmissionPolicyBindingApplyConfiguration {
+	b.Spec = value
+	return b
+}
+
+// GetKind retrieves the value of the Kind field in the declarative configuration.
+func (b *MutatingAdmissionPolicyBindingApplyConfiguration) GetKind() *string {
+	return b.TypeMetaApplyConfiguration.Kind
+}
+
+// GetAPIVersion retrieves the value of the APIVersion field in the declarative configuration.
+func (b *MutatingAdmissionPolicyBindingApplyConfiguration) GetAPIVersion() *string {
+	return b.TypeMetaApplyConfiguration.APIVersion
+}
+
+// GetName retrieves the value of the Name field in the declarative configuration.
+func (b *MutatingAdmissionPolicyBindingApplyConfiguration) GetName() *string {
+	b.ensureObjectMetaApplyConfigurationExists()
+	return b.ObjectMetaApplyConfiguration.Name
+}
+
+// GetNamespace retrieves the value of the Namespace field in the declarative configuration.
+func (b *MutatingAdmissionPolicyBindingApplyConfiguration) GetNamespace() *string {
+	b.ensureObjectMetaApplyConfigurationExists()
+	return b.ObjectMetaApplyConfiguration.Namespace
+}

applyconfigurations/admissionregistration/v1/mutatingadmissionpolicybindingspec.go

@@ -0,0 +1,75 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1
+
+// MutatingAdmissionPolicyBindingSpecApplyConfiguration represents a declarative configuration of the MutatingAdmissionPolicyBindingSpec type for use
+// with apply.
+//
+// MutatingAdmissionPolicyBindingSpec defines the specification of the MutatingAdmissionPolicyBinding.
+type MutatingAdmissionPolicyBindingSpecApplyConfiguration struct {
+	// policyName references a MutatingAdmissionPolicy name which the MutatingAdmissionPolicyBinding binds to.
+	// If the referenced resource does not exist, this binding is considered invalid and will be ignored
+	// Required.
+	PolicyName *string `json:"policyName,omitempty"`
+	// paramRef specifies the parameter resource used to configure the admission control policy.
+	// It should point to a resource of the type specified in spec.ParamKind of the bound MutatingAdmissionPolicy.
+	// If the policy specifies a ParamKind and the resource referred to by ParamRef does not exist, this binding is considered mis-configured and the FailurePolicy of the MutatingAdmissionPolicy applied.
+	// If the policy does not specify a ParamKind then this field is ignored, and the rules are evaluated without a param.
+	ParamRef *ParamRefApplyConfiguration `json:"paramRef,omitempty"`
+	// matchResources limits what resources match this binding and may be mutated by it.
+	// Note that if matchResources matches a resource, the resource must also match a policy's matchConstraints and
+	// matchConditions before the resource may be mutated.
+	// When matchResources is unset, it does not constrain resource matching, and only the policy's matchConstraints
+	// and matchConditions must match for the resource to be mutated.
+	// Additionally, matchResources.resourceRules are optional and do not constraint matching when unset.
+	// Note that this is differs from MutatingAdmissionPolicy matchConstraints, where resourceRules are required.
+	// The CREATE, UPDATE and CONNECT operations are allowed.  The DELETE operation may not be matched.
+	// '*' matches CREATE, UPDATE and CONNECT.
+	MatchResources *MatchResourcesApplyConfiguration `json:"matchResources,omitempty"`
+}
+
+// MutatingAdmissionPolicyBindingSpecApplyConfiguration constructs a declarative configuration of the MutatingAdmissionPolicyBindingSpec type for use with
+// apply.
+func MutatingAdmissionPolicyBindingSpec() *MutatingAdmissionPolicyBindingSpecApplyConfiguration {
+	return &MutatingAdmissionPolicyBindingSpecApplyConfiguration{}
+}
+
+// WithPolicyName sets the PolicyName field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the PolicyName field is set to the value of the last call.
+func (b *MutatingAdmissionPolicyBindingSpecApplyConfiguration) WithPolicyName(value string) *MutatingAdmissionPolicyBindingSpecApplyConfiguration {
+	b.PolicyName = &value
+	return b
+}
+
+// WithParamRef sets the ParamRef field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the ParamRef field is set to the value of the last call.
+func (b *MutatingAdmissionPolicyBindingSpecApplyConfiguration) WithParamRef(value *ParamRefApplyConfiguration) *MutatingAdmissionPolicyBindingSpecApplyConfiguration {
+	b.ParamRef = value
+	return b
+}
+
+// WithMatchResources sets the MatchResources field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the MatchResources field is set to the value of the last call.
+func (b *MutatingAdmissionPolicyBindingSpecApplyConfiguration) WithMatchResources(value *MatchResourcesApplyConfiguration) *MutatingAdmissionPolicyBindingSpecApplyConfiguration {
+	b.MatchResources = value
+	return b
+}

applyconfigurations/admissionregistration/v1/mutatingadmissionpolicyspec.go

@@ -0,0 +1,172 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1
+
+import (
+	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
+)
+
+// MutatingAdmissionPolicySpecApplyConfiguration represents a declarative configuration of the MutatingAdmissionPolicySpec type for use
+// with apply.
+//
+// MutatingAdmissionPolicySpec defines the desired behavior of the admission policy.
+type MutatingAdmissionPolicySpecApplyConfiguration struct {
+	// paramKind specifies the kind of resources used to parameterize this policy.
+	// If absent, there are no parameters for this policy and the param CEL variable will not be provided to validation expressions.
+	// If paramKind refers to a non-existent kind, this policy definition is mis-configured and the FailurePolicy is applied.
+	// If paramKind is specified but paramRef is unset in MutatingAdmissionPolicyBinding, the params variable will be null.
+	ParamKind *ParamKindApplyConfiguration `json:"paramKind,omitempty"`
+	// matchConstraints specifies what resources this policy is designed to validate.
+	// The MutatingAdmissionPolicy cares about a request if it matches _all_ Constraints.
+	// However, in order to prevent clusters from being put into an unstable state that cannot be recovered from via the API
+	// MutatingAdmissionPolicy cannot match MutatingAdmissionPolicy and MutatingAdmissionPolicyBinding.
+	// The CREATE, UPDATE and CONNECT operations are allowed.  The DELETE operation may not be matched.
+	// '*' matches CREATE, UPDATE and CONNECT.
+	// Required.
+	MatchConstraints *MatchResourcesApplyConfiguration `json:"matchConstraints,omitempty"`
+	// variables contain definitions of variables that can be used in composition of other expressions.
+	// Each variable is defined as a named CEL expression.
+	// The variables defined here will be available under `variables` in other expressions of the policy
+	// except matchConditions because matchConditions are evaluated before the rest of the policy.
+	//
+	// The expression of a variable can refer to other variables defined earlier in the list but not those after.
+	// Thus, variables must be sorted by the order of first appearance and acyclic.
+	Variables []VariableApplyConfiguration `json:"variables,omitempty"`
+	// mutations contain operations to perform on matching objects.
+	// mutations may not be empty; a minimum of one mutation is required.
+	// mutations are evaluated in order, and are reinvoked according to
+	// the reinvocationPolicy.
+	// The mutations of a policy are invoked for each binding of this policy
+	// and reinvocation of mutations occurs on a per binding basis.
+	Mutations []MutationApplyConfiguration `json:"mutations,omitempty"`
+	// failurePolicy defines how to handle failures for the admission policy. Failures can
+	// occur from CEL expression parse errors, type check errors, runtime errors and invalid
+	// or mis-configured policy definitions or bindings.
+	//
+	// A policy is invalid if paramKind refers to a non-existent Kind.
+	// A binding is invalid if paramRef.name refers to a non-existent resource.
+	//
+	// failurePolicy does not define how validations that evaluate to false are handled.
+	//
+	// Allowed values are Ignore or Fail. Defaults to Fail.
+	FailurePolicy *admissionregistrationv1.FailurePolicyType `json:"failurePolicy,omitempty"`
+	// matchConditions is a list of conditions that must be met for a request to be validated.
+	// Match conditions filter requests that have already been matched by the matchConstraints.
+	// An empty list of matchConditions matches all requests.
+	// There are a maximum of 64 match conditions allowed.
+	//
+	// If a parameter object is provided, it can be accessed via the `params` handle in the same
+	// manner as validation expressions.
+	//
+	// The exact matching logic is (in order):
+	// 1. If ANY matchCondition evaluates to FALSE, the policy is skipped.
+	// 2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.
+	// 3. If any matchCondition evaluates to an error (but none are FALSE):
+	// - If failurePolicy=Fail, reject the request
+	// - If failurePolicy=Ignore, the policy is skipped
+	MatchConditions []MatchConditionApplyConfiguration `json:"matchConditions,omitempty"`
+	// reinvocationPolicy indicates whether mutations may be called multiple times per MutatingAdmissionPolicyBinding
+	// as part of a single admission evaluation.
+	// Allowed values are "Never" and "IfNeeded".
+	//
+	// Never: These mutations will not be called more than once per binding in a single admission evaluation.
+	//
+	// IfNeeded: These mutations may be invoked more than once per binding for a single admission request and there is no guarantee of
+	// order with respect to other admission plugins, admission webhooks, bindings of this policy and admission policies.  Mutations are only
+	// reinvoked when mutations change the object after this mutation is invoked.
+	// Required.
+	ReinvocationPolicy *admissionregistrationv1.ReinvocationPolicyType `json:"reinvocationPolicy,omitempty"`
+}
+
+// MutatingAdmissionPolicySpecApplyConfiguration constructs a declarative configuration of the MutatingAdmissionPolicySpec type for use with
+// apply.
+func MutatingAdmissionPolicySpec() *MutatingAdmissionPolicySpecApplyConfiguration {
+	return &MutatingAdmissionPolicySpecApplyConfiguration{}
+}
+
+// WithParamKind sets the ParamKind field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the ParamKind field is set to the value of the last call.
+func (b *MutatingAdmissionPolicySpecApplyConfiguration) WithParamKind(value *ParamKindApplyConfiguration) *MutatingAdmissionPolicySpecApplyConfiguration {
+	b.ParamKind = value
+	return b
+}
+
+// WithMatchConstraints sets the MatchConstraints field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the MatchConstraints field is set to the value of the last call.
+func (b *MutatingAdmissionPolicySpecApplyConfiguration) WithMatchConstraints(value *MatchResourcesApplyConfiguration) *MutatingAdmissionPolicySpecApplyConfiguration {
+	b.MatchConstraints = value
+	return b
+}
+
+// WithVariables adds the given value to the Variables field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the Variables field.
+func (b *MutatingAdmissionPolicySpecApplyConfiguration) WithVariables(values ...*VariableApplyConfiguration) *MutatingAdmissionPolicySpecApplyConfiguration {
+	for i := range values {
+		if values[i] == nil {
+			panic("nil value passed to WithVariables")
+		}
+		b.Variables = append(b.Variables, *values[i])
+	}
+	return b
+}
+
+// WithMutations adds the given value to the Mutations field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the Mutations field.
+func (b *MutatingAdmissionPolicySpecApplyConfiguration) WithMutations(values ...*MutationApplyConfiguration) *MutatingAdmissionPolicySpecApplyConfiguration {
+	for i := range values {
+		if values[i] == nil {
+			panic("nil value passed to WithMutations")
+		}
+		b.Mutations = append(b.Mutations, *values[i])
+	}
+	return b
+}
+
+// WithFailurePolicy sets the FailurePolicy field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the FailurePolicy field is set to the value of the last call.
+func (b *MutatingAdmissionPolicySpecApplyConfiguration) WithFailurePolicy(value admissionregistrationv1.FailurePolicyType) *MutatingAdmissionPolicySpecApplyConfiguration {
+	b.FailurePolicy = &value
+	return b
+}
+
+// WithMatchConditions adds the given value to the MatchConditions field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the MatchConditions field.
+func (b *MutatingAdmissionPolicySpecApplyConfiguration) WithMatchConditions(values ...*MatchConditionApplyConfiguration) *MutatingAdmissionPolicySpecApplyConfiguration {
+	for i := range values {
+		if values[i] == nil {
+			panic("nil value passed to WithMatchConditions")
+		}
+		b.MatchConditions = append(b.MatchConditions, *values[i])
+	}
+	return b
+}
+
+// WithReinvocationPolicy sets the ReinvocationPolicy field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the ReinvocationPolicy field is set to the value of the last call.
+func (b *MutatingAdmissionPolicySpecApplyConfiguration) WithReinvocationPolicy(value admissionregistrationv1.ReinvocationPolicyType) *MutatingAdmissionPolicySpecApplyConfiguration {
+	b.ReinvocationPolicy = &value
+	return b
+}

applyconfigurations/admissionregistration/v1/mutatingwebhook.go

@@ -25,19 +25,148 @@ import (
 
 // MutatingWebhookApplyConfiguration represents a declarative configuration of the MutatingWebhook type for use
 // with apply.
+//
+// MutatingWebhook describes an admission webhook and the resources and operations it applies to.
 type MutatingWebhookApplyConfiguration struct {
-	Name                    *string                                         `json:"name,omitempty"`
-	ClientConfig            *WebhookClientConfigApplyConfiguration          `json:"clientConfig,omitempty"`
-	Rules                   []RuleWithOperationsApplyConfiguration          `json:"rules,omitempty"`
-	FailurePolicy           *admissionregistrationv1.FailurePolicyType      `json:"failurePolicy,omitempty"`
-	MatchPolicy             *admissionregistrationv1.MatchPolicyType        `json:"matchPolicy,omitempty"`
-	NamespaceSelector       *metav1.LabelSelectorApplyConfiguration         `json:"namespaceSelector,omitempty"`
-	ObjectSelector          *metav1.LabelSelectorApplyConfiguration         `json:"objectSelector,omitempty"`
-	SideEffects             *admissionregistrationv1.SideEffectClass        `json:"sideEffects,omitempty"`
-	TimeoutSeconds          *int32                                          `json:"timeoutSeconds,omitempty"`
-	AdmissionReviewVersions []string                                        `json:"admissionReviewVersions,omitempty"`
-	ReinvocationPolicy      *admissionregistrationv1.ReinvocationPolicyType `json:"reinvocationPolicy,omitempty"`
-	MatchConditions         []MatchConditionApplyConfiguration              `json:"matchConditions,omitempty"`
+	// name is the name of the admission webhook.
+	// Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where
+	// "imagepolicy" is the name of the webhook, and kubernetes.io is the name
+	// of the organization.
+	// Required.
+	Name *string `json:"name,omitempty"`
+	// clientConfig defines how to communicate with the hook.
+	// Required
+	ClientConfig *WebhookClientConfigApplyConfiguration `json:"clientConfig,omitempty"`
+	// rules describes what operations on what resources/subresources the webhook cares about.
+	// The webhook cares about an operation if it matches _any_ Rule.
+	// However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks
+	// from putting the cluster in a state which cannot be recovered from without completely
+	// disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called
+	// on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects.
+	Rules []RuleWithOperationsApplyConfiguration `json:"rules,omitempty"`
+	// failurePolicy defines how unrecognized errors from the admission endpoint are handled -
+	// allowed values are Ignore or Fail. Defaults to Fail.
+	FailurePolicy *admissionregistrationv1.FailurePolicyType `json:"failurePolicy,omitempty"`
+	// matchPolicy defines how the "rules" list is used to match incoming requests.
+	// Allowed values are "Exact" or "Equivalent".
+	//
+	// - Exact: match a request only if it exactly matches a specified rule.
+	// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
+	// but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
+	// a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.
+	//
+	// - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.
+	// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
+	// and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
+	// a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.
+	//
+	// Defaults to "Equivalent"
+	MatchPolicy *admissionregistrationv1.MatchPolicyType `json:"matchPolicy,omitempty"`
+	// namespaceSelector decides whether to run the webhook on an object based
+	// on whether the namespace for that object matches the selector. If the
+	// object itself is a namespace, the matching is performed on
+	// object.metadata.labels. If the object is another cluster scoped resource,
+	// it never skips the webhook.
+	//
+	// For example, to run the webhook on any objects whose namespace is not
+	// associated with "runlevel" of "0" or "1";  you will set the selector as
+	// follows:
+	// "namespaceSelector": {
+	// "matchExpressions": [
+	// {
+	// "key": "runlevel",
+	// "operator": "NotIn",
+	// "values": [
+	// "0",
+	// "1"
+	// ]
+	// }
+	// ]
+	// }
+	//
+	// If instead you want to only run the webhook on any objects whose
+	// namespace is associated with the "environment" of "prod" or "staging";
+	// you will set the selector as follows:
+	// "namespaceSelector": {
+	// "matchExpressions": [
+	// {
+	// "key": "environment",
+	// "operator": "In",
+	// "values": [
+	// "prod",
+	// "staging"
+	// ]
+	// }
+	// ]
+	// }
+	//
+	// See
+	// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+	// for more examples of label selectors.
+	//
+	// Default to the empty LabelSelector, which matches everything.
+	NamespaceSelector *metav1.LabelSelectorApplyConfiguration `json:"namespaceSelector,omitempty"`
+	// objectSelector decides whether to run the webhook based on if the
+	// object has matching labels. objectSelector is evaluated against both
+	// the oldObject and newObject that would be sent to the webhook, and
+	// is considered to match if either object matches the selector. A null
+	// object (oldObject in the case of create, or newObject in the case of
+	// delete) or an object that cannot have labels (like a
+	// DeploymentRollback or a PodProxyOptions object) is not considered to
+	// match.
+	// Use the object selector only if the webhook is opt-in, because end
+	// users may skip the admission webhook by setting the labels.
+	// Default to the empty LabelSelector, which matches everything.
+	ObjectSelector *metav1.LabelSelectorApplyConfiguration `json:"objectSelector,omitempty"`
+	// sideEffects states whether this webhook has side effects.
+	// Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown).
+	// Webhooks with side effects MUST implement a reconciliation system, since a request may be
+	// rejected by a future step in the admission chain and the side effects therefore need to be undone.
+	// Requests with the dryRun attribute will be auto-rejected if they match a webhook with
+	// sideEffects == Unknown or Some.
+	SideEffects *admissionregistrationv1.SideEffectClass `json:"sideEffects,omitempty"`
+	// timeoutSeconds specifies the timeout for this webhook. After the timeout passes,
+	// the webhook call will be ignored or the API call will fail based on the
+	// failure policy.
+	// The timeout value must be between 1 and 30 seconds.
+	// Default to 10 seconds.
+	TimeoutSeconds *int32 `json:"timeoutSeconds,omitempty"`
+	// admissionReviewVersions is an ordered list of preferred `AdmissionReview`
+	// versions the Webhook expects. API server will try to use first version in
+	// the list which it supports. If none of the versions specified in this list
+	// supported by API server, validation will fail for this object.
+	// If a persisted webhook configuration specifies allowed versions and does not
+	// include any versions known to the API Server, calls to the webhook will fail
+	// and be subject to the failure policy.
+	AdmissionReviewVersions []string `json:"admissionReviewVersions,omitempty"`
+	// reinvocationPolicy indicates whether this webhook should be called multiple times as part of a single admission evaluation.
+	// Allowed values are "Never" and "IfNeeded".
+	//
+	// Never: the webhook will not be called more than once in a single admission evaluation.
+	//
+	// IfNeeded: the webhook will be called at least one additional time as part of the admission evaluation
+	// if the object being admitted is modified by other admission plugins after the initial webhook call.
+	// Webhooks that specify this option *must* be idempotent, able to process objects they previously admitted.
+	// Note:
+	// * the number of additional invocations is not guaranteed to be exactly one.
+	// * if additional invocations result in further modifications to the object, webhooks are not guaranteed to be invoked again.
+	// * webhooks that use this option may be reordered to minimize the number of additional invocations.
+	// * to validate an object after all mutations are guaranteed complete, use a validating admission webhook instead.
+	//
+	// Defaults to "Never".
+	ReinvocationPolicy *admissionregistrationv1.ReinvocationPolicyType `json:"reinvocationPolicy,omitempty"`
+	// matchConditions is a list of conditions that must be met for a request to be sent to this
+	// webhook. Match conditions filter requests that have already been matched by the rules,
+	// namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.
+	// There are a maximum of 64 match conditions allowed.
+	//
+	// The exact matching logic is (in order):
+	// 1. If ANY matchCondition evaluates to FALSE, the webhook is skipped.
+	// 2. If ALL matchConditions evaluate to TRUE, the webhook is called.
+	// 3. If any matchCondition evaluates to an error (but none are FALSE):
+	// - If failurePolicy=Fail, reject the request
+	// - If failurePolicy=Ignore, the error is ignored and the webhook is skipped
+	MatchConditions []MatchConditionApplyConfiguration `json:"matchConditions,omitempty"`
 }
 
 // MutatingWebhookApplyConfiguration constructs a declarative configuration of the MutatingWebhook type for use with

applyconfigurations/admissionregistration/v1/mutatingwebhookconfiguration.go

@@ -29,10 +29,14 @@ import (
 
 // MutatingWebhookConfigurationApplyConfiguration represents a declarative configuration of the MutatingWebhookConfiguration type for use
 // with apply.
+//
+// MutatingWebhookConfiguration describes the configuration of and admission webhook that accept or reject and may change the object.
 type MutatingWebhookConfigurationApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:""`
+	// metadata is the standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Webhooks                             []MutatingWebhookApplyConfiguration `json:"webhooks,omitempty"`
+	// webhooks is a list of webhooks and the affected resources and operations.
+	Webhooks []MutatingWebhookApplyConfiguration `json:"webhooks,omitempty"`
 }
 
 // MutatingWebhookConfiguration constructs a declarative configuration of the MutatingWebhookConfiguration type for use with
@@ -45,29 +49,14 @@ func MutatingWebhookConfiguration(name string) *MutatingWebhookConfigurationAppl
 	return b
 }
 
-// ExtractMutatingWebhookConfiguration extracts the applied configuration owned by fieldManager from
-// mutatingWebhookConfiguration. If no managedFields are found in mutatingWebhookConfiguration for fieldManager, a
-// MutatingWebhookConfigurationApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractMutatingWebhookConfigurationFrom extracts the applied configuration owned by fieldManager from
+// mutatingWebhookConfiguration for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // mutatingWebhookConfiguration must be a unmodified MutatingWebhookConfiguration API object that was retrieved from the Kubernetes API.
-// ExtractMutatingWebhookConfiguration provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractMutatingWebhookConfigurationFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractMutatingWebhookConfiguration(mutatingWebhookConfiguration *admissionregistrationv1.MutatingWebhookConfiguration, fieldManager string) (*MutatingWebhookConfigurationApplyConfiguration, error) {
-	return extractMutatingWebhookConfiguration(mutatingWebhookConfiguration, fieldManager, "")
-}
-
-// ExtractMutatingWebhookConfigurationStatus is the same as ExtractMutatingWebhookConfiguration except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractMutatingWebhookConfigurationStatus(mutatingWebhookConfiguration *admissionregistrationv1.MutatingWebhookConfiguration, fieldManager string) (*MutatingWebhookConfigurationApplyConfiguration, error) {
-	return extractMutatingWebhookConfiguration(mutatingWebhookConfiguration, fieldManager, "status")
-}
-
-func extractMutatingWebhookConfiguration(mutatingWebhookConfiguration *admissionregistrationv1.MutatingWebhookConfiguration, fieldManager string, subresource string) (*MutatingWebhookConfigurationApplyConfiguration, error) {
+func ExtractMutatingWebhookConfigurationFrom(mutatingWebhookConfiguration *admissionregistrationv1.MutatingWebhookConfiguration, fieldManager string, subresource string) (*MutatingWebhookConfigurationApplyConfiguration, error) {
 	b := &MutatingWebhookConfigurationApplyConfiguration{}
 	err := managedfields.ExtractInto(mutatingWebhookConfiguration, internal.Parser().Type("io.k8s.api.admissionregistration.v1.MutatingWebhookConfiguration"), fieldManager, b, subresource)
 	if err != nil {
@@ -79,6 +68,21 @@ func extractMutatingWebhookConfiguration(mutatingWebhookConfiguration *admission
 	b.WithAPIVersion("admissionregistration.k8s.io/v1")
 	return b, nil
 }
+
+// ExtractMutatingWebhookConfiguration extracts the applied configuration owned by fieldManager from
+// mutatingWebhookConfiguration. If no managedFields are found in mutatingWebhookConfiguration for fieldManager, a
+// MutatingWebhookConfigurationApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// mutatingWebhookConfiguration must be a unmodified MutatingWebhookConfiguration API object that was retrieved from the Kubernetes API.
+// ExtractMutatingWebhookConfiguration provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractMutatingWebhookConfiguration(mutatingWebhookConfiguration *admissionregistrationv1.MutatingWebhookConfiguration, fieldManager string) (*MutatingWebhookConfigurationApplyConfiguration, error) {
+	return ExtractMutatingWebhookConfigurationFrom(mutatingWebhookConfiguration, fieldManager, "")
+}
+
 func (b MutatingWebhookConfigurationApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value

applyconfigurations/admissionregistration/v1/mutation.go

@@ -0,0 +1,72 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1
+
+import (
+	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
+)
+
+// MutationApplyConfiguration represents a declarative configuration of the Mutation type for use
+// with apply.
+//
+// Mutation specifies the CEL expression which is used to apply the Mutation.
+type MutationApplyConfiguration struct {
+	// patchType indicates the patch strategy used.
+	// Allowed values are "ApplyConfiguration" and "JSONPatch".
+	// Required.
+	PatchType *admissionregistrationv1.PatchType `json:"patchType,omitempty"`
+	// applyConfiguration defines the desired configuration values of an object.
+	// The configuration is applied to the admission object using
+	// [structured merge diff](https://github.com/kubernetes-sigs/structured-merge-diff).
+	// A CEL expression is used to create apply configuration.
+	ApplyConfiguration *ApplyConfigurationApplyConfiguration `json:"applyConfiguration,omitempty"`
+	// jsonPatch defines a [JSON patch](https://jsonpatch.com/) operation to perform a mutation to the object.
+	// A CEL expression is used to create the JSON patch.
+	JSONPatch *JSONPatchApplyConfiguration `json:"jsonPatch,omitempty"`
+}
+
+// MutationApplyConfiguration constructs a declarative configuration of the Mutation type for use with
+// apply.
+func Mutation() *MutationApplyConfiguration {
+	return &MutationApplyConfiguration{}
+}
+
+// WithPatchType sets the PatchType field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the PatchType field is set to the value of the last call.
+func (b *MutationApplyConfiguration) WithPatchType(value admissionregistrationv1.PatchType) *MutationApplyConfiguration {
+	b.PatchType = &value
+	return b
+}
+
+// WithApplyConfiguration sets the ApplyConfiguration field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the ApplyConfiguration field is set to the value of the last call.
+func (b *MutationApplyConfiguration) WithApplyConfiguration(value *ApplyConfigurationApplyConfiguration) *MutationApplyConfiguration {
+	b.ApplyConfiguration = value
+	return b
+}
+
+// WithJSONPatch sets the JSONPatch field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the JSONPatch field is set to the value of the last call.
+func (b *MutationApplyConfiguration) WithJSONPatch(value *JSONPatchApplyConfiguration) *MutationApplyConfiguration {
+	b.JSONPatch = value
+	return b
+}

applyconfigurations/admissionregistration/v1/namedrulewithoperations.go

@@ -24,9 +24,13 @@ import (
 
 // NamedRuleWithOperationsApplyConfiguration represents a declarative configuration of the NamedRuleWithOperations type for use
 // with apply.
+//
+// NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.
 type NamedRuleWithOperationsApplyConfiguration struct {
-	ResourceNames                        []string `json:"resourceNames,omitempty"`
-	RuleWithOperationsApplyConfiguration `json:",inline"`
+	// resourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.
+	ResourceNames []string `json:"resourceNames,omitempty"`
+	// RuleWithOperations is a tuple of Operations and Resources.
+	RuleWithOperationsApplyConfiguration `json:""`
 }
 
 // NamedRuleWithOperationsApplyConfiguration constructs a declarative configuration of the NamedRuleWithOperations type for use with

applyconfigurations/admissionregistration/v1/paramkind.go

@@ -20,9 +20,16 @@ package v1
 
 // ParamKindApplyConfiguration represents a declarative configuration of the ParamKind type for use
 // with apply.
+//
+// ParamKind is a tuple of Group Kind and Version.
 type ParamKindApplyConfiguration struct {
+	// apiVersion is the API group version the resources belong to.
+	// In format of "group/version".
+	// Required.
 	APIVersion *string `json:"apiVersion,omitempty"`
-	Kind       *string `json:"kind,omitempty"`
+	// kind is the API kind the resources belong to.
+	// Required.
+	Kind *string `json:"kind,omitempty"`
 }
 
 // ParamKindApplyConfiguration constructs a declarative configuration of the ParamKind type for use with

applyconfigurations/admissionregistration/v1/paramref.go

@@ -25,10 +25,53 @@ import (
 
 // ParamRefApplyConfiguration represents a declarative configuration of the ParamRef type for use
 // with apply.
+//
+// ParamRef describes how to locate the params to be used as input to
+// expressions of rules applied by a policy binding.
 type ParamRefApplyConfiguration struct {
-	Name                    *string                                              `json:"name,omitempty"`
-	Namespace               *string                                              `json:"namespace,omitempty"`
-	Selector                *metav1.LabelSelectorApplyConfiguration              `json:"selector,omitempty"`
+	// name is the name of the resource being referenced.
+	//
+	// One of `name` or `selector` must be set, but `name` and `selector` are
+	// mutually exclusive properties. If one is set, the other must be unset.
+	//
+	// A single parameter used for all admission requests can be configured
+	// by setting the `name` field, leaving `selector` blank, and setting namespace
+	// if `paramKind` is namespace-scoped.
+	Name *string `json:"name,omitempty"`
+	// namespace is the namespace of the referenced resource. Allows limiting
+	// the search for params to a specific namespace. Applies to both `name` and
+	// `selector` fields.
+	//
+	// A per-namespace parameter may be used by specifying a namespace-scoped
+	// `paramKind` in the policy and leaving this field empty.
+	//
+	// - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this
+	// field results in a configuration error.
+	//
+	// - If `paramKind` is namespace-scoped, the namespace of the object being
+	// evaluated for admission will be used when this field is left unset. Take
+	// care that if this is left empty the binding must not match any cluster-scoped
+	// resources, which will result in an error.
+	Namespace *string `json:"namespace,omitempty"`
+	// selector can be used to match multiple param objects based on their labels.
+	// Supply selector: {} to match all resources of the ParamKind.
+	//
+	// If multiple params are found, they are all evaluated with the policy expressions
+	// and the results are ANDed together.
+	//
+	// One of `name` or `selector` must be set, but `name` and `selector` are
+	// mutually exclusive properties. If one is set, the other must be unset.
+	Selector *metav1.LabelSelectorApplyConfiguration `json:"selector,omitempty"`
+	// parameterNotFoundAction controls the behavior of the binding when the resource
+	// exists, and name or selector is valid, but there are no parameters
+	// matched by the binding. If the value is set to `Allow`, then no
+	// matched parameters will be treated as successful validation by the binding.
+	// If set to `Deny`, then no matched parameters will be subject to the
+	// `failurePolicy` of the policy.
+	//
+	// Allowed values are `Allow` or `Deny`
+	//
+	// Required
 	ParameterNotFoundAction *admissionregistrationv1.ParameterNotFoundActionType `json:"parameterNotFoundAction,omitempty"`
 }
 

applyconfigurations/admissionregistration/v1/rule.go

@@ -24,11 +24,43 @@ import (
 
 // RuleApplyConfiguration represents a declarative configuration of the Rule type for use
 // with apply.
+//
+// Rule is a tuple of APIGroups, APIVersion, and Resources.It is recommended
+// to make sure that all the tuple expansions are valid.
 type RuleApplyConfiguration struct {
-	APIGroups   []string                           `json:"apiGroups,omitempty"`
-	APIVersions []string                           `json:"apiVersions,omitempty"`
-	Resources   []string                           `json:"resources,omitempty"`
-	Scope       *admissionregistrationv1.ScopeType `json:"scope,omitempty"`
+	// apiGroups is the API groups the resources belong to. '*' is all groups.
+	// If '*' is present, the length of the slice must be one.
+	// Required.
+	APIGroups []string `json:"apiGroups,omitempty"`
+	// apiVersions is the API versions the resources belong to. '*' is all versions.
+	// If '*' is present, the length of the slice must be one.
+	// Required.
+	APIVersions []string `json:"apiVersions,omitempty"`
+	// resources is a list of resources this rule applies to.
+	//
+	// For example:
+	// 'pods' means pods.
+	// 'pods/log' means the log subresource of pods.
+	// '*' means all resources, but not subresources.
+	// 'pods/*' means all subresources of pods.
+	// '*/scale' means all scale subresources.
+	// '*/*' means all resources and their subresources.
+	//
+	// If wildcard is present, the validation rule will ensure resources do not
+	// overlap with each other.
+	//
+	// Depending on the enclosing object, subresources might not be allowed.
+	// Required.
+	Resources []string `json:"resources,omitempty"`
+	// scope specifies the scope of this rule.
+	// Valid values are "Cluster", "Namespaced", and "*"
+	// "Cluster" means that only cluster-scoped resources will match this rule.
+	// Namespace API objects are cluster-scoped.
+	// "Namespaced" means that only namespaced resources will match this rule.
+	// "*" means that there are no scope restrictions.
+	// Subresources match the scope of their parent resource.
+	// Default is "*".
+	Scope *admissionregistrationv1.ScopeType `json:"scope,omitempty"`
 }
 
 // RuleApplyConfiguration constructs a declarative configuration of the Rule type for use with

applyconfigurations/admissionregistration/v1/rulewithoperations.go

@@ -24,9 +24,18 @@ import (
 
 // RuleWithOperationsApplyConfiguration represents a declarative configuration of the RuleWithOperations type for use
 // with apply.
+//
+// RuleWithOperations is a tuple of Operations and Resources. It is recommended to make
+// sure that all the tuple expansions are valid.
 type RuleWithOperationsApplyConfiguration struct {
-	Operations             []admissionregistrationv1.OperationType `json:"operations,omitempty"`
-	RuleApplyConfiguration `json:",inline"`
+	// operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *
+	// for all of those operations and any future admission operations that are added.
+	// If '*' is present, the length of the slice must be one.
+	// Required.
+	Operations []admissionregistrationv1.OperationType `json:"operations,omitempty"`
+	// Rule is embedded, it describes other criteria of the rule, like
+	// APIGroups, APIVersions, Resources, etc.
+	RuleApplyConfiguration `json:""`
 }
 
 // RuleWithOperationsApplyConfiguration constructs a declarative configuration of the RuleWithOperations type for use with

applyconfigurations/admissionregistration/v1/servicereference.go

@@ -20,11 +20,22 @@ package v1
 
 // ServiceReferenceApplyConfiguration represents a declarative configuration of the ServiceReference type for use
 // with apply.
+//
+// ServiceReference holds a reference to Service.legacy.k8s.io
 type ServiceReferenceApplyConfiguration struct {
+	// namespace is the namespace of the service.
+	// Required
 	Namespace *string `json:"namespace,omitempty"`
-	Name      *string `json:"name,omitempty"`
-	Path      *string `json:"path,omitempty"`
-	Port      *int32  `json:"port,omitempty"`
+	// name is the name of the service.
+	// Required
+	Name *string `json:"name,omitempty"`
+	// path is an optional URL path which will be sent in any request to
+	// this service.
+	Path *string `json:"path,omitempty"`
+	// port is the port on the service that hosts the webhook.
+	// Default to 443 for backward compatibility.
+	// `port` should be a valid port number (1-65535, inclusive).
+	Port *int32 `json:"port,omitempty"`
 }
 
 // ServiceReferenceApplyConfiguration constructs a declarative configuration of the ServiceReference type for use with

applyconfigurations/admissionregistration/v1/typechecking.go

@@ -20,7 +20,11 @@ package v1
 
 // TypeCheckingApplyConfiguration represents a declarative configuration of the TypeChecking type for use
 // with apply.
+//
+// TypeChecking contains results of type checking the expressions in the
+// ValidatingAdmissionPolicy
 type TypeCheckingApplyConfiguration struct {
+	// expressionWarnings contains the type checking warnings for each expression.
 	ExpressionWarnings []ExpressionWarningApplyConfiguration `json:"expressionWarnings,omitempty"`
 }
 

applyconfigurations/admissionregistration/v1/validatingadmissionpolicy.go

@@ -29,11 +29,19 @@ import (
 
 // ValidatingAdmissionPolicyApplyConfiguration represents a declarative configuration of the ValidatingAdmissionPolicy type for use
 // with apply.
+//
+// ValidatingAdmissionPolicy describes the definition of an admission validation policy that accepts or rejects an object without changing it.
 type ValidatingAdmissionPolicyApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:""`
+	// metadata is the standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                                 *ValidatingAdmissionPolicySpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                               *ValidatingAdmissionPolicyStatusApplyConfiguration `json:"status,omitempty"`
+	// spec defines the desired behavior of the ValidatingAdmissionPolicy.
+	Spec *ValidatingAdmissionPolicySpecApplyConfiguration `json:"spec,omitempty"`
+	// status represents the current status of the ValidatingAdmissionPolicy, including warnings that are useful to determine if the policy
+	// behaves in the expected way.
+	// Populated by the system.
+	// Read-only.
+	Status *ValidatingAdmissionPolicyStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // ValidatingAdmissionPolicy constructs a declarative configuration of the ValidatingAdmissionPolicy type for use with
@@ -46,29 +54,14 @@ func ValidatingAdmissionPolicy(name string) *ValidatingAdmissionPolicyApplyConfi
 	return b
 }
 
-// ExtractValidatingAdmissionPolicy extracts the applied configuration owned by fieldManager from
-// validatingAdmissionPolicy. If no managedFields are found in validatingAdmissionPolicy for fieldManager, a
-// ValidatingAdmissionPolicyApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractValidatingAdmissionPolicyFrom extracts the applied configuration owned by fieldManager from
+// validatingAdmissionPolicy for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // validatingAdmissionPolicy must be a unmodified ValidatingAdmissionPolicy API object that was retrieved from the Kubernetes API.
-// ExtractValidatingAdmissionPolicy provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractValidatingAdmissionPolicyFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractValidatingAdmissionPolicy(validatingAdmissionPolicy *admissionregistrationv1.ValidatingAdmissionPolicy, fieldManager string) (*ValidatingAdmissionPolicyApplyConfiguration, error) {
-	return extractValidatingAdmissionPolicy(validatingAdmissionPolicy, fieldManager, "")
-}
-
-// ExtractValidatingAdmissionPolicyStatus is the same as ExtractValidatingAdmissionPolicy except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractValidatingAdmissionPolicyStatus(validatingAdmissionPolicy *admissionregistrationv1.ValidatingAdmissionPolicy, fieldManager string) (*ValidatingAdmissionPolicyApplyConfiguration, error) {
-	return extractValidatingAdmissionPolicy(validatingAdmissionPolicy, fieldManager, "status")
-}
-
-func extractValidatingAdmissionPolicy(validatingAdmissionPolicy *admissionregistrationv1.ValidatingAdmissionPolicy, fieldManager string, subresource string) (*ValidatingAdmissionPolicyApplyConfiguration, error) {
+func ExtractValidatingAdmissionPolicyFrom(validatingAdmissionPolicy *admissionregistrationv1.ValidatingAdmissionPolicy, fieldManager string, subresource string) (*ValidatingAdmissionPolicyApplyConfiguration, error) {
 	b := &ValidatingAdmissionPolicyApplyConfiguration{}
 	err := managedfields.ExtractInto(validatingAdmissionPolicy, internal.Parser().Type("io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicy"), fieldManager, b, subresource)
 	if err != nil {
@@ -80,6 +73,27 @@ func extractValidatingAdmissionPolicy(validatingAdmissionPolicy *admissionregist
 	b.WithAPIVersion("admissionregistration.k8s.io/v1")
 	return b, nil
 }
+
+// ExtractValidatingAdmissionPolicy extracts the applied configuration owned by fieldManager from
+// validatingAdmissionPolicy. If no managedFields are found in validatingAdmissionPolicy for fieldManager, a
+// ValidatingAdmissionPolicyApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// validatingAdmissionPolicy must be a unmodified ValidatingAdmissionPolicy API object that was retrieved from the Kubernetes API.
+// ExtractValidatingAdmissionPolicy provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractValidatingAdmissionPolicy(validatingAdmissionPolicy *admissionregistrationv1.ValidatingAdmissionPolicy, fieldManager string) (*ValidatingAdmissionPolicyApplyConfiguration, error) {
+	return ExtractValidatingAdmissionPolicyFrom(validatingAdmissionPolicy, fieldManager, "")
+}
+
+// ExtractValidatingAdmissionPolicyStatus extracts the applied configuration owned by fieldManager from
+// validatingAdmissionPolicy for the status subresource.
+func ExtractValidatingAdmissionPolicyStatus(validatingAdmissionPolicy *admissionregistrationv1.ValidatingAdmissionPolicy, fieldManager string) (*ValidatingAdmissionPolicyApplyConfiguration, error) {
+	return ExtractValidatingAdmissionPolicyFrom(validatingAdmissionPolicy, fieldManager, "status")
+}
+
 func (b ValidatingAdmissionPolicyApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value

applyconfigurations/admissionregistration/v1/validatingadmissionpolicybinding.go

@@ -29,10 +29,24 @@ import (
 
 // ValidatingAdmissionPolicyBindingApplyConfiguration represents a declarative configuration of the ValidatingAdmissionPolicyBinding type for use
 // with apply.
+//
+// ValidatingAdmissionPolicyBinding binds the ValidatingAdmissionPolicy with paramerized resources.
+// ValidatingAdmissionPolicyBinding and parameter CRDs together define how cluster administrators configure policies for clusters.
+//
+// For a given admission request, each binding will cause its policy to be
+// evaluated N times, where N is 1 for policies/bindings that don't use
+// params, otherwise N is the number of parameters selected by the binding.
+//
+// The CEL expressions of a policy must have a computed CEL cost below the maximum
+// CEL budget. Each evaluation of the policy is given an independent CEL cost budget.
+// Adding/removing policies, bindings, or params can not affect whether a
+// given (policy, binding, param) combination is within its own CEL budget.
 type ValidatingAdmissionPolicyBindingApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:""`
+	// metadata is the standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                                 *ValidatingAdmissionPolicyBindingSpecApplyConfiguration `json:"spec,omitempty"`
+	// spec defines the desired behavior of the ValidatingAdmissionPolicyBinding.
+	Spec *ValidatingAdmissionPolicyBindingSpecApplyConfiguration `json:"spec,omitempty"`
 }
 
 // ValidatingAdmissionPolicyBinding constructs a declarative configuration of the ValidatingAdmissionPolicyBinding type for use with
@@ -45,29 +59,14 @@ func ValidatingAdmissionPolicyBinding(name string) *ValidatingAdmissionPolicyBin
 	return b
 }
 
-// ExtractValidatingAdmissionPolicyBinding extracts the applied configuration owned by fieldManager from
-// validatingAdmissionPolicyBinding. If no managedFields are found in validatingAdmissionPolicyBinding for fieldManager, a
-// ValidatingAdmissionPolicyBindingApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractValidatingAdmissionPolicyBindingFrom extracts the applied configuration owned by fieldManager from
+// validatingAdmissionPolicyBinding for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // validatingAdmissionPolicyBinding must be a unmodified ValidatingAdmissionPolicyBinding API object that was retrieved from the Kubernetes API.
-// ExtractValidatingAdmissionPolicyBinding provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractValidatingAdmissionPolicyBindingFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractValidatingAdmissionPolicyBinding(validatingAdmissionPolicyBinding *admissionregistrationv1.ValidatingAdmissionPolicyBinding, fieldManager string) (*ValidatingAdmissionPolicyBindingApplyConfiguration, error) {
-	return extractValidatingAdmissionPolicyBinding(validatingAdmissionPolicyBinding, fieldManager, "")
-}
-
-// ExtractValidatingAdmissionPolicyBindingStatus is the same as ExtractValidatingAdmissionPolicyBinding except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractValidatingAdmissionPolicyBindingStatus(validatingAdmissionPolicyBinding *admissionregistrationv1.ValidatingAdmissionPolicyBinding, fieldManager string) (*ValidatingAdmissionPolicyBindingApplyConfiguration, error) {
-	return extractValidatingAdmissionPolicyBinding(validatingAdmissionPolicyBinding, fieldManager, "status")
-}
-
-func extractValidatingAdmissionPolicyBinding(validatingAdmissionPolicyBinding *admissionregistrationv1.ValidatingAdmissionPolicyBinding, fieldManager string, subresource string) (*ValidatingAdmissionPolicyBindingApplyConfiguration, error) {
+func ExtractValidatingAdmissionPolicyBindingFrom(validatingAdmissionPolicyBinding *admissionregistrationv1.ValidatingAdmissionPolicyBinding, fieldManager string, subresource string) (*ValidatingAdmissionPolicyBindingApplyConfiguration, error) {
 	b := &ValidatingAdmissionPolicyBindingApplyConfiguration{}
 	err := managedfields.ExtractInto(validatingAdmissionPolicyBinding, internal.Parser().Type("io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicyBinding"), fieldManager, b, subresource)
 	if err != nil {
@@ -79,6 +78,21 @@ func extractValidatingAdmissionPolicyBinding(validatingAdmissionPolicyBinding *a
 	b.WithAPIVersion("admissionregistration.k8s.io/v1")
 	return b, nil
 }
+
+// ExtractValidatingAdmissionPolicyBinding extracts the applied configuration owned by fieldManager from
+// validatingAdmissionPolicyBinding. If no managedFields are found in validatingAdmissionPolicyBinding for fieldManager, a
+// ValidatingAdmissionPolicyBindingApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// validatingAdmissionPolicyBinding must be a unmodified ValidatingAdmissionPolicyBinding API object that was retrieved from the Kubernetes API.
+// ExtractValidatingAdmissionPolicyBinding provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractValidatingAdmissionPolicyBinding(validatingAdmissionPolicyBinding *admissionregistrationv1.ValidatingAdmissionPolicyBinding, fieldManager string) (*ValidatingAdmissionPolicyBindingApplyConfiguration, error) {
+	return ExtractValidatingAdmissionPolicyBindingFrom(validatingAdmissionPolicyBinding, fieldManager, "")
+}
+
 func (b ValidatingAdmissionPolicyBindingApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value

applyconfigurations/admissionregistration/v1/validatingadmissionpolicybindingspec.go

@@ -24,10 +24,63 @@ import (
 
 // ValidatingAdmissionPolicyBindingSpecApplyConfiguration represents a declarative configuration of the ValidatingAdmissionPolicyBindingSpec type for use
 // with apply.
+//
+// ValidatingAdmissionPolicyBindingSpec is the specification of the ValidatingAdmissionPolicyBinding.
 type ValidatingAdmissionPolicyBindingSpecApplyConfiguration struct {
-	PolicyName        *string                                    `json:"policyName,omitempty"`
-	ParamRef          *ParamRefApplyConfiguration                `json:"paramRef,omitempty"`
-	MatchResources    *MatchResourcesApplyConfiguration          `json:"matchResources,omitempty"`
+	// policyName references a ValidatingAdmissionPolicy name which the ValidatingAdmissionPolicyBinding binds to.
+	// If the referenced resource does not exist, this binding is considered invalid and will be ignored
+	// Required.
+	PolicyName *string `json:"policyName,omitempty"`
+	// paramRef specifies the parameter resource used to configure the admission control policy.
+	// It should point to a resource of the type specified in ParamKind of the bound ValidatingAdmissionPolicy.
+	// If the policy specifies a ParamKind and the resource referred to by ParamRef does not exist, this binding is considered mis-configured and the FailurePolicy of the ValidatingAdmissionPolicy applied.
+	// If the policy does not specify a ParamKind then this field is ignored, and the rules are evaluated without a param.
+	ParamRef *ParamRefApplyConfiguration `json:"paramRef,omitempty"`
+	// matchResources declares what resources match this binding and will be validated by it.
+	// Note that this is intersected with the policy's matchConstraints, so only requests that are matched by the policy can be selected by this.
+	// If this is unset, all resources matched by the policy are validated by this binding
+	// When resourceRules is unset, it does not constrain resource matching. If a resource is matched by the other fields of this object, it will be validated.
+	// Note that this is differs from ValidatingAdmissionPolicy matchConstraints, where resourceRules are required.
+	MatchResources *MatchResourcesApplyConfiguration `json:"matchResources,omitempty"`
+	// validationActions declares how Validations of the referenced ValidatingAdmissionPolicy are enforced.
+	// If a validation evaluates to false it is always enforced according to these actions.
+	//
+	// Failures defined by the ValidatingAdmissionPolicy's FailurePolicy are enforced according
+	// to these actions only if the FailurePolicy is set to Fail, otherwise the failures are
+	// ignored. This includes compilation errors, runtime errors and misconfigurations of the policy.
+	//
+	// validationActions is declared as a set of action values. Order does
+	// not matter. validationActions may not contain duplicates of the same action.
+	//
+	// The supported actions values are:
+	//
+	// "Deny" specifies that a validation failure results in a denied request.
+	//
+	// "Warn" specifies that a validation failure is reported to the request client
+	// in HTTP Warning headers, with a warning code of 299. Warnings can be sent
+	// both for allowed or denied admission responses.
+	//
+	// "Audit" specifies that a validation failure is included in the published
+	// audit event for the request. The audit event will contain a
+	// `validation.policy.admission.k8s.io/validation_failure` audit annotation
+	// with a value containing the details of the validation failures, formatted as
+	// a JSON list of objects, each with the following fields:
+	// - message: The validation failure message string
+	// - policy: The resource name of the ValidatingAdmissionPolicy
+	// - binding: The resource name of the ValidatingAdmissionPolicyBinding
+	// - expressionIndex: The index of the failed validations in the ValidatingAdmissionPolicy
+	// - validationActions: The enforcement actions enacted for the validation failure
+	// Example audit annotation:
+	// `"validation.policy.admission.k8s.io/validation_failure": "[{\"message\": \"Invalid value\", {\"policy\": \"policy.example.com\", {\"binding\": \"policybinding.example.com\", {\"expressionIndex\": \"1\", {\"validationActions\": [\"Audit\"]}]"`
+	//
+	// Clients should expect to handle additional values by ignoring
+	// any values not recognized.
+	//
+	// "Deny" and "Warn" may not be used together since this combination
+	// needlessly duplicates the validation failure both in the
+	// API response body and the HTTP warning headers.
+	//
+	// Required.
 	ValidationActions []admissionregistrationv1.ValidationAction `json:"validationActions,omitempty"`
 }
 

applyconfigurations/admissionregistration/v1/validatingadmissionpolicyspec.go

@@ -24,14 +24,66 @@ import (
 
 // ValidatingAdmissionPolicySpecApplyConfiguration represents a declarative configuration of the ValidatingAdmissionPolicySpec type for use
 // with apply.
+//
+// ValidatingAdmissionPolicySpec is the specification of the desired behavior of the AdmissionPolicy.
 type ValidatingAdmissionPolicySpecApplyConfiguration struct {
-	ParamKind        *ParamKindApplyConfiguration               `json:"paramKind,omitempty"`
-	MatchConstraints *MatchResourcesApplyConfiguration          `json:"matchConstraints,omitempty"`
-	Validations      []ValidationApplyConfiguration             `json:"validations,omitempty"`
-	FailurePolicy    *admissionregistrationv1.FailurePolicyType `json:"failurePolicy,omitempty"`
-	AuditAnnotations []AuditAnnotationApplyConfiguration        `json:"auditAnnotations,omitempty"`
-	MatchConditions  []MatchConditionApplyConfiguration         `json:"matchConditions,omitempty"`
-	Variables        []VariableApplyConfiguration               `json:"variables,omitempty"`
+	// paramKind specifies the kind of resources used to parameterize this policy.
+	// If absent, there are no parameters for this policy and the param CEL variable will not be provided to validation expressions.
+	// If ParamKind refers to a non-existent kind, this policy definition is mis-configured and the FailurePolicy is applied.
+	// If paramKind is specified but paramRef is unset in ValidatingAdmissionPolicyBinding, the params variable will be null.
+	ParamKind *ParamKindApplyConfiguration `json:"paramKind,omitempty"`
+	// matchConstraints specifies what resources this policy is designed to validate.
+	// The AdmissionPolicy cares about a request if it matches _all_ Constraints.
+	// However, in order to prevent clusters from being put into an unstable state that cannot be recovered from via the API
+	// ValidatingAdmissionPolicy cannot match ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding.
+	// Required.
+	MatchConstraints *MatchResourcesApplyConfiguration `json:"matchConstraints,omitempty"`
+	// validations contain CEL expressions which is used to apply the validation.
+	// Validations and AuditAnnotations may not both be empty; a minimum of one Validations or AuditAnnotations is
+	// required.
+	Validations []ValidationApplyConfiguration `json:"validations,omitempty"`
+	// failurePolicy defines how to handle failures for the admission policy. Failures can
+	// occur from CEL expression parse errors, type check errors, runtime errors and invalid
+	// or mis-configured policy definitions or bindings.
+	//
+	// A policy is invalid if spec.paramKind refers to a non-existent Kind.
+	// A binding is invalid if spec.paramRef.name refers to a non-existent resource.
+	//
+	// failurePolicy does not define how validations that evaluate to false are handled.
+	//
+	// When failurePolicy is set to Fail, ValidatingAdmissionPolicyBinding validationActions
+	// define how failures are enforced.
+	//
+	// Allowed values are Ignore or Fail. Defaults to Fail.
+	FailurePolicy *admissionregistrationv1.FailurePolicyType `json:"failurePolicy,omitempty"`
+	// auditAnnotations contains CEL expressions which are used to produce audit
+	// annotations for the audit event of the API request.
+	// validations and auditAnnotations may not both be empty; a least one of validations or auditAnnotations is
+	// required.
+	AuditAnnotations []AuditAnnotationApplyConfiguration `json:"auditAnnotations,omitempty"`
+	// matchConditions is a list of conditions that must be met for a request to be validated.
+	// Match conditions filter requests that have already been matched by the rules,
+	// namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.
+	// There are a maximum of 64 match conditions allowed.
+	//
+	// If a parameter object is provided, it can be accessed via the `params` handle in the same
+	// manner as validation expressions.
+	//
+	// The exact matching logic is (in order):
+	// 1. If ANY matchCondition evaluates to FALSE, the policy is skipped.
+	// 2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.
+	// 3. If any matchCondition evaluates to an error (but none are FALSE):
+	// - If failurePolicy=Fail, reject the request
+	// - If failurePolicy=Ignore, the policy is skipped
+	MatchConditions []MatchConditionApplyConfiguration `json:"matchConditions,omitempty"`
+	// variables contain definitions of variables that can be used in composition of other expressions.
+	// Each variable is defined as a named CEL expression.
+	// The variables defined here will be available under `variables` in other expressions of the policy
+	// except MatchConditions because MatchConditions are evaluated before the rest of the policy.
+	//
+	// The expression of a variable can refer to other variables defined earlier in the list but not those after.
+	// Thus, Variables must be sorted by the order of first appearance and acyclic.
+	Variables []VariableApplyConfiguration `json:"variables,omitempty"`
 }
 
 // ValidatingAdmissionPolicySpecApplyConfiguration constructs a declarative configuration of the ValidatingAdmissionPolicySpec type for use with

applyconfigurations/admissionregistration/v1/validatingadmissionpolicystatus.go

@@ -24,10 +24,16 @@ import (
 
 // ValidatingAdmissionPolicyStatusApplyConfiguration represents a declarative configuration of the ValidatingAdmissionPolicyStatus type for use
 // with apply.
+//
+// ValidatingAdmissionPolicyStatus represents the status of an admission validation policy.
 type ValidatingAdmissionPolicyStatusApplyConfiguration struct {
-	ObservedGeneration *int64                               `json:"observedGeneration,omitempty"`
-	TypeChecking       *TypeCheckingApplyConfiguration      `json:"typeChecking,omitempty"`
-	Conditions         []metav1.ConditionApplyConfiguration `json:"conditions,omitempty"`
+	// observedGeneration is the generation observed by the controller.
+	ObservedGeneration *int64 `json:"observedGeneration,omitempty"`
+	// typeChecking contains the results of type checking for each expression.
+	// Presence of this field indicates the completion of the type checking.
+	TypeChecking *TypeCheckingApplyConfiguration `json:"typeChecking,omitempty"`
+	// conditions represent the latest available observations of a policy's current state.
+	Conditions []metav1.ConditionApplyConfiguration `json:"conditions,omitempty"`
 }
 
 // ValidatingAdmissionPolicyStatusApplyConfiguration constructs a declarative configuration of the ValidatingAdmissionPolicyStatus type for use with

applyconfigurations/admissionregistration/v1/validatingwebhook.go

@@ -25,18 +25,132 @@ import (
 
 // ValidatingWebhookApplyConfiguration represents a declarative configuration of the ValidatingWebhook type for use
 // with apply.
+//
+// ValidatingWebhook describes an admission webhook and the resources and operations it applies to.
 type ValidatingWebhookApplyConfiguration struct {
-	Name                    *string                                    `json:"name,omitempty"`
-	ClientConfig            *WebhookClientConfigApplyConfiguration     `json:"clientConfig,omitempty"`
-	Rules                   []RuleWithOperationsApplyConfiguration     `json:"rules,omitempty"`
-	FailurePolicy           *admissionregistrationv1.FailurePolicyType `json:"failurePolicy,omitempty"`
-	MatchPolicy             *admissionregistrationv1.MatchPolicyType   `json:"matchPolicy,omitempty"`
-	NamespaceSelector       *metav1.LabelSelectorApplyConfiguration    `json:"namespaceSelector,omitempty"`
-	ObjectSelector          *metav1.LabelSelectorApplyConfiguration    `json:"objectSelector,omitempty"`
-	SideEffects             *admissionregistrationv1.SideEffectClass   `json:"sideEffects,omitempty"`
-	TimeoutSeconds          *int32                                     `json:"timeoutSeconds,omitempty"`
-	AdmissionReviewVersions []string                                   `json:"admissionReviewVersions,omitempty"`
-	MatchConditions         []MatchConditionApplyConfiguration         `json:"matchConditions,omitempty"`
+	// name is the name of the admission webhook.
+	// Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where
+	// "imagepolicy" is the name of the webhook, and kubernetes.io is the name
+	// of the organization.
+	// Required.
+	Name *string `json:"name,omitempty"`
+	// clientConfig defines how to communicate with the hook.
+	// Required
+	ClientConfig *WebhookClientConfigApplyConfiguration `json:"clientConfig,omitempty"`
+	// rules describes what operations on what resources/subresources the webhook cares about.
+	// The webhook cares about an operation if it matches _any_ Rule.
+	// However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks
+	// from putting the cluster in a state which cannot be recovered from without completely
+	// disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called
+	// on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects.
+	Rules []RuleWithOperationsApplyConfiguration `json:"rules,omitempty"`
+	// failurePolicy defines how unrecognized errors from the admission endpoint are handled -
+	// allowed values are Ignore or Fail. Defaults to Fail.
+	FailurePolicy *admissionregistrationv1.FailurePolicyType `json:"failurePolicy,omitempty"`
+	// matchPolicy defines how the "rules" list is used to match incoming requests.
+	// Allowed values are "Exact" or "Equivalent".
+	//
+	// - Exact: match a request only if it exactly matches a specified rule.
+	// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
+	// but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
+	// a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.
+	//
+	// - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.
+	// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
+	// and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
+	// a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.
+	//
+	// Defaults to "Equivalent"
+	MatchPolicy *admissionregistrationv1.MatchPolicyType `json:"matchPolicy,omitempty"`
+	// namespaceSelector decides whether to run the webhook on an object based
+	// on whether the namespace for that object matches the selector. If the
+	// object itself is a namespace, the matching is performed on
+	// object.metadata.labels. If the object is another cluster scoped resource,
+	// it never skips the webhook.
+	//
+	// For example, to run the webhook on any objects whose namespace is not
+	// associated with "runlevel" of "0" or "1";  you will set the selector as
+	// follows:
+	// "namespaceSelector": {
+	// "matchExpressions": [
+	// {
+	// "key": "runlevel",
+	// "operator": "NotIn",
+	// "values": [
+	// "0",
+	// "1"
+	// ]
+	// }
+	// ]
+	// }
+	//
+	// If instead you want to only run the webhook on any objects whose
+	// namespace is associated with the "environment" of "prod" or "staging";
+	// you will set the selector as follows:
+	// "namespaceSelector": {
+	// "matchExpressions": [
+	// {
+	// "key": "environment",
+	// "operator": "In",
+	// "values": [
+	// "prod",
+	// "staging"
+	// ]
+	// }
+	// ]
+	// }
+	//
+	// See
+	// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels
+	// for more examples of label selectors.
+	//
+	// Default to the empty LabelSelector, which matches everything.
+	NamespaceSelector *metav1.LabelSelectorApplyConfiguration `json:"namespaceSelector,omitempty"`
+	// objectSelector decides whether to run the webhook based on if the
+	// object has matching labels. objectSelector is evaluated against both
+	// the oldObject and newObject that would be sent to the webhook, and
+	// is considered to match if either object matches the selector. A null
+	// object (oldObject in the case of create, or newObject in the case of
+	// delete) or an object that cannot have labels (like a
+	// DeploymentRollback or a PodProxyOptions object) is not considered to
+	// match.
+	// Use the object selector only if the webhook is opt-in, because end
+	// users may skip the admission webhook by setting the labels.
+	// Default to the empty LabelSelector, which matches everything.
+	ObjectSelector *metav1.LabelSelectorApplyConfiguration `json:"objectSelector,omitempty"`
+	// sideEffects states whether this webhook has side effects.
+	// Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown).
+	// Webhooks with side effects MUST implement a reconciliation system, since a request may be
+	// rejected by a future step in the admission chain and the side effects therefore need to be undone.
+	// Requests with the dryRun attribute will be auto-rejected if they match a webhook with
+	// sideEffects == Unknown or Some.
+	SideEffects *admissionregistrationv1.SideEffectClass `json:"sideEffects,omitempty"`
+	// timeoutSeconds specifies the timeout for this webhook. After the timeout passes,
+	// the webhook call will be ignored or the API call will fail based on the
+	// failure policy.
+	// The timeout value must be between 1 and 30 seconds.
+	// Default to 10 seconds.
+	TimeoutSeconds *int32 `json:"timeoutSeconds,omitempty"`
+	// admissionReviewVersions is an ordered list of preferred `AdmissionReview`
+	// versions the Webhook expects. API server will try to use first version in
+	// the list which it supports. If none of the versions specified in this list
+	// supported by API server, validation will fail for this object.
+	// If a persisted webhook configuration specifies allowed versions and does not
+	// include any versions known to the API Server, calls to the webhook will fail
+	// and be subject to the failure policy.
+	AdmissionReviewVersions []string `json:"admissionReviewVersions,omitempty"`
+	// matchConditions is a list of conditions that must be met for a request to be sent to this
+	// webhook. Match conditions filter requests that have already been matched by the rules,
+	// namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.
+	// There are a maximum of 64 match conditions allowed.
+	//
+	// The exact matching logic is (in order):
+	// 1. If ANY matchCondition evaluates to FALSE, the webhook is skipped.
+	// 2. If ALL matchConditions evaluate to TRUE, the webhook is called.
+	// 3. If any matchCondition evaluates to an error (but none are FALSE):
+	// - If failurePolicy=Fail, reject the request
+	// - If failurePolicy=Ignore, the error is ignored and the webhook is skipped
+	MatchConditions []MatchConditionApplyConfiguration `json:"matchConditions,omitempty"`
 }
 
 // ValidatingWebhookApplyConfiguration constructs a declarative configuration of the ValidatingWebhook type for use with

applyconfigurations/admissionregistration/v1/validatingwebhookconfiguration.go

@@ -29,10 +29,14 @@ import (
 
 // ValidatingWebhookConfigurationApplyConfiguration represents a declarative configuration of the ValidatingWebhookConfiguration type for use
 // with apply.
+//
+// ValidatingWebhookConfiguration describes the configuration of and admission webhook that accept or reject and object without changing it.
 type ValidatingWebhookConfigurationApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:""`
+	// metadata is the standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Webhooks                             []ValidatingWebhookApplyConfiguration `json:"webhooks,omitempty"`
+	// webhooks is a list of webhooks and the affected resources and operations.
+	Webhooks []ValidatingWebhookApplyConfiguration `json:"webhooks,omitempty"`
 }
 
 // ValidatingWebhookConfiguration constructs a declarative configuration of the ValidatingWebhookConfiguration type for use with
@@ -45,29 +49,14 @@ func ValidatingWebhookConfiguration(name string) *ValidatingWebhookConfiguration
 	return b
 }
 
-// ExtractValidatingWebhookConfiguration extracts the applied configuration owned by fieldManager from
-// validatingWebhookConfiguration. If no managedFields are found in validatingWebhookConfiguration for fieldManager, a
-// ValidatingWebhookConfigurationApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractValidatingWebhookConfigurationFrom extracts the applied configuration owned by fieldManager from
+// validatingWebhookConfiguration for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // validatingWebhookConfiguration must be a unmodified ValidatingWebhookConfiguration API object that was retrieved from the Kubernetes API.
-// ExtractValidatingWebhookConfiguration provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractValidatingWebhookConfigurationFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractValidatingWebhookConfiguration(validatingWebhookConfiguration *admissionregistrationv1.ValidatingWebhookConfiguration, fieldManager string) (*ValidatingWebhookConfigurationApplyConfiguration, error) {
-	return extractValidatingWebhookConfiguration(validatingWebhookConfiguration, fieldManager, "")
-}
-
-// ExtractValidatingWebhookConfigurationStatus is the same as ExtractValidatingWebhookConfiguration except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractValidatingWebhookConfigurationStatus(validatingWebhookConfiguration *admissionregistrationv1.ValidatingWebhookConfiguration, fieldManager string) (*ValidatingWebhookConfigurationApplyConfiguration, error) {
-	return extractValidatingWebhookConfiguration(validatingWebhookConfiguration, fieldManager, "status")
-}
-
-func extractValidatingWebhookConfiguration(validatingWebhookConfiguration *admissionregistrationv1.ValidatingWebhookConfiguration, fieldManager string, subresource string) (*ValidatingWebhookConfigurationApplyConfiguration, error) {
+func ExtractValidatingWebhookConfigurationFrom(validatingWebhookConfiguration *admissionregistrationv1.ValidatingWebhookConfiguration, fieldManager string, subresource string) (*ValidatingWebhookConfigurationApplyConfiguration, error) {
 	b := &ValidatingWebhookConfigurationApplyConfiguration{}
 	err := managedfields.ExtractInto(validatingWebhookConfiguration, internal.Parser().Type("io.k8s.api.admissionregistration.v1.ValidatingWebhookConfiguration"), fieldManager, b, subresource)
 	if err != nil {
@@ -79,6 +68,21 @@ func extractValidatingWebhookConfiguration(validatingWebhookConfiguration *admis
 	b.WithAPIVersion("admissionregistration.k8s.io/v1")
 	return b, nil
 }
+
+// ExtractValidatingWebhookConfiguration extracts the applied configuration owned by fieldManager from
+// validatingWebhookConfiguration. If no managedFields are found in validatingWebhookConfiguration for fieldManager, a
+// ValidatingWebhookConfigurationApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// validatingWebhookConfiguration must be a unmodified ValidatingWebhookConfiguration API object that was retrieved from the Kubernetes API.
+// ExtractValidatingWebhookConfiguration provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractValidatingWebhookConfiguration(validatingWebhookConfiguration *admissionregistrationv1.ValidatingWebhookConfiguration, fieldManager string) (*ValidatingWebhookConfigurationApplyConfiguration, error) {
+	return ExtractValidatingWebhookConfigurationFrom(validatingWebhookConfiguration, fieldManager, "")
+}
+
 func (b ValidatingWebhookConfigurationApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value

applyconfigurations/admissionregistration/v1/validation.go

@@ -24,11 +24,77 @@ import (
 
 // ValidationApplyConfiguration represents a declarative configuration of the Validation type for use
 // with apply.
+//
+// Validation specifies the CEL expression which is used to apply the validation.
 type ValidationApplyConfiguration struct {
-	Expression        *string              `json:"expression,omitempty"`
-	Message           *string              `json:"message,omitempty"`
-	Reason            *metav1.StatusReason `json:"reason,omitempty"`
-	MessageExpression *string              `json:"messageExpression,omitempty"`
+	// expression represents the expression which will be evaluated by CEL.
+	// ref: https://github.com/google/cel-spec
+	// CEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables:
+	//
+	// - 'object' - The object from the incoming request. The value is null for DELETE requests.
+	// - 'oldObject' - The existing object. The value is null for CREATE requests.
+	// - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
+	// - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.
+	// - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.
+	// - 'variables' - Map of composited variables, from its name to its lazily evaluated value.
+	// For example, a variable named 'foo' can be accessed as 'variables.foo'.
+	// - 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
+	// See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
+	// - 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
+	// request resource.
+	//
+	// The `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the
+	// object. No other metadata properties are accessible.
+	//
+	// Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.
+	// Accessible property names are escaped according to the following rules when accessed in the expression:
+	// - '__' escapes to '__underscores__'
+	// - '.' escapes to '__dot__'
+	// - '-' escapes to '__dash__'
+	// - '/' escapes to '__slash__'
+	// - Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are:
+	// "true", "false", "null", "in", "as", "break", "const", "continue", "else", "for", "function", "if",
+	// "import", "let", "loop", "package", "namespace", "return".
+	// Examples:
+	// - Expression accessing a property named "namespace": {"Expression": "object.__namespace__ > 0"}
+	// - Expression accessing a property named "x-prop": {"Expression": "object.x__dash__prop > 0"}
+	// - Expression accessing a property named "redact__d": {"Expression": "object.redact__underscores__d > 0"}
+	//
+	// Equality on arrays with list type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1].
+	// Concatenation on arrays with x-kubernetes-list-type use the semantics of the list type:
+	// - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and
+	// non-intersecting elements in `Y` are appended, retaining their partial order.
+	// - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values
+	// are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with
+	// non-intersecting keys are appended, retaining their partial order.
+	// Required.
+	Expression *string `json:"expression,omitempty"`
+	// message represents the message displayed when validation fails. The message is required if the Expression contains
+	// line breaks. The message must not contain line breaks.
+	// If unset, the message is "failed rule: {Rule}".
+	// e.g. "must be a URL with the host matching spec.host"
+	// If the Expression contains line breaks. Message is required.
+	// The message must not contain line breaks.
+	// If unset, the message is "failed Expression: {Expression}".
+	Message *string `json:"message,omitempty"`
+	// reason represents a machine-readable description of why this validation failed.
+	// If this is the first validation in the list to fail, this reason, as well as the
+	// corresponding HTTP response code, are used in the
+	// HTTP response to the client.
+	// The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge".
+	// If not set, StatusReasonInvalid is used in the response to the client.
+	Reason *metav1.StatusReason `json:"reason,omitempty"`
+	// messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.
+	// Since messageExpression is used as a failure message, it must evaluate to a string.
+	// If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.
+	// If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced
+	// as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string
+	// that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and
+	// the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.
+	// messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.
+	// Example:
+	// "object.x must be less than max ("+string(params.max)+")"
+	MessageExpression *string `json:"messageExpression,omitempty"`
 }
 
 // ValidationApplyConfiguration constructs a declarative configuration of the Validation type for use with

applyconfigurations/admissionregistration/v1/variable.go

@@ -20,8 +20,15 @@ package v1
 
 // VariableApplyConfiguration represents a declarative configuration of the Variable type for use
 // with apply.
+//
+// Variable is the definition of a variable that is used for composition. A variable is defined as a named expression.
 type VariableApplyConfiguration struct {
-	Name       *string `json:"name,omitempty"`
+	// name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.
+	// The variable can be accessed in other expressions through `variables`
+	// For example, if name is "foo", the variable will be available as `variables.foo`
+	Name *string `json:"name,omitempty"`
+	// expression is the expression that will be evaluated as the value of the variable.
+	// The CEL expression has access to the same identifiers as the CEL expressions in Validation.
 	Expression *string `json:"expression,omitempty"`
 }
 

applyconfigurations/admissionregistration/v1/webhookclientconfig.go

@@ -20,10 +20,44 @@ package v1
 
 // WebhookClientConfigApplyConfiguration represents a declarative configuration of the WebhookClientConfig type for use
 // with apply.
+//
+// WebhookClientConfig contains the information to make a TLS
+// connection with the webhook
 type WebhookClientConfigApplyConfiguration struct {
-	URL      *string                             `json:"url,omitempty"`
-	Service  *ServiceReferenceApplyConfiguration `json:"service,omitempty"`
-	CABundle []byte                              `json:"caBundle,omitempty"`
+	// url gives the location of the webhook, in standard URL form
+	// (`scheme://host:port/path`). Exactly one of `url` or `service`
+	// must be specified.
+	//
+	// The `host` should not refer to a service running in the cluster; use
+	// the `service` field instead. The host might be resolved via external
+	// DNS in some apiservers (e.g., `kube-apiserver` cannot resolve
+	// in-cluster DNS as that would be a layering violation). `host` may
+	// also be an IP address.
+	//
+	// Please note that using `localhost` or `127.0.0.1` as a `host` is
+	// risky unless you take great care to run this webhook on all hosts
+	// which run an apiserver which might need to make calls to this
+	// webhook. Such installs are likely to be non-portable, i.e., not easy
+	// to turn up in a new cluster.
+	//
+	// The scheme must be "https"; the URL must begin with "https://".
+	//
+	// A path is optional, and if present may be any string permissible in
+	// a URL. You may use the path to pass an arbitrary string to the
+	// webhook, for example, a cluster identifier.
+	//
+	// Attempting to use a user or basic auth e.g. "user:password@" is not
+	// allowed. Fragments ("#...") and query parameters ("?...") are not
+	// allowed, either.
+	URL *string `json:"url,omitempty"`
+	// service is a reference to the service for this webhook. Either
+	// `service` or `url` must be specified.
+	//
+	// If the webhook is running within the cluster, then you should use `service`.
+	Service *ServiceReferenceApplyConfiguration `json:"service,omitempty"`
+	// caBundle is a PEM encoded CA bundle which will be used to validate the webhook's server certificate.
+	// If unspecified, system trust roots on the apiserver are used.
+	CABundle []byte `json:"caBundle,omitempty"`
 }
 
 // WebhookClientConfigApplyConfiguration constructs a declarative configuration of the WebhookClientConfig type for use with

applyconfigurations/admissionregistration/v1alpha1/applyconfiguration.go

@@ -20,7 +20,49 @@ package v1alpha1
 
 // ApplyConfigurationApplyConfiguration represents a declarative configuration of the ApplyConfiguration type for use
 // with apply.
+//
+// ApplyConfiguration defines the desired configuration values of an object.
 type ApplyConfigurationApplyConfiguration struct {
+	// expression will be evaluated by CEL to create an apply configuration.
+	// ref: https://github.com/google/cel-spec
+	//
+	// Apply configurations are declared in CEL using object initialization. For example, this CEL expression
+	// returns an apply configuration to set a single field:
+	//
+	// Object{
+	// spec: Object.spec{
+	// serviceAccountName: "example"
+	// }
+	// }
+	//
+	// Apply configurations may not modify atomic structs, maps or arrays due to the risk of accidental deletion of
+	// values not included in the apply configuration.
+	//
+	// CEL expressions have access to the object types needed to create apply configurations:
+	//
+	// - 'Object' - CEL type of the resource object.
+	// - 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec')
+	// - 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')
+	//
+	// CEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:
+	//
+	// - 'object' - The object from the incoming request. The value is null for DELETE requests.
+	// - 'oldObject' - The existing object. The value is null for CREATE requests.
+	// - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
+	// - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.
+	// - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.
+	// - 'variables' - Map of composited variables, from its name to its lazily evaluated value.
+	// For example, a variable named 'foo' can be accessed as 'variables.foo'.
+	// - 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
+	// See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
+	// - 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
+	// request resource.
+	//
+	// The `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the
+	// object. No other metadata properties are accessible.
+	//
+	// Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.
+	// Required.
 	Expression *string `json:"expression,omitempty"`
 }
 

applyconfigurations/admissionregistration/v1alpha1/auditannotation.go

@@ -20,8 +20,40 @@ package v1alpha1
 
 // AuditAnnotationApplyConfiguration represents a declarative configuration of the AuditAnnotation type for use
 // with apply.
+//
+// AuditAnnotation describes how to produce an audit annotation for an API request.
 type AuditAnnotationApplyConfiguration struct {
-	Key             *string `json:"key,omitempty"`
+	// key specifies the audit annotation key. The audit annotation keys of
+	// a ValidatingAdmissionPolicy must be unique. The key must be a qualified
+	// name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.
+	//
+	// The key is combined with the resource name of the
+	// ValidatingAdmissionPolicy to construct an audit annotation key:
+	// "{ValidatingAdmissionPolicy name}/{key}".
+	//
+	// If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy
+	// and the same audit annotation key, the annotation key will be identical.
+	// In this case, the first annotation written with the key will be included
+	// in the audit event and all subsequent annotations with the same key
+	// will be discarded.
+	//
+	// Required.
+	Key *string `json:"key,omitempty"`
+	// valueExpression represents the expression which is evaluated by CEL to
+	// produce an audit annotation value. The expression must evaluate to either
+	// a string or null value. If the expression evaluates to a string, the
+	// audit annotation is included with the string value. If the expression
+	// evaluates to null or empty string the audit annotation will be omitted.
+	// The valueExpression may be no longer than 5kb in length.
+	// If the result of the valueExpression is more than 10kb in length, it
+	// will be truncated to 10kb.
+	//
+	// If multiple ValidatingAdmissionPolicyBinding resources match an
+	// API request, then the valueExpression will be evaluated for
+	// each binding. All unique values produced by the valueExpressions
+	// will be joined together in a comma-separated list.
+	//
+	// Required.
 	ValueExpression *string `json:"valueExpression,omitempty"`
 }
 

applyconfigurations/admissionregistration/v1alpha1/expressionwarning.go

@@ -20,9 +20,17 @@ package v1alpha1
 
 // ExpressionWarningApplyConfiguration represents a declarative configuration of the ExpressionWarning type for use
 // with apply.
+//
+// ExpressionWarning is a warning information that targets a specific expression.
 type ExpressionWarningApplyConfiguration struct {
+	// fieldRef is the path to the field that refers to the expression.
+	// For example, the reference to the expression of the first item of
+	// validations is "spec.validations[0].expression"
 	FieldRef *string `json:"fieldRef,omitempty"`
-	Warning  *string `json:"warning,omitempty"`
+	// warning contains the content of type checking information in a human-readable form.
+	// Each line of the warning contains the type that the expression is checked
+	// against, followed by the type check error from the compiler.
+	Warning *string `json:"warning,omitempty"`
 }
 
 // ExpressionWarningApplyConfiguration constructs a declarative configuration of the ExpressionWarning type for use with

applyconfigurations/admissionregistration/v1alpha1/jsonpatch.go

@@ -20,7 +20,73 @@ package v1alpha1
 
 // JSONPatchApplyConfiguration represents a declarative configuration of the JSONPatch type for use
 // with apply.
+//
+// JSONPatch defines a JSON Patch.
 type JSONPatchApplyConfiguration struct {
+	// expression will be evaluated by CEL to create a [JSON patch](https://jsonpatch.com/).
+	// ref: https://github.com/google/cel-spec
+	//
+	// expression must return an array of JSONPatch values.
+	//
+	// For example, this CEL expression returns a JSON patch to conditionally modify a value:
+	//
+	// [
+	// JSONPatch{op: "test", path: "/spec/example", value: "Red"},
+	// JSONPatch{op: "replace", path: "/spec/example", value: "Green"}
+	// ]
+	//
+	// To define an object for the patch value, use Object types. For example:
+	//
+	// [
+	// JSONPatch{
+	// op: "add",
+	// path: "/spec/selector",
+	// value: Object.spec.selector{matchLabels: {"environment": "test"}}
+	// }
+	// ]
+	//
+	// To use strings containing '/' and '~' as JSONPatch path keys, use "jsonpatch.escapeKey". For example:
+	//
+	// [
+	// JSONPatch{
+	// op: "add",
+	// path: "/metadata/labels/" + jsonpatch.escapeKey("example.com/environment"),
+	// value: "test"
+	// },
+	// ]
+	//
+	// CEL expressions have access to the types needed to create JSON patches and objects:
+	//
+	// - 'JSONPatch' - CEL type of JSON Patch operations. JSONPatch has the fields 'op', 'from', 'path' and 'value'.
+	// See [JSON patch](https://jsonpatch.com/) for more details. The 'value' field may be set to any of: string,
+	// integer, array, map or object.  If set, the 'path' and 'from' fields must be set to a
+	// [JSON pointer](https://datatracker.ietf.org/doc/html/rfc6901/) string, where the 'jsonpatch.escapeKey()' CEL
+	// function may be used to escape path keys containing '/' and '~'.
+	// - 'Object' - CEL type of the resource object.
+	// - 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec')
+	// - 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')
+	//
+	// CEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:
+	//
+	// - 'object' - The object from the incoming request. The value is null for DELETE requests.
+	// - 'oldObject' - The existing object. The value is null for CREATE requests.
+	// - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
+	// - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.
+	// - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.
+	// - 'variables' - Map of composited variables, from its name to its lazily evaluated value.
+	// For example, a variable named 'foo' can be accessed as 'variables.foo'.
+	// - 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
+	// See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
+	// - 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
+	// request resource.
+	//
+	// CEL expressions have access to [Kubernetes CEL function libraries](https://kubernetes.io/docs/reference/using-api/cel/#cel-options-language-features-and-libraries)
+	// as well as:
+	//
+	// - 'jsonpatch.escapeKey' - Performs JSONPatch key escaping. '~' and  '/' are escaped as '~0' and `~1' respectively).
+	//
+	// Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.
+	// Required.
 	Expression *string `json:"expression,omitempty"`
 }
 

applyconfigurations/admissionregistration/v1alpha1/matchcondition.go

@@ -21,7 +21,29 @@ package v1alpha1
 // MatchConditionApplyConfiguration represents a declarative configuration of the MatchCondition type for use
 // with apply.
 type MatchConditionApplyConfiguration struct {
-	Name       *string `json:"name,omitempty"`
+	// name is an identifier for this match condition, used for strategic merging of MatchConditions,
+	// as well as providing an identifier for logging purposes. A good name should be descriptive of
+	// the associated expression.
+	// Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
+	// must start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or
+	// '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
+	// optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
+	//
+	// Required.
+	Name *string `json:"name,omitempty"`
+	// expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
+	// CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
+	//
+	// 'object' - The object from the incoming request. The value is null for DELETE requests.
+	// 'oldObject' - The existing object. The value is null for CREATE requests.
+	// 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
+	// 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
+	// See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
+	// 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
+	// request resource.
+	// Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
+	//
+	// Required.
 	Expression *string `json:"expression,omitempty"`
 }
 

applyconfigurations/admissionregistration/v1alpha1/matchresources.go

@@ -25,12 +25,89 @@ import (
 
 // MatchResourcesApplyConfiguration represents a declarative configuration of the MatchResources type for use
 // with apply.
+//
+// MatchResources decides whether to run the admission control policy on an object based
+// on whether it meets the match criteria.
+// The exclude rules take precedence over include rules (if a resource matches both, it is excluded)
 type MatchResourcesApplyConfiguration struct {
-	NamespaceSelector    *v1.LabelSelectorApplyConfiguration            `json:"namespaceSelector,omitempty"`
-	ObjectSelector       *v1.LabelSelectorApplyConfiguration            `json:"objectSelector,omitempty"`
-	ResourceRules        []NamedRuleWithOperationsApplyConfiguration    `json:"resourceRules,omitempty"`
-	ExcludeResourceRules []NamedRuleWithOperationsApplyConfiguration    `json:"excludeResourceRules,omitempty"`
-	MatchPolicy          *admissionregistrationv1alpha1.MatchPolicyType `json:"matchPolicy,omitempty"`
+	// namespaceSelector decides whether to run the admission control policy on an object based
+	// on whether the namespace for that object matches the selector. If the
+	// object itself is a namespace, the matching is performed on
+	// object.metadata.labels. If the object is another cluster scoped resource,
+	// it never skips the policy.
+	//
+	// For example, to run the webhook on any objects whose namespace is not
+	// associated with "runlevel" of "0" or "1";  you will set the selector as
+	// follows:
+	// "namespaceSelector": {
+	// "matchExpressions": [
+	// {
+	// "key": "runlevel",
+	// "operator": "NotIn",
+	// "values": [
+	// "0",
+	// "1"
+	// ]
+	// }
+	// ]
+	// }
+	//
+	// If instead you want to only run the policy on any objects whose
+	// namespace is associated with the "environment" of "prod" or "staging";
+	// you will set the selector as follows:
+	// "namespaceSelector": {
+	// "matchExpressions": [
+	// {
+	// "key": "environment",
+	// "operator": "In",
+	// "values": [
+	// "prod",
+	// "staging"
+	// ]
+	// }
+	// ]
+	// }
+	//
+	// See
+	// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+	// for more examples of label selectors.
+	//
+	// Default to the empty LabelSelector, which matches everything.
+	NamespaceSelector *v1.LabelSelectorApplyConfiguration `json:"namespaceSelector,omitempty"`
+	// objectSelector decides whether to run the policy based on if the
+	// object has matching labels. objectSelector is evaluated against both
+	// the oldObject and newObject that would be sent to the policy's expression (CEL), and
+	// is considered to match if either object matches the selector. A null
+	// object (oldObject in the case of create, or newObject in the case of
+	// delete) or an object that cannot have labels (like a
+	// DeploymentRollback or a PodProxyOptions object) is not considered to
+	// match.
+	// Use the object selector only if the webhook is opt-in, because end
+	// users may skip the admission webhook by setting the labels.
+	// Default to the empty LabelSelector, which matches everything.
+	ObjectSelector *v1.LabelSelectorApplyConfiguration `json:"objectSelector,omitempty"`
+	// resourceRules describes what operations on what resources/subresources the admission policy matches.
+	// The policy cares about an operation if it matches _any_ Rule.
+	ResourceRules []NamedRuleWithOperationsApplyConfiguration `json:"resourceRules,omitempty"`
+	// excludeResourceRules describes what operations on what resources/subresources the policy should not care about.
+	// The exclude rules take precedence over include rules (if a resource matches both, it is excluded)
+	ExcludeResourceRules []NamedRuleWithOperationsApplyConfiguration `json:"excludeResourceRules,omitempty"`
+	// matchPolicy defines how the "MatchResources" list is used to match incoming requests.
+	// Allowed values are "Exact" or "Equivalent".
+	//
+	// - Exact: match a request only if it exactly matches a specified rule.
+	// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
+	// but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
+	// the admission policy does not consider requests to apps/v1beta1 or extensions/v1beta1 API groups.
+	//
+	// - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.
+	// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
+	// and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
+	// the admission policy **does** consider requests made to apps/v1beta1 or extensions/v1beta1
+	// API groups. The API server translates the request to a matched resource API if necessary.
+	//
+	// Defaults to "Equivalent"
+	MatchPolicy *admissionregistrationv1alpha1.MatchPolicyType `json:"matchPolicy,omitempty"`
 }
 
 // MatchResourcesApplyConfiguration constructs a declarative configuration of the MatchResources type for use with

applyconfigurations/admissionregistration/v1alpha1/mutatingadmissionpolicy.go

@@ -29,10 +29,14 @@ import (
 
 // MutatingAdmissionPolicyApplyConfiguration represents a declarative configuration of the MutatingAdmissionPolicy type for use
 // with apply.
+//
+// MutatingAdmissionPolicy describes the definition of an admission mutation policy that mutates the object coming into admission chain.
 type MutatingAdmissionPolicyApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:""`
+	// metadata is the standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *MutatingAdmissionPolicySpecApplyConfiguration `json:"spec,omitempty"`
+	// spec defines the desired behavior of the MutatingAdmissionPolicy.
+	Spec *MutatingAdmissionPolicySpecApplyConfiguration `json:"spec,omitempty"`
 }
 
 // MutatingAdmissionPolicy constructs a declarative configuration of the MutatingAdmissionPolicy type for use with
@@ -45,29 +49,14 @@ func MutatingAdmissionPolicy(name string) *MutatingAdmissionPolicyApplyConfigura
 	return b
 }
 
-// ExtractMutatingAdmissionPolicy extracts the applied configuration owned by fieldManager from
-// mutatingAdmissionPolicy. If no managedFields are found in mutatingAdmissionPolicy for fieldManager, a
-// MutatingAdmissionPolicyApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractMutatingAdmissionPolicyFrom extracts the applied configuration owned by fieldManager from
+// mutatingAdmissionPolicy for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // mutatingAdmissionPolicy must be a unmodified MutatingAdmissionPolicy API object that was retrieved from the Kubernetes API.
-// ExtractMutatingAdmissionPolicy provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractMutatingAdmissionPolicyFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractMutatingAdmissionPolicy(mutatingAdmissionPolicy *admissionregistrationv1alpha1.MutatingAdmissionPolicy, fieldManager string) (*MutatingAdmissionPolicyApplyConfiguration, error) {
-	return extractMutatingAdmissionPolicy(mutatingAdmissionPolicy, fieldManager, "")
-}
-
-// ExtractMutatingAdmissionPolicyStatus is the same as ExtractMutatingAdmissionPolicy except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractMutatingAdmissionPolicyStatus(mutatingAdmissionPolicy *admissionregistrationv1alpha1.MutatingAdmissionPolicy, fieldManager string) (*MutatingAdmissionPolicyApplyConfiguration, error) {
-	return extractMutatingAdmissionPolicy(mutatingAdmissionPolicy, fieldManager, "status")
-}
-
-func extractMutatingAdmissionPolicy(mutatingAdmissionPolicy *admissionregistrationv1alpha1.MutatingAdmissionPolicy, fieldManager string, subresource string) (*MutatingAdmissionPolicyApplyConfiguration, error) {
+func ExtractMutatingAdmissionPolicyFrom(mutatingAdmissionPolicy *admissionregistrationv1alpha1.MutatingAdmissionPolicy, fieldManager string, subresource string) (*MutatingAdmissionPolicyApplyConfiguration, error) {
 	b := &MutatingAdmissionPolicyApplyConfiguration{}
 	err := managedfields.ExtractInto(mutatingAdmissionPolicy, internal.Parser().Type("io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicy"), fieldManager, b, subresource)
 	if err != nil {
@@ -79,6 +68,21 @@ func extractMutatingAdmissionPolicy(mutatingAdmissionPolicy *admissionregistrati
 	b.WithAPIVersion("admissionregistration.k8s.io/v1alpha1")
 	return b, nil
 }
+
+// ExtractMutatingAdmissionPolicy extracts the applied configuration owned by fieldManager from
+// mutatingAdmissionPolicy. If no managedFields are found in mutatingAdmissionPolicy for fieldManager, a
+// MutatingAdmissionPolicyApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// mutatingAdmissionPolicy must be a unmodified MutatingAdmissionPolicy API object that was retrieved from the Kubernetes API.
+// ExtractMutatingAdmissionPolicy provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractMutatingAdmissionPolicy(mutatingAdmissionPolicy *admissionregistrationv1alpha1.MutatingAdmissionPolicy, fieldManager string) (*MutatingAdmissionPolicyApplyConfiguration, error) {
+	return ExtractMutatingAdmissionPolicyFrom(mutatingAdmissionPolicy, fieldManager, "")
+}
+
 func (b MutatingAdmissionPolicyApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value

applyconfigurations/admissionregistration/v1alpha1/mutatingadmissionpolicybinding.go

@@ -29,10 +29,24 @@ import (
 
 // MutatingAdmissionPolicyBindingApplyConfiguration represents a declarative configuration of the MutatingAdmissionPolicyBinding type for use
 // with apply.
+//
+// MutatingAdmissionPolicyBinding binds the MutatingAdmissionPolicy with parametrized resources.
+// MutatingAdmissionPolicyBinding and the optional parameter resource together define how cluster administrators
+// configure policies for clusters.
+//
+// For a given admission request, each binding will cause its policy to be
+// evaluated N times, where N is 1 for policies/bindings that don't use
+// params, otherwise N is the number of parameters selected by the binding.
+// Each evaluation is constrained by a [runtime cost budget](https://kubernetes.io/docs/reference/using-api/cel/#runtime-cost-budget).
+//
+// Adding/removing policies, bindings, or params can not affect whether a
+// given (policy, binding, param) combination is within its own CEL budget.
 type MutatingAdmissionPolicyBindingApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:""`
+	// metadata is the standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *MutatingAdmissionPolicyBindingSpecApplyConfiguration `json:"spec,omitempty"`
+	// spec defines the desired behavior of the MutatingAdmissionPolicyBinding.
+	Spec *MutatingAdmissionPolicyBindingSpecApplyConfiguration `json:"spec,omitempty"`
 }
 
 // MutatingAdmissionPolicyBinding constructs a declarative configuration of the MutatingAdmissionPolicyBinding type for use with
@@ -45,29 +59,14 @@ func MutatingAdmissionPolicyBinding(name string) *MutatingAdmissionPolicyBinding
 	return b
 }
 
-// ExtractMutatingAdmissionPolicyBinding extracts the applied configuration owned by fieldManager from
-// mutatingAdmissionPolicyBinding. If no managedFields are found in mutatingAdmissionPolicyBinding for fieldManager, a
-// MutatingAdmissionPolicyBindingApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractMutatingAdmissionPolicyBindingFrom extracts the applied configuration owned by fieldManager from
+// mutatingAdmissionPolicyBinding for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // mutatingAdmissionPolicyBinding must be a unmodified MutatingAdmissionPolicyBinding API object that was retrieved from the Kubernetes API.
-// ExtractMutatingAdmissionPolicyBinding provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractMutatingAdmissionPolicyBindingFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractMutatingAdmissionPolicyBinding(mutatingAdmissionPolicyBinding *admissionregistrationv1alpha1.MutatingAdmissionPolicyBinding, fieldManager string) (*MutatingAdmissionPolicyBindingApplyConfiguration, error) {
-	return extractMutatingAdmissionPolicyBinding(mutatingAdmissionPolicyBinding, fieldManager, "")
-}
-
-// ExtractMutatingAdmissionPolicyBindingStatus is the same as ExtractMutatingAdmissionPolicyBinding except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractMutatingAdmissionPolicyBindingStatus(mutatingAdmissionPolicyBinding *admissionregistrationv1alpha1.MutatingAdmissionPolicyBinding, fieldManager string) (*MutatingAdmissionPolicyBindingApplyConfiguration, error) {
-	return extractMutatingAdmissionPolicyBinding(mutatingAdmissionPolicyBinding, fieldManager, "status")
-}
-
-func extractMutatingAdmissionPolicyBinding(mutatingAdmissionPolicyBinding *admissionregistrationv1alpha1.MutatingAdmissionPolicyBinding, fieldManager string, subresource string) (*MutatingAdmissionPolicyBindingApplyConfiguration, error) {
+func ExtractMutatingAdmissionPolicyBindingFrom(mutatingAdmissionPolicyBinding *admissionregistrationv1alpha1.MutatingAdmissionPolicyBinding, fieldManager string, subresource string) (*MutatingAdmissionPolicyBindingApplyConfiguration, error) {
 	b := &MutatingAdmissionPolicyBindingApplyConfiguration{}
 	err := managedfields.ExtractInto(mutatingAdmissionPolicyBinding, internal.Parser().Type("io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicyBinding"), fieldManager, b, subresource)
 	if err != nil {
@@ -79,6 +78,21 @@ func extractMutatingAdmissionPolicyBinding(mutatingAdmissionPolicyBinding *admis
 	b.WithAPIVersion("admissionregistration.k8s.io/v1alpha1")
 	return b, nil
 }
+
+// ExtractMutatingAdmissionPolicyBinding extracts the applied configuration owned by fieldManager from
+// mutatingAdmissionPolicyBinding. If no managedFields are found in mutatingAdmissionPolicyBinding for fieldManager, a
+// MutatingAdmissionPolicyBindingApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// mutatingAdmissionPolicyBinding must be a unmodified MutatingAdmissionPolicyBinding API object that was retrieved from the Kubernetes API.
+// ExtractMutatingAdmissionPolicyBinding provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractMutatingAdmissionPolicyBinding(mutatingAdmissionPolicyBinding *admissionregistrationv1alpha1.MutatingAdmissionPolicyBinding, fieldManager string) (*MutatingAdmissionPolicyBindingApplyConfiguration, error) {
+	return ExtractMutatingAdmissionPolicyBindingFrom(mutatingAdmissionPolicyBinding, fieldManager, "")
+}
+
 func (b MutatingAdmissionPolicyBindingApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value

applyconfigurations/admissionregistration/v1alpha1/mutatingadmissionpolicybindingspec.go

@@ -20,9 +20,27 @@ package v1alpha1
 
 // MutatingAdmissionPolicyBindingSpecApplyConfiguration represents a declarative configuration of the MutatingAdmissionPolicyBindingSpec type for use
 // with apply.
+//
+// MutatingAdmissionPolicyBindingSpec is the specification of the MutatingAdmissionPolicyBinding.
 type MutatingAdmissionPolicyBindingSpecApplyConfiguration struct {
-	PolicyName     *string                           `json:"policyName,omitempty"`
-	ParamRef       *ParamRefApplyConfiguration       `json:"paramRef,omitempty"`
+	// policyName references a MutatingAdmissionPolicy name which the MutatingAdmissionPolicyBinding binds to.
+	// If the referenced resource does not exist, this binding is considered invalid and will be ignored
+	// Required.
+	PolicyName *string `json:"policyName,omitempty"`
+	// paramRef specifies the parameter resource used to configure the admission control policy.
+	// It should point to a resource of the type specified in spec.ParamKind of the bound MutatingAdmissionPolicy.
+	// If the policy specifies a ParamKind and the resource referred to by ParamRef does not exist, this binding is considered mis-configured and the FailurePolicy of the MutatingAdmissionPolicy applied.
+	// If the policy does not specify a ParamKind then this field is ignored, and the rules are evaluated without a param.
+	ParamRef *ParamRefApplyConfiguration `json:"paramRef,omitempty"`
+	// matchResources limits what resources match this binding and may be mutated by it.
+	// Note that if matchResources matches a resource, the resource must also match a policy's matchConstraints and
+	// matchConditions before the resource may be mutated.
+	// When matchResources is unset, it does not constrain resource matching, and only the policy's matchConstraints
+	// and matchConditions must match for the resource to be mutated.
+	// Additionally, matchResources.resourceRules are optional and do not constraint matching when unset.
+	// Note that this is differs from MutatingAdmissionPolicy matchConstraints, where resourceRules are required.
+	// The CREATE, UPDATE and CONNECT operations are allowed.  The DELETE operation may not be matched.
+	// '*' matches CREATE, UPDATE and CONNECT.
 	MatchResources *MatchResourcesApplyConfiguration `json:"matchResources,omitempty"`
 }
 

applyconfigurations/admissionregistration/v1alpha1/mutatingadmissionpolicyspec.go

@@ -25,14 +25,74 @@ import (
 
 // MutatingAdmissionPolicySpecApplyConfiguration represents a declarative configuration of the MutatingAdmissionPolicySpec type for use
 // with apply.
+//
+// MutatingAdmissionPolicySpec is the specification of the desired behavior of the admission policy.
 type MutatingAdmissionPolicySpecApplyConfiguration struct {
-	ParamKind          *ParamKindApplyConfiguration                     `json:"paramKind,omitempty"`
-	MatchConstraints   *MatchResourcesApplyConfiguration                `json:"matchConstraints,omitempty"`
-	Variables          []VariableApplyConfiguration                     `json:"variables,omitempty"`
-	Mutations          []MutationApplyConfiguration                     `json:"mutations,omitempty"`
-	FailurePolicy      *admissionregistrationv1alpha1.FailurePolicyType `json:"failurePolicy,omitempty"`
-	MatchConditions    []MatchConditionApplyConfiguration               `json:"matchConditions,omitempty"`
-	ReinvocationPolicy *v1.ReinvocationPolicyType                       `json:"reinvocationPolicy,omitempty"`
+	// paramKind specifies the kind of resources used to parameterize this policy.
+	// If absent, there are no parameters for this policy and the param CEL variable will not be provided to validation expressions.
+	// If paramKind refers to a non-existent kind, this policy definition is mis-configured and the FailurePolicy is applied.
+	// If paramKind is specified but paramRef is unset in MutatingAdmissionPolicyBinding, the params variable will be null.
+	ParamKind *ParamKindApplyConfiguration `json:"paramKind,omitempty"`
+	// matchConstraints specifies what resources this policy is designed to validate.
+	// The MutatingAdmissionPolicy cares about a request if it matches _all_ Constraints.
+	// However, in order to prevent clusters from being put into an unstable state that cannot be recovered from via the API
+	// MutatingAdmissionPolicy cannot match MutatingAdmissionPolicy and MutatingAdmissionPolicyBinding.
+	// The CREATE, UPDATE and CONNECT operations are allowed.  The DELETE operation may not be matched.
+	// '*' matches CREATE, UPDATE and CONNECT.
+	// Required.
+	MatchConstraints *MatchResourcesApplyConfiguration `json:"matchConstraints,omitempty"`
+	// variables contain definitions of variables that can be used in composition of other expressions.
+	// Each variable is defined as a named CEL expression.
+	// The variables defined here will be available under `variables` in other expressions of the policy
+	// except matchConditions because matchConditions are evaluated before the rest of the policy.
+	//
+	// The expression of a variable can refer to other variables defined earlier in the list but not those after.
+	// Thus, variables must be sorted by the order of first appearance and acyclic.
+	Variables []VariableApplyConfiguration `json:"variables,omitempty"`
+	// mutations contain operations to perform on matching objects.
+	// mutations may not be empty; a minimum of one mutation is required.
+	// mutations are evaluated in order, and are reinvoked according to
+	// the reinvocationPolicy.
+	// The mutations of a policy are invoked for each binding of this policy
+	// and reinvocation of mutations occurs on a per binding basis.
+	Mutations []MutationApplyConfiguration `json:"mutations,omitempty"`
+	// failurePolicy defines how to handle failures for the admission policy. Failures can
+	// occur from CEL expression parse errors, type check errors, runtime errors and invalid
+	// or mis-configured policy definitions or bindings.
+	//
+	// A policy is invalid if paramKind refers to a non-existent Kind.
+	// A binding is invalid if paramRef.name refers to a non-existent resource.
+	//
+	// failurePolicy does not define how validations that evaluate to false are handled.
+	//
+	// Allowed values are Ignore or Fail. Defaults to Fail.
+	FailurePolicy *admissionregistrationv1alpha1.FailurePolicyType `json:"failurePolicy,omitempty"`
+	// matchConditions is a list of conditions that must be met for a request to be validated.
+	// Match conditions filter requests that have already been matched by the matchConstraints.
+	// An empty list of matchConditions matches all requests.
+	// There are a maximum of 64 match conditions allowed.
+	//
+	// If a parameter object is provided, it can be accessed via the `params` handle in the same
+	// manner as validation expressions.
+	//
+	// The exact matching logic is (in order):
+	// 1. If ANY matchCondition evaluates to FALSE, the policy is skipped.
+	// 2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.
+	// 3. If any matchCondition evaluates to an error (but none are FALSE):
+	// - If failurePolicy=Fail, reject the request
+	// - If failurePolicy=Ignore, the policy is skipped
+	MatchConditions []MatchConditionApplyConfiguration `json:"matchConditions,omitempty"`
+	// reinvocationPolicy indicates whether mutations may be called multiple times per MutatingAdmissionPolicyBinding
+	// as part of a single admission evaluation.
+	// Allowed values are "Never" and "IfNeeded".
+	//
+	// Never: These mutations will not be called more than once per binding in a single admission evaluation.
+	//
+	// IfNeeded: These mutations may be invoked more than once per binding for a single admission request and there is no guarantee of
+	// order with respect to other admission plugins, admission webhooks, bindings of this policy and admission policies.  Mutations are only
+	// reinvoked when mutations change the object after this mutation is invoked.
+	// Required.
+	ReinvocationPolicy *v1.ReinvocationPolicyType `json:"reinvocationPolicy,omitempty"`
 }
 
 // MutatingAdmissionPolicySpecApplyConfiguration constructs a declarative configuration of the MutatingAdmissionPolicySpec type for use with

applyconfigurations/admissionregistration/v1alpha1/mutation.go

@@ -24,10 +24,21 @@ import (
 
 // MutationApplyConfiguration represents a declarative configuration of the Mutation type for use
 // with apply.
+//
+// Mutation specifies the CEL expression which is used to apply the Mutation.
 type MutationApplyConfiguration struct {
-	PatchType          *admissionregistrationv1alpha1.PatchType `json:"patchType,omitempty"`
-	ApplyConfiguration *ApplyConfigurationApplyConfiguration    `json:"applyConfiguration,omitempty"`
-	JSONPatch          *JSONPatchApplyConfiguration             `json:"jsonPatch,omitempty"`
+	// patchType indicates the patch strategy used.
+	// Allowed values are "ApplyConfiguration" and "JSONPatch".
+	// Required.
+	PatchType *admissionregistrationv1alpha1.PatchType `json:"patchType,omitempty"`
+	// applyConfiguration defines the desired configuration values of an object.
+	// The configuration is applied to the admission object using
+	// [structured merge diff](https://github.com/kubernetes-sigs/structured-merge-diff).
+	// A CEL expression is used to create apply configuration.
+	ApplyConfiguration *ApplyConfigurationApplyConfiguration `json:"applyConfiguration,omitempty"`
+	// jsonPatch defines a [JSON patch](https://jsonpatch.com/) operation to perform a mutation to the object.
+	// A CEL expression is used to create the JSON patch.
+	JSONPatch *JSONPatchApplyConfiguration `json:"jsonPatch,omitempty"`
 }
 
 // MutationApplyConfiguration constructs a declarative configuration of the Mutation type for use with

applyconfigurations/admissionregistration/v1alpha1/namedrulewithoperations.go

@@ -25,9 +25,13 @@ import (
 
 // NamedRuleWithOperationsApplyConfiguration represents a declarative configuration of the NamedRuleWithOperations type for use
 // with apply.
+//
+// NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.
 type NamedRuleWithOperationsApplyConfiguration struct {
-	ResourceNames                           []string `json:"resourceNames,omitempty"`
-	v1.RuleWithOperationsApplyConfiguration `json:",inline"`
+	// resourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.
+	ResourceNames []string `json:"resourceNames,omitempty"`
+	// RuleWithOperations is a tuple of Operations and Resources.
+	v1.RuleWithOperationsApplyConfiguration `json:""`
 }
 
 // NamedRuleWithOperationsApplyConfiguration constructs a declarative configuration of the NamedRuleWithOperations type for use with

applyconfigurations/admissionregistration/v1alpha1/paramkind.go

@@ -20,9 +20,16 @@ package v1alpha1
 
 // ParamKindApplyConfiguration represents a declarative configuration of the ParamKind type for use
 // with apply.
+//
+// ParamKind is a tuple of Group Kind and Version.
 type ParamKindApplyConfiguration struct {
+	// apiVersion is the API group version the resources belong to.
+	// In format of "group/version".
+	// Required.
 	APIVersion *string `json:"apiVersion,omitempty"`
-	Kind       *string `json:"kind,omitempty"`
+	// kind is the API kind the resources belong to.
+	// Required.
+	Kind *string `json:"kind,omitempty"`
 }
 
 // ParamKindApplyConfiguration constructs a declarative configuration of the ParamKind type for use with

applyconfigurations/admissionregistration/v1alpha1/paramref.go

@@ -25,10 +25,48 @@ import (
 
 // ParamRefApplyConfiguration represents a declarative configuration of the ParamRef type for use
 // with apply.
+//
+// ParamRef describes how to locate the params to be used as input to
+// expressions of rules applied by a policy binding.
 type ParamRefApplyConfiguration struct {
-	Name                    *string                                                    `json:"name,omitempty"`
-	Namespace               *string                                                    `json:"namespace,omitempty"`
-	Selector                *v1.LabelSelectorApplyConfiguration                        `json:"selector,omitempty"`
+	// name is the name of the resource being referenced.
+	//
+	// `name` and `selector` are mutually exclusive properties. If one is set,
+	// the other must be unset.
+	Name *string `json:"name,omitempty"`
+	// namespace is the namespace of the referenced resource. Allows limiting
+	// the search for params to a specific namespace. Applies to both `name` and
+	// `selector` fields.
+	//
+	// A per-namespace parameter may be used by specifying a namespace-scoped
+	// `paramKind` in the policy and leaving this field empty.
+	//
+	// - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this
+	// field results in a configuration error.
+	//
+	// - If `paramKind` is namespace-scoped, the namespace of the object being
+	// evaluated for admission will be used when this field is left unset. Take
+	// care that if this is left empty the binding must not match any cluster-scoped
+	// resources, which will result in an error.
+	Namespace *string `json:"namespace,omitempty"`
+	// selector can be used to match multiple param objects based on their labels.
+	// Supply selector: {} to match all resources of the ParamKind.
+	//
+	// If multiple params are found, they are all evaluated with the policy expressions
+	// and the results are ANDed together.
+	//
+	// One of `name` or `selector` must be set, but `name` and `selector` are
+	// mutually exclusive properties. If one is set, the other must be unset.
+	Selector *v1.LabelSelectorApplyConfiguration `json:"selector,omitempty"`
+	// parameterNotFoundAction controls the behavior of the binding when the resource
+	// exists, and name or selector is valid, but there are no parameters
+	// matched by the binding. If the value is set to `Allow`, then no
+	// matched parameters will be treated as successful validation by the binding.
+	// If set to `Deny`, then no matched parameters will be subject to the
+	// `failurePolicy` of the policy.
+	//
+	// Allowed values are `Allow` or `Deny`
+	// Default to `Deny`
 	ParameterNotFoundAction *admissionregistrationv1alpha1.ParameterNotFoundActionType `json:"parameterNotFoundAction,omitempty"`
 }
 

applyconfigurations/admissionregistration/v1alpha1/typechecking.go

@@ -20,7 +20,11 @@ package v1alpha1
 
 // TypeCheckingApplyConfiguration represents a declarative configuration of the TypeChecking type for use
 // with apply.
+//
+// TypeChecking contains results of type checking the expressions in the
+// ValidatingAdmissionPolicy
 type TypeCheckingApplyConfiguration struct {
+	// expressionWarnings contains the type checking warnings for each expression.
 	ExpressionWarnings []ExpressionWarningApplyConfiguration `json:"expressionWarnings,omitempty"`
 }
 

applyconfigurations/admissionregistration/v1alpha1/validatingadmissionpolicy.go

@@ -29,11 +29,19 @@ import (
 
 // ValidatingAdmissionPolicyApplyConfiguration represents a declarative configuration of the ValidatingAdmissionPolicy type for use
 // with apply.
+//
+// ValidatingAdmissionPolicy describes the definition of an admission validation policy that accepts or rejects an object without changing it.
 type ValidatingAdmissionPolicyApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:""`
+	// metadata is the standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *ValidatingAdmissionPolicySpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                           *ValidatingAdmissionPolicyStatusApplyConfiguration `json:"status,omitempty"`
+	// spec defines the desired behavior of the ValidatingAdmissionPolicy.
+	Spec *ValidatingAdmissionPolicySpecApplyConfiguration `json:"spec,omitempty"`
+	// status represents the current status of the ValidatingAdmissionPolicy, including warnings that are useful to determine if the policy
+	// behaves in the expected way.
+	// Populated by the system.
+	// Read-only.
+	Status *ValidatingAdmissionPolicyStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // ValidatingAdmissionPolicy constructs a declarative configuration of the ValidatingAdmissionPolicy type for use with
@@ -46,29 +54,14 @@ func ValidatingAdmissionPolicy(name string) *ValidatingAdmissionPolicyApplyConfi
 	return b
 }
 
-// ExtractValidatingAdmissionPolicy extracts the applied configuration owned by fieldManager from
-// validatingAdmissionPolicy. If no managedFields are found in validatingAdmissionPolicy for fieldManager, a
-// ValidatingAdmissionPolicyApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractValidatingAdmissionPolicyFrom extracts the applied configuration owned by fieldManager from
+// validatingAdmissionPolicy for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // validatingAdmissionPolicy must be a unmodified ValidatingAdmissionPolicy API object that was retrieved from the Kubernetes API.
-// ExtractValidatingAdmissionPolicy provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractValidatingAdmissionPolicyFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractValidatingAdmissionPolicy(validatingAdmissionPolicy *admissionregistrationv1alpha1.ValidatingAdmissionPolicy, fieldManager string) (*ValidatingAdmissionPolicyApplyConfiguration, error) {
-	return extractValidatingAdmissionPolicy(validatingAdmissionPolicy, fieldManager, "")
-}
-
-// ExtractValidatingAdmissionPolicyStatus is the same as ExtractValidatingAdmissionPolicy except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractValidatingAdmissionPolicyStatus(validatingAdmissionPolicy *admissionregistrationv1alpha1.ValidatingAdmissionPolicy, fieldManager string) (*ValidatingAdmissionPolicyApplyConfiguration, error) {
-	return extractValidatingAdmissionPolicy(validatingAdmissionPolicy, fieldManager, "status")
-}
-
-func extractValidatingAdmissionPolicy(validatingAdmissionPolicy *admissionregistrationv1alpha1.ValidatingAdmissionPolicy, fieldManager string, subresource string) (*ValidatingAdmissionPolicyApplyConfiguration, error) {
+func ExtractValidatingAdmissionPolicyFrom(validatingAdmissionPolicy *admissionregistrationv1alpha1.ValidatingAdmissionPolicy, fieldManager string, subresource string) (*ValidatingAdmissionPolicyApplyConfiguration, error) {
 	b := &ValidatingAdmissionPolicyApplyConfiguration{}
 	err := managedfields.ExtractInto(validatingAdmissionPolicy, internal.Parser().Type("io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicy"), fieldManager, b, subresource)
 	if err != nil {
@@ -80,6 +73,27 @@ func extractValidatingAdmissionPolicy(validatingAdmissionPolicy *admissionregist
 	b.WithAPIVersion("admissionregistration.k8s.io/v1alpha1")
 	return b, nil
 }
+
+// ExtractValidatingAdmissionPolicy extracts the applied configuration owned by fieldManager from
+// validatingAdmissionPolicy. If no managedFields are found in validatingAdmissionPolicy for fieldManager, a
+// ValidatingAdmissionPolicyApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// validatingAdmissionPolicy must be a unmodified ValidatingAdmissionPolicy API object that was retrieved from the Kubernetes API.
+// ExtractValidatingAdmissionPolicy provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractValidatingAdmissionPolicy(validatingAdmissionPolicy *admissionregistrationv1alpha1.ValidatingAdmissionPolicy, fieldManager string) (*ValidatingAdmissionPolicyApplyConfiguration, error) {
+	return ExtractValidatingAdmissionPolicyFrom(validatingAdmissionPolicy, fieldManager, "")
+}
+
+// ExtractValidatingAdmissionPolicyStatus extracts the applied configuration owned by fieldManager from
+// validatingAdmissionPolicy for the status subresource.
+func ExtractValidatingAdmissionPolicyStatus(validatingAdmissionPolicy *admissionregistrationv1alpha1.ValidatingAdmissionPolicy, fieldManager string) (*ValidatingAdmissionPolicyApplyConfiguration, error) {
+	return ExtractValidatingAdmissionPolicyFrom(validatingAdmissionPolicy, fieldManager, "status")
+}
+
 func (b ValidatingAdmissionPolicyApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value

applyconfigurations/admissionregistration/v1alpha1/validatingadmissionpolicybinding.go

@@ -29,10 +29,24 @@ import (
 
 // ValidatingAdmissionPolicyBindingApplyConfiguration represents a declarative configuration of the ValidatingAdmissionPolicyBinding type for use
 // with apply.
+//
+// ValidatingAdmissionPolicyBinding binds the ValidatingAdmissionPolicy with paramerized resources.
+// ValidatingAdmissionPolicyBinding and parameter CRDs together define how cluster administrators configure policies for clusters.
+//
+// For a given admission request, each binding will cause its policy to be
+// evaluated N times, where N is 1 for policies/bindings that don't use
+// params, otherwise N is the number of parameters selected by the binding.
+//
+// The CEL expressions of a policy must have a computed CEL cost below the maximum
+// CEL budget. Each evaluation of the policy is given an independent CEL cost budget.
+// Adding/removing policies, bindings, or params can not affect whether a
+// given (policy, binding, param) combination is within its own CEL budget.
 type ValidatingAdmissionPolicyBindingApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:""`
+	// metadata is the standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *ValidatingAdmissionPolicyBindingSpecApplyConfiguration `json:"spec,omitempty"`
+	// spec defines the desired behavior of the ValidatingAdmissionPolicyBinding.
+	Spec *ValidatingAdmissionPolicyBindingSpecApplyConfiguration `json:"spec,omitempty"`
 }
 
 // ValidatingAdmissionPolicyBinding constructs a declarative configuration of the ValidatingAdmissionPolicyBinding type for use with
@@ -45,29 +59,14 @@ func ValidatingAdmissionPolicyBinding(name string) *ValidatingAdmissionPolicyBin
 	return b
 }
 
-// ExtractValidatingAdmissionPolicyBinding extracts the applied configuration owned by fieldManager from
-// validatingAdmissionPolicyBinding. If no managedFields are found in validatingAdmissionPolicyBinding for fieldManager, a
-// ValidatingAdmissionPolicyBindingApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractValidatingAdmissionPolicyBindingFrom extracts the applied configuration owned by fieldManager from
+// validatingAdmissionPolicyBinding for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // validatingAdmissionPolicyBinding must be a unmodified ValidatingAdmissionPolicyBinding API object that was retrieved from the Kubernetes API.
-// ExtractValidatingAdmissionPolicyBinding provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractValidatingAdmissionPolicyBindingFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractValidatingAdmissionPolicyBinding(validatingAdmissionPolicyBinding *admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding, fieldManager string) (*ValidatingAdmissionPolicyBindingApplyConfiguration, error) {
-	return extractValidatingAdmissionPolicyBinding(validatingAdmissionPolicyBinding, fieldManager, "")
-}
-
-// ExtractValidatingAdmissionPolicyBindingStatus is the same as ExtractValidatingAdmissionPolicyBinding except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractValidatingAdmissionPolicyBindingStatus(validatingAdmissionPolicyBinding *admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding, fieldManager string) (*ValidatingAdmissionPolicyBindingApplyConfiguration, error) {
-	return extractValidatingAdmissionPolicyBinding(validatingAdmissionPolicyBinding, fieldManager, "status")
-}
-
-func extractValidatingAdmissionPolicyBinding(validatingAdmissionPolicyBinding *admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding, fieldManager string, subresource string) (*ValidatingAdmissionPolicyBindingApplyConfiguration, error) {
+func ExtractValidatingAdmissionPolicyBindingFrom(validatingAdmissionPolicyBinding *admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding, fieldManager string, subresource string) (*ValidatingAdmissionPolicyBindingApplyConfiguration, error) {
 	b := &ValidatingAdmissionPolicyBindingApplyConfiguration{}
 	err := managedfields.ExtractInto(validatingAdmissionPolicyBinding, internal.Parser().Type("io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicyBinding"), fieldManager, b, subresource)
 	if err != nil {
@@ -79,6 +78,21 @@ func extractValidatingAdmissionPolicyBinding(validatingAdmissionPolicyBinding *a
 	b.WithAPIVersion("admissionregistration.k8s.io/v1alpha1")
 	return b, nil
 }
+
+// ExtractValidatingAdmissionPolicyBinding extracts the applied configuration owned by fieldManager from
+// validatingAdmissionPolicyBinding. If no managedFields are found in validatingAdmissionPolicyBinding for fieldManager, a
+// ValidatingAdmissionPolicyBindingApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// validatingAdmissionPolicyBinding must be a unmodified ValidatingAdmissionPolicyBinding API object that was retrieved from the Kubernetes API.
+// ExtractValidatingAdmissionPolicyBinding provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractValidatingAdmissionPolicyBinding(validatingAdmissionPolicyBinding *admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding, fieldManager string) (*ValidatingAdmissionPolicyBindingApplyConfiguration, error) {
+	return ExtractValidatingAdmissionPolicyBindingFrom(validatingAdmissionPolicyBinding, fieldManager, "")
+}
+
 func (b ValidatingAdmissionPolicyBindingApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value

applyconfigurations/admissionregistration/v1alpha1/validatingadmissionpolicybindingspec.go

@@ -24,10 +24,63 @@ import (
 
 // ValidatingAdmissionPolicyBindingSpecApplyConfiguration represents a declarative configuration of the ValidatingAdmissionPolicyBindingSpec type for use
 // with apply.
+//
+// ValidatingAdmissionPolicyBindingSpec is the specification of the ValidatingAdmissionPolicyBinding.
 type ValidatingAdmissionPolicyBindingSpecApplyConfiguration struct {
-	PolicyName        *string                                          `json:"policyName,omitempty"`
-	ParamRef          *ParamRefApplyConfiguration                      `json:"paramRef,omitempty"`
-	MatchResources    *MatchResourcesApplyConfiguration                `json:"matchResources,omitempty"`
+	// policyName references a ValidatingAdmissionPolicy name which the ValidatingAdmissionPolicyBinding binds to.
+	// If the referenced resource does not exist, this binding is considered invalid and will be ignored
+	// Required.
+	PolicyName *string `json:"policyName,omitempty"`
+	// paramRef specifies the parameter resource used to configure the admission control policy.
+	// It should point to a resource of the type specified in ParamKind of the bound ValidatingAdmissionPolicy.
+	// If the policy specifies a ParamKind and the resource referred to by ParamRef does not exist, this binding is considered mis-configured and the FailurePolicy of the ValidatingAdmissionPolicy applied.
+	// If the policy does not specify a ParamKind then this field is ignored, and the rules are evaluated without a param.
+	ParamRef *ParamRefApplyConfiguration `json:"paramRef,omitempty"`
+	// matchResources declares what resources match this binding and will be validated by it.
+	// Note that this is intersected with the policy's matchConstraints, so only requests that are matched by the policy can be selected by this.
+	// If this is unset, all resources matched by the policy are validated by this binding
+	// When resourceRules is unset, it does not constrain resource matching. If a resource is matched by the other fields of this object, it will be validated.
+	// Note that this is differs from ValidatingAdmissionPolicy matchConstraints, where resourceRules are required.
+	MatchResources *MatchResourcesApplyConfiguration `json:"matchResources,omitempty"`
+	// validationActions declares how Validations of the referenced ValidatingAdmissionPolicy are enforced.
+	// If a validation evaluates to false it is always enforced according to these actions.
+	//
+	// Failures defined by the ValidatingAdmissionPolicy's FailurePolicy are enforced according
+	// to these actions only if the FailurePolicy is set to Fail, otherwise the failures are
+	// ignored. This includes compilation errors, runtime errors and misconfigurations of the policy.
+	//
+	// validationActions is declared as a set of action values. Order does
+	// not matter. validationActions may not contain duplicates of the same action.
+	//
+	// The supported actions values are:
+	//
+	// "Deny" specifies that a validation failure results in a denied request.
+	//
+	// "Warn" specifies that a validation failure is reported to the request client
+	// in HTTP Warning headers, with a warning code of 299. Warnings can be sent
+	// both for allowed or denied admission responses.
+	//
+	// "Audit" specifies that a validation failure is included in the published
+	// audit event for the request. The audit event will contain a
+	// `validation.policy.admission.k8s.io/validation_failure` audit annotation
+	// with a value containing the details of the validation failures, formatted as
+	// a JSON list of objects, each with the following fields:
+	// - message: The validation failure message string
+	// - policy: The resource name of the ValidatingAdmissionPolicy
+	// - binding: The resource name of the ValidatingAdmissionPolicyBinding
+	// - expressionIndex: The index of the failed validations in the ValidatingAdmissionPolicy
+	// - validationActions: The enforcement actions enacted for the validation failure
+	// Example audit annotation:
+	// `"validation.policy.admission.k8s.io/validation_failure": "[{\"message\": \"Invalid value\", {\"policy\": \"policy.example.com\", {\"binding\": \"policybinding.example.com\", {\"expressionIndex\": \"1\", {\"validationActions\": [\"Audit\"]}]"`
+	//
+	// Clients should expect to handle additional values by ignoring
+	// any values not recognized.
+	//
+	// "Deny" and "Warn" may not be used together since this combination
+	// needlessly duplicates the validation failure both in the
+	// API response body and the HTTP warning headers.
+	//
+	// Required.
 	ValidationActions []admissionregistrationv1alpha1.ValidationAction `json:"validationActions,omitempty"`
 }
 

applyconfigurations/admissionregistration/v1alpha1/validatingadmissionpolicyspec.go

@@ -24,14 +24,66 @@ import (
 
 // ValidatingAdmissionPolicySpecApplyConfiguration represents a declarative configuration of the ValidatingAdmissionPolicySpec type for use
 // with apply.
+//
+// ValidatingAdmissionPolicySpec is the specification of the desired behavior of the AdmissionPolicy.
 type ValidatingAdmissionPolicySpecApplyConfiguration struct {
-	ParamKind        *ParamKindApplyConfiguration                     `json:"paramKind,omitempty"`
-	MatchConstraints *MatchResourcesApplyConfiguration                `json:"matchConstraints,omitempty"`
-	Validations      []ValidationApplyConfiguration                   `json:"validations,omitempty"`
-	FailurePolicy    *admissionregistrationv1alpha1.FailurePolicyType `json:"failurePolicy,omitempty"`
-	AuditAnnotations []AuditAnnotationApplyConfiguration              `json:"auditAnnotations,omitempty"`
-	MatchConditions  []MatchConditionApplyConfiguration               `json:"matchConditions,omitempty"`
-	Variables        []VariableApplyConfiguration                     `json:"variables,omitempty"`
+	// paramKind specifies the kind of resources used to parameterize this policy.
+	// If absent, there are no parameters for this policy and the param CEL variable will not be provided to validation expressions.
+	// If ParamKind refers to a non-existent kind, this policy definition is mis-configured and the FailurePolicy is applied.
+	// If paramKind is specified but paramRef is unset in ValidatingAdmissionPolicyBinding, the params variable will be null.
+	ParamKind *ParamKindApplyConfiguration `json:"paramKind,omitempty"`
+	// matchConstraints specifies what resources this policy is designed to validate.
+	// The AdmissionPolicy cares about a request if it matches _all_ Constraints.
+	// However, in order to prevent clusters from being put into an unstable state that cannot be recovered from via the API
+	// ValidatingAdmissionPolicy cannot match ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding.
+	// Required.
+	MatchConstraints *MatchResourcesApplyConfiguration `json:"matchConstraints,omitempty"`
+	// validations contain CEL expressions which is used to apply the validation.
+	// Validations and AuditAnnotations may not both be empty; a minimum of one Validations or AuditAnnotations is
+	// required.
+	Validations []ValidationApplyConfiguration `json:"validations,omitempty"`
+	// failurePolicy defines how to handle failures for the admission policy. Failures can
+	// occur from CEL expression parse errors, type check errors, runtime errors and invalid
+	// or mis-configured policy definitions or bindings.
+	//
+	// A policy is invalid if spec.paramKind refers to a non-existent Kind.
+	// A binding is invalid if spec.paramRef.name refers to a non-existent resource.
+	//
+	// failurePolicy does not define how validations that evaluate to false are handled.
+	//
+	// When failurePolicy is set to Fail, ValidatingAdmissionPolicyBinding validationActions
+	// define how failures are enforced.
+	//
+	// Allowed values are Ignore or Fail. Defaults to Fail.
+	FailurePolicy *admissionregistrationv1alpha1.FailurePolicyType `json:"failurePolicy,omitempty"`
+	// auditAnnotations contains CEL expressions which are used to produce audit
+	// annotations for the audit event of the API request.
+	// validations and auditAnnotations may not both be empty; a least one of validations or auditAnnotations is
+	// required.
+	AuditAnnotations []AuditAnnotationApplyConfiguration `json:"auditAnnotations,omitempty"`
+	// matchConditions is a list of conditions that must be met for a request to be validated.
+	// Match conditions filter requests that have already been matched by the rules,
+	// namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.
+	// There are a maximum of 64 match conditions allowed.
+	//
+	// If a parameter object is provided, it can be accessed via the `params` handle in the same
+	// manner as validation expressions.
+	//
+	// The exact matching logic is (in order):
+	// 1. If ANY matchCondition evaluates to FALSE, the policy is skipped.
+	// 2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.
+	// 3. If any matchCondition evaluates to an error (but none are FALSE):
+	// - If failurePolicy=Fail, reject the request
+	// - If failurePolicy=Ignore, the policy is skipped
+	MatchConditions []MatchConditionApplyConfiguration `json:"matchConditions,omitempty"`
+	// variables contain definitions of variables that can be used in composition of other expressions.
+	// Each variable is defined as a named CEL expression.
+	// The variables defined here will be available under `variables` in other expressions of the policy
+	// except MatchConditions because MatchConditions are evaluated before the rest of the policy.
+	//
+	// The expression of a variable can refer to other variables defined earlier in the list but not those after.
+	// Thus, Variables must be sorted by the order of first appearance and acyclic.
+	Variables []VariableApplyConfiguration `json:"variables,omitempty"`
 }
 
 // ValidatingAdmissionPolicySpecApplyConfiguration constructs a declarative configuration of the ValidatingAdmissionPolicySpec type for use with

applyconfigurations/admissionregistration/v1alpha1/validatingadmissionpolicystatus.go

@@ -24,10 +24,16 @@ import (
 
 // ValidatingAdmissionPolicyStatusApplyConfiguration represents a declarative configuration of the ValidatingAdmissionPolicyStatus type for use
 // with apply.
+//
+// ValidatingAdmissionPolicyStatus represents the status of a ValidatingAdmissionPolicy.
 type ValidatingAdmissionPolicyStatusApplyConfiguration struct {
-	ObservedGeneration *int64                           `json:"observedGeneration,omitempty"`
-	TypeChecking       *TypeCheckingApplyConfiguration  `json:"typeChecking,omitempty"`
-	Conditions         []v1.ConditionApplyConfiguration `json:"conditions,omitempty"`
+	// observedGeneration is the generation observed by the controller.
+	ObservedGeneration *int64 `json:"observedGeneration,omitempty"`
+	// typeChecking contains the results of type checking for each expression.
+	// Presence of this field indicates the completion of the type checking.
+	TypeChecking *TypeCheckingApplyConfiguration `json:"typeChecking,omitempty"`
+	// conditions represent the latest available observations of a policy's current state.
+	Conditions []v1.ConditionApplyConfiguration `json:"conditions,omitempty"`
 }
 
 // ValidatingAdmissionPolicyStatusApplyConfiguration constructs a declarative configuration of the ValidatingAdmissionPolicyStatus type for use with

applyconfigurations/admissionregistration/v1alpha1/validation.go

@@ -24,11 +24,77 @@ import (
 
 // ValidationApplyConfiguration represents a declarative configuration of the Validation type for use
 // with apply.
+//
+// Validation specifies the CEL expression which is used to apply the validation.
 type ValidationApplyConfiguration struct {
-	Expression        *string          `json:"expression,omitempty"`
-	Message           *string          `json:"message,omitempty"`
-	Reason            *v1.StatusReason `json:"reason,omitempty"`
-	MessageExpression *string          `json:"messageExpression,omitempty"`
+	// expression represents the expression which will be evaluated by CEL.
+	// ref: https://github.com/google/cel-spec
+	// CEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables:
+	//
+	// - 'object' - The object from the incoming request. The value is null for DELETE requests.
+	// - 'oldObject' - The existing object. The value is null for CREATE requests.
+	// - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
+	// - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.
+	// - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.
+	// - 'variables' - Map of composited variables, from its name to its lazily evaluated value.
+	// For example, a variable named 'foo' can be accessed as 'variables.foo'.
+	// - 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
+	// See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
+	// - 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
+	// request resource.
+	//
+	// The `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the
+	// object. No other metadata properties are accessible.
+	//
+	// Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.
+	// Accessible property names are escaped according to the following rules when accessed in the expression:
+	// - '__' escapes to '__underscores__'
+	// - '.' escapes to '__dot__'
+	// - '-' escapes to '__dash__'
+	// - '/' escapes to '__slash__'
+	// - Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are:
+	// "true", "false", "null", "in", "as", "break", "const", "continue", "else", "for", "function", "if",
+	// "import", "let", "loop", "package", "namespace", "return".
+	// Examples:
+	// - Expression accessing a property named "namespace": {"Expression": "object.__namespace__ > 0"}
+	// - Expression accessing a property named "x-prop": {"Expression": "object.x__dash__prop > 0"}
+	// - Expression accessing a property named "redact__d": {"Expression": "object.redact__underscores__d > 0"}
+	//
+	// Equality on arrays with list type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1].
+	// Concatenation on arrays with x-kubernetes-list-type use the semantics of the list type:
+	// - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and
+	// non-intersecting elements in `Y` are appended, retaining their partial order.
+	// - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values
+	// are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with
+	// non-intersecting keys are appended, retaining their partial order.
+	// Required.
+	Expression *string `json:"expression,omitempty"`
+	// message represents the message displayed when validation fails. The message is required if the Expression contains
+	// line breaks. The message must not contain line breaks.
+	// If unset, the message is "failed rule: {Rule}".
+	// e.g. "must be a URL with the host matching spec.host"
+	// If the Expression contains line breaks. Message is required.
+	// The message must not contain line breaks.
+	// If unset, the message is "failed Expression: {Expression}".
+	Message *string `json:"message,omitempty"`
+	// reason represents a machine-readable description of why this validation failed.
+	// If this is the first validation in the list to fail, this reason, as well as the
+	// corresponding HTTP response code, are used in the
+	// HTTP response to the client.
+	// The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge".
+	// If not set, StatusReasonInvalid is used in the response to the client.
+	Reason *v1.StatusReason `json:"reason,omitempty"`
+	// messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.
+	// Since messageExpression is used as a failure message, it must evaluate to a string.
+	// If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.
+	// If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced
+	// as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string
+	// that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and
+	// the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.
+	// messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.
+	// Example:
+	// "object.x must be less than max ("+string(params.max)+")"
+	MessageExpression *string `json:"messageExpression,omitempty"`
 }
 
 // ValidationApplyConfiguration constructs a declarative configuration of the Validation type for use with

applyconfigurations/admissionregistration/v1alpha1/variable.go

@@ -20,8 +20,15 @@ package v1alpha1
 
 // VariableApplyConfiguration represents a declarative configuration of the Variable type for use
 // with apply.
+//
+// Variable is the definition of a variable that is used for composition.
 type VariableApplyConfiguration struct {
-	Name       *string `json:"name,omitempty"`
+	// name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.
+	// The variable can be accessed in other expressions through `variables`
+	// For example, if name is "foo", the variable will be available as `variables.foo`
+	Name *string `json:"name,omitempty"`
+	// expression is the expression that will be evaluated as the value of the variable.
+	// The CEL expression has access to the same identifiers as the CEL expressions in Validation.
 	Expression *string `json:"expression,omitempty"`
 }
 

applyconfigurations/admissionregistration/v1beta1/applyconfiguration.go

@@ -20,7 +20,49 @@ package v1beta1
 
 // ApplyConfigurationApplyConfiguration represents a declarative configuration of the ApplyConfiguration type for use
 // with apply.
+//
+// ApplyConfiguration defines the desired configuration values of an object.
 type ApplyConfigurationApplyConfiguration struct {
+	// expression will be evaluated by CEL to create an apply configuration.
+	// ref: https://github.com/google/cel-spec
+	//
+	// Apply configurations are declared in CEL using object initialization. For example, this CEL expression
+	// returns an apply configuration to set a single field:
+	//
+	// Object{
+	// spec: Object.spec{
+	// serviceAccountName: "example"
+	// }
+	// }
+	//
+	// Apply configurations may not modify atomic structs, maps or arrays due to the risk of accidental deletion of
+	// values not included in the apply configuration.
+	//
+	// CEL expressions have access to the object types needed to create apply configurations:
+	//
+	// - 'Object' - CEL type of the resource object.
+	// - 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec')
+	// - 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')
+	//
+	// CEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:
+	//
+	// - 'object' - The object from the incoming request. The value is null for DELETE requests.
+	// - 'oldObject' - The existing object. The value is null for CREATE requests.
+	// - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
+	// - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.
+	// - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.
+	// - 'variables' - Map of composited variables, from its name to its lazily evaluated value.
+	// For example, a variable named 'foo' can be accessed as 'variables.foo'.
+	// - 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
+	// See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
+	// - 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
+	// request resource.
+	//
+	// The `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the
+	// object. No other metadata properties are accessible.
+	//
+	// Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.
+	// Required.
 	Expression *string `json:"expression,omitempty"`
 }
 

applyconfigurations/admissionregistration/v1beta1/auditannotation.go

@@ -20,8 +20,40 @@ package v1beta1
 
 // AuditAnnotationApplyConfiguration represents a declarative configuration of the AuditAnnotation type for use
 // with apply.
+//
+// AuditAnnotation describes how to produce an audit annotation for an API request.
 type AuditAnnotationApplyConfiguration struct {
-	Key             *string `json:"key,omitempty"`
+	// key specifies the audit annotation key. The audit annotation keys of
+	// a ValidatingAdmissionPolicy must be unique. The key must be a qualified
+	// name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.
+	//
+	// The key is combined with the resource name of the
+	// ValidatingAdmissionPolicy to construct an audit annotation key:
+	// "{ValidatingAdmissionPolicy name}/{key}".
+	//
+	// If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy
+	// and the same audit annotation key, the annotation key will be identical.
+	// In this case, the first annotation written with the key will be included
+	// in the audit event and all subsequent annotations with the same key
+	// will be discarded.
+	//
+	// Required.
+	Key *string `json:"key,omitempty"`
+	// valueExpression represents the expression which is evaluated by CEL to
+	// produce an audit annotation value. The expression must evaluate to either
+	// a string or null value. If the expression evaluates to a string, the
+	// audit annotation is included with the string value. If the expression
+	// evaluates to null or empty string the audit annotation will be omitted.
+	// The valueExpression may be no longer than 5kb in length.
+	// If the result of the valueExpression is more than 10kb in length, it
+	// will be truncated to 10kb.
+	//
+	// If multiple ValidatingAdmissionPolicyBinding resources match an
+	// API request, then the valueExpression will be evaluated for
+	// each binding. All unique values produced by the valueExpressions
+	// will be joined together in a comma-separated list.
+	//
+	// Required.
 	ValueExpression *string `json:"valueExpression,omitempty"`
 }
 

applyconfigurations/admissionregistration/v1beta1/expressionwarning.go

@@ -20,9 +20,17 @@ package v1beta1
 
 // ExpressionWarningApplyConfiguration represents a declarative configuration of the ExpressionWarning type for use
 // with apply.
+//
+// ExpressionWarning is a warning information that targets a specific expression.
 type ExpressionWarningApplyConfiguration struct {
+	// fieldRef is the path to the field that refers to the expression.
+	// For example, the reference to the expression of the first item of
+	// validations is "spec.validations[0].expression"
 	FieldRef *string `json:"fieldRef,omitempty"`
-	Warning  *string `json:"warning,omitempty"`
+	// warning contains the content of type checking information in a human-readable form.
+	// Each line of the warning contains the type that the expression is checked
+	// against, followed by the type check error from the compiler.
+	Warning *string `json:"warning,omitempty"`
 }
 
 // ExpressionWarningApplyConfiguration constructs a declarative configuration of the ExpressionWarning type for use with

applyconfigurations/admissionregistration/v1beta1/jsonpatch.go

@@ -20,7 +20,73 @@ package v1beta1
 
 // JSONPatchApplyConfiguration represents a declarative configuration of the JSONPatch type for use
 // with apply.
+//
+// JSONPatch defines a JSON Patch.
 type JSONPatchApplyConfiguration struct {
+	// expression will be evaluated by CEL to create a [JSON patch](https://jsonpatch.com/).
+	// ref: https://github.com/google/cel-spec
+	//
+	// expression must return an array of JSONPatch values.
+	//
+	// For example, this CEL expression returns a JSON patch to conditionally modify a value:
+	//
+	// [
+	// JSONPatch{op: "test", path: "/spec/example", value: "Red"},
+	// JSONPatch{op: "replace", path: "/spec/example", value: "Green"}
+	// ]
+	//
+	// To define an object for the patch value, use Object types. For example:
+	//
+	// [
+	// JSONPatch{
+	// op: "add",
+	// path: "/spec/selector",
+	// value: Object.spec.selector{matchLabels: {"environment": "test"}}
+	// }
+	// ]
+	//
+	// To use strings containing '/' and '~' as JSONPatch path keys, use "jsonpatch.escapeKey". For example:
+	//
+	// [
+	// JSONPatch{
+	// op: "add",
+	// path: "/metadata/labels/" + jsonpatch.escapeKey("example.com/environment"),
+	// value: "test"
+	// },
+	// ]
+	//
+	// CEL expressions have access to the types needed to create JSON patches and objects:
+	//
+	// - 'JSONPatch' - CEL type of JSON Patch operations. JSONPatch has the fields 'op', 'from', 'path' and 'value'.
+	// See [JSON patch](https://jsonpatch.com/) for more details. The 'value' field may be set to any of: string,
+	// integer, array, map or object.  If set, the 'path' and 'from' fields must be set to a
+	// [JSON pointer](https://datatracker.ietf.org/doc/html/rfc6901/) string, where the 'jsonpatch.escapeKey()' CEL
+	// function may be used to escape path keys containing '/' and '~'.
+	// - 'Object' - CEL type of the resource object.
+	// - 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec')
+	// - 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')
+	//
+	// CEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:
+	//
+	// - 'object' - The object from the incoming request. The value is null for DELETE requests.
+	// - 'oldObject' - The existing object. The value is null for CREATE requests.
+	// - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
+	// - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.
+	// - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.
+	// - 'variables' - Map of composited variables, from its name to its lazily evaluated value.
+	// For example, a variable named 'foo' can be accessed as 'variables.foo'.
+	// - 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
+	// See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
+	// - 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
+	// request resource.
+	//
+	// CEL expressions have access to [Kubernetes CEL function libraries](https://kubernetes.io/docs/reference/using-api/cel/#cel-options-language-features-and-libraries)
+	// as well as:
+	//
+	// - 'jsonpatch.escapeKey' - Performs JSONPatch key escaping. '~' and  '/' are escaped as '~0' and `~1' respectively).
+	//
+	// Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.
+	// Required.
 	Expression *string `json:"expression,omitempty"`
 }
 

applyconfigurations/admissionregistration/v1beta1/matchcondition.go

@@ -20,8 +20,32 @@ package v1beta1
 
 // MatchConditionApplyConfiguration represents a declarative configuration of the MatchCondition type for use
 // with apply.
+//
+// MatchCondition represents a condition which must be fulfilled for a request to be sent to a webhook.
 type MatchConditionApplyConfiguration struct {
-	Name       *string `json:"name,omitempty"`
+	// name is an identifier for this match condition, used for strategic merging of MatchConditions,
+	// as well as providing an identifier for logging purposes. A good name should be descriptive of
+	// the associated expression.
+	// Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
+	// must start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or
+	// '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
+	// optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
+	//
+	// Required.
+	Name *string `json:"name,omitempty"`
+	// expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
+	// CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
+	//
+	// 'object' - The object from the incoming request. The value is null for DELETE requests.
+	// 'oldObject' - The existing object. The value is null for CREATE requests.
+	// 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
+	// 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
+	// See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
+	// 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
+	// request resource.
+	// Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
+	//
+	// Required.
 	Expression *string `json:"expression,omitempty"`
 }
 

applyconfigurations/admissionregistration/v1beta1/matchresources.go

@@ -25,12 +25,88 @@ import (
 
 // MatchResourcesApplyConfiguration represents a declarative configuration of the MatchResources type for use
 // with apply.
+//
+// MatchResources decides whether to run the admission control policy on an object based
+// on whether it meets the match criteria.
+// The exclude rules take precedence over include rules (if a resource matches both, it is excluded)
 type MatchResourcesApplyConfiguration struct {
-	NamespaceSelector    *v1.LabelSelectorApplyConfiguration           `json:"namespaceSelector,omitempty"`
-	ObjectSelector       *v1.LabelSelectorApplyConfiguration           `json:"objectSelector,omitempty"`
-	ResourceRules        []NamedRuleWithOperationsApplyConfiguration   `json:"resourceRules,omitempty"`
-	ExcludeResourceRules []NamedRuleWithOperationsApplyConfiguration   `json:"excludeResourceRules,omitempty"`
-	MatchPolicy          *admissionregistrationv1beta1.MatchPolicyType `json:"matchPolicy,omitempty"`
+	// namespaceSelector decides whether to run the admission control policy on an object based
+	// on whether the namespace for that object matches the selector. If the
+	// object itself is a namespace, the matching is performed on
+	// object.metadata.labels. If the object is another cluster scoped resource,
+	// it never skips the policy.
+	//
+	// For example, to run the webhook on any objects whose namespace is not
+	// associated with "runlevel" of "0" or "1";  you will set the selector as
+	// follows:
+	// "namespaceSelector": {
+	// "matchExpressions": [
+	// {
+	// "key": "runlevel",
+	// "operator": "NotIn",
+	// "values": [
+	// "0",
+	// "1"
+	// ]
+	// }
+	// ]
+	// }
+	//
+	// If instead you want to only run the policy on any objects whose
+	// namespace is associated with the "environment" of "prod" or "staging";
+	// you will set the selector as follows:
+	// "namespaceSelector": {
+	// "matchExpressions": [
+	// {
+	// "key": "environment",
+	// "operator": "In",
+	// "values": [
+	// "prod",
+	// "staging"
+	// ]
+	// }
+	// ]
+	// }
+	//
+	// See
+	// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+	// for more examples of label selectors.
+	//
+	// Default to the empty LabelSelector, which matches everything.
+	NamespaceSelector *v1.LabelSelectorApplyConfiguration `json:"namespaceSelector,omitempty"`
+	// objectSelector decides whether to run the validation based on if the
+	// object has matching labels. objectSelector is evaluated against both
+	// the oldObject and newObject that would be sent to the cel validation, and
+	// is considered to match if either object matches the selector. A null
+	// object (oldObject in the case of create, or newObject in the case of
+	// delete) or an object that cannot have labels (like a
+	// DeploymentRollback or a PodProxyOptions object) is not considered to
+	// match.
+	// Use the object selector only if the webhook is opt-in, because end
+	// users may skip the admission webhook by setting the labels.
+	// Default to the empty LabelSelector, which matches everything.
+	ObjectSelector *v1.LabelSelectorApplyConfiguration `json:"objectSelector,omitempty"`
+	// resourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches.
+	// The policy cares about an operation if it matches _any_ Rule.
+	ResourceRules []NamedRuleWithOperationsApplyConfiguration `json:"resourceRules,omitempty"`
+	// excludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about.
+	// The exclude rules take precedence over include rules (if a resource matches both, it is excluded)
+	ExcludeResourceRules []NamedRuleWithOperationsApplyConfiguration `json:"excludeResourceRules,omitempty"`
+	// matchPolicy defines how the "MatchResources" list is used to match incoming requests.
+	// Allowed values are "Exact" or "Equivalent".
+	//
+	// - Exact: match a request only if it exactly matches a specified rule.
+	// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
+	// but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
+	// a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.
+	//
+	// - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.
+	// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
+	// and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
+	// a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.
+	//
+	// Defaults to "Equivalent"
+	MatchPolicy *admissionregistrationv1beta1.MatchPolicyType `json:"matchPolicy,omitempty"`
 }
 
 // MatchResourcesApplyConfiguration constructs a declarative configuration of the MatchResources type for use with

applyconfigurations/admissionregistration/v1beta1/mutatingadmissionpolicy.go

@@ -29,10 +29,14 @@ import (
 
 // MutatingAdmissionPolicyApplyConfiguration represents a declarative configuration of the MutatingAdmissionPolicy type for use
 // with apply.
+//
+// MutatingAdmissionPolicy describes the definition of an admission mutation policy that mutates the object coming into admission chain.
 type MutatingAdmissionPolicyApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:""`
+	// metadata is the standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *MutatingAdmissionPolicySpecApplyConfiguration `json:"spec,omitempty"`
+	// spec defines the desired behavior of the MutatingAdmissionPolicy.
+	Spec *MutatingAdmissionPolicySpecApplyConfiguration `json:"spec,omitempty"`
 }
 
 // MutatingAdmissionPolicy constructs a declarative configuration of the MutatingAdmissionPolicy type for use with
@@ -45,29 +49,14 @@ func MutatingAdmissionPolicy(name string) *MutatingAdmissionPolicyApplyConfigura
 	return b
 }
 
-// ExtractMutatingAdmissionPolicy extracts the applied configuration owned by fieldManager from
-// mutatingAdmissionPolicy. If no managedFields are found in mutatingAdmissionPolicy for fieldManager, a
-// MutatingAdmissionPolicyApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractMutatingAdmissionPolicyFrom extracts the applied configuration owned by fieldManager from
+// mutatingAdmissionPolicy for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // mutatingAdmissionPolicy must be a unmodified MutatingAdmissionPolicy API object that was retrieved from the Kubernetes API.
-// ExtractMutatingAdmissionPolicy provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractMutatingAdmissionPolicyFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractMutatingAdmissionPolicy(mutatingAdmissionPolicy *admissionregistrationv1beta1.MutatingAdmissionPolicy, fieldManager string) (*MutatingAdmissionPolicyApplyConfiguration, error) {
-	return extractMutatingAdmissionPolicy(mutatingAdmissionPolicy, fieldManager, "")
-}
-
-// ExtractMutatingAdmissionPolicyStatus is the same as ExtractMutatingAdmissionPolicy except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractMutatingAdmissionPolicyStatus(mutatingAdmissionPolicy *admissionregistrationv1beta1.MutatingAdmissionPolicy, fieldManager string) (*MutatingAdmissionPolicyApplyConfiguration, error) {
-	return extractMutatingAdmissionPolicy(mutatingAdmissionPolicy, fieldManager, "status")
-}
-
-func extractMutatingAdmissionPolicy(mutatingAdmissionPolicy *admissionregistrationv1beta1.MutatingAdmissionPolicy, fieldManager string, subresource string) (*MutatingAdmissionPolicyApplyConfiguration, error) {
+func ExtractMutatingAdmissionPolicyFrom(mutatingAdmissionPolicy *admissionregistrationv1beta1.MutatingAdmissionPolicy, fieldManager string, subresource string) (*MutatingAdmissionPolicyApplyConfiguration, error) {
 	b := &MutatingAdmissionPolicyApplyConfiguration{}
 	err := managedfields.ExtractInto(mutatingAdmissionPolicy, internal.Parser().Type("io.k8s.api.admissionregistration.v1beta1.MutatingAdmissionPolicy"), fieldManager, b, subresource)
 	if err != nil {
@@ -79,6 +68,21 @@ func extractMutatingAdmissionPolicy(mutatingAdmissionPolicy *admissionregistrati
 	b.WithAPIVersion("admissionregistration.k8s.io/v1beta1")
 	return b, nil
 }
+
+// ExtractMutatingAdmissionPolicy extracts the applied configuration owned by fieldManager from
+// mutatingAdmissionPolicy. If no managedFields are found in mutatingAdmissionPolicy for fieldManager, a
+// MutatingAdmissionPolicyApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// mutatingAdmissionPolicy must be a unmodified MutatingAdmissionPolicy API object that was retrieved from the Kubernetes API.
+// ExtractMutatingAdmissionPolicy provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractMutatingAdmissionPolicy(mutatingAdmissionPolicy *admissionregistrationv1beta1.MutatingAdmissionPolicy, fieldManager string) (*MutatingAdmissionPolicyApplyConfiguration, error) {
+	return ExtractMutatingAdmissionPolicyFrom(mutatingAdmissionPolicy, fieldManager, "")
+}
+
 func (b MutatingAdmissionPolicyApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value

applyconfigurations/admissionregistration/v1beta1/mutatingadmissionpolicybinding.go

@@ -29,10 +29,24 @@ import (
 
 // MutatingAdmissionPolicyBindingApplyConfiguration represents a declarative configuration of the MutatingAdmissionPolicyBinding type for use
 // with apply.
+//
+// MutatingAdmissionPolicyBinding binds the MutatingAdmissionPolicy with parametrized resources.
+// MutatingAdmissionPolicyBinding and the optional parameter resource together define how cluster administrators
+// configure policies for clusters.
+//
+// For a given admission request, each binding will cause its policy to be
+// evaluated N times, where N is 1 for policies/bindings that don't use
+// params, otherwise N is the number of parameters selected by the binding.
+// Each evaluation is constrained by a [runtime cost budget](https://kubernetes.io/docs/reference/using-api/cel/#runtime-cost-budget).
+//
+// Adding/removing policies, bindings, or params can not affect whether a
+// given (policy, binding, param) combination is within its own CEL budget.
 type MutatingAdmissionPolicyBindingApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:""`
+	// metadata is the standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *MutatingAdmissionPolicyBindingSpecApplyConfiguration `json:"spec,omitempty"`
+	// spec defines the desired behavior of the MutatingAdmissionPolicyBinding.
+	Spec *MutatingAdmissionPolicyBindingSpecApplyConfiguration `json:"spec,omitempty"`
 }
 
 // MutatingAdmissionPolicyBinding constructs a declarative configuration of the MutatingAdmissionPolicyBinding type for use with
@@ -45,29 +59,14 @@ func MutatingAdmissionPolicyBinding(name string) *MutatingAdmissionPolicyBinding
 	return b
 }
 
-// ExtractMutatingAdmissionPolicyBinding extracts the applied configuration owned by fieldManager from
-// mutatingAdmissionPolicyBinding. If no managedFields are found in mutatingAdmissionPolicyBinding for fieldManager, a
-// MutatingAdmissionPolicyBindingApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractMutatingAdmissionPolicyBindingFrom extracts the applied configuration owned by fieldManager from
+// mutatingAdmissionPolicyBinding for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // mutatingAdmissionPolicyBinding must be a unmodified MutatingAdmissionPolicyBinding API object that was retrieved from the Kubernetes API.
-// ExtractMutatingAdmissionPolicyBinding provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractMutatingAdmissionPolicyBindingFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractMutatingAdmissionPolicyBinding(mutatingAdmissionPolicyBinding *admissionregistrationv1beta1.MutatingAdmissionPolicyBinding, fieldManager string) (*MutatingAdmissionPolicyBindingApplyConfiguration, error) {
-	return extractMutatingAdmissionPolicyBinding(mutatingAdmissionPolicyBinding, fieldManager, "")
-}
-
-// ExtractMutatingAdmissionPolicyBindingStatus is the same as ExtractMutatingAdmissionPolicyBinding except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractMutatingAdmissionPolicyBindingStatus(mutatingAdmissionPolicyBinding *admissionregistrationv1beta1.MutatingAdmissionPolicyBinding, fieldManager string) (*MutatingAdmissionPolicyBindingApplyConfiguration, error) {
-	return extractMutatingAdmissionPolicyBinding(mutatingAdmissionPolicyBinding, fieldManager, "status")
-}
-
-func extractMutatingAdmissionPolicyBinding(mutatingAdmissionPolicyBinding *admissionregistrationv1beta1.MutatingAdmissionPolicyBinding, fieldManager string, subresource string) (*MutatingAdmissionPolicyBindingApplyConfiguration, error) {
+func ExtractMutatingAdmissionPolicyBindingFrom(mutatingAdmissionPolicyBinding *admissionregistrationv1beta1.MutatingAdmissionPolicyBinding, fieldManager string, subresource string) (*MutatingAdmissionPolicyBindingApplyConfiguration, error) {
 	b := &MutatingAdmissionPolicyBindingApplyConfiguration{}
 	err := managedfields.ExtractInto(mutatingAdmissionPolicyBinding, internal.Parser().Type("io.k8s.api.admissionregistration.v1beta1.MutatingAdmissionPolicyBinding"), fieldManager, b, subresource)
 	if err != nil {
@@ -79,6 +78,21 @@ func extractMutatingAdmissionPolicyBinding(mutatingAdmissionPolicyBinding *admis
 	b.WithAPIVersion("admissionregistration.k8s.io/v1beta1")
 	return b, nil
 }
+
+// ExtractMutatingAdmissionPolicyBinding extracts the applied configuration owned by fieldManager from
+// mutatingAdmissionPolicyBinding. If no managedFields are found in mutatingAdmissionPolicyBinding for fieldManager, a
+// MutatingAdmissionPolicyBindingApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// mutatingAdmissionPolicyBinding must be a unmodified MutatingAdmissionPolicyBinding API object that was retrieved from the Kubernetes API.
+// ExtractMutatingAdmissionPolicyBinding provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractMutatingAdmissionPolicyBinding(mutatingAdmissionPolicyBinding *admissionregistrationv1beta1.MutatingAdmissionPolicyBinding, fieldManager string) (*MutatingAdmissionPolicyBindingApplyConfiguration, error) {
+	return ExtractMutatingAdmissionPolicyBindingFrom(mutatingAdmissionPolicyBinding, fieldManager, "")
+}
+
 func (b MutatingAdmissionPolicyBindingApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value

applyconfigurations/admissionregistration/v1beta1/mutatingadmissionpolicybindingspec.go

@@ -20,9 +20,27 @@ package v1beta1
 
 // MutatingAdmissionPolicyBindingSpecApplyConfiguration represents a declarative configuration of the MutatingAdmissionPolicyBindingSpec type for use
 // with apply.
+//
+// MutatingAdmissionPolicyBindingSpec is the specification of the MutatingAdmissionPolicyBinding.
 type MutatingAdmissionPolicyBindingSpecApplyConfiguration struct {
-	PolicyName     *string                           `json:"policyName,omitempty"`
-	ParamRef       *ParamRefApplyConfiguration       `json:"paramRef,omitempty"`
+	// policyName references a MutatingAdmissionPolicy name which the MutatingAdmissionPolicyBinding binds to.
+	// If the referenced resource does not exist, this binding is considered invalid and will be ignored
+	// Required.
+	PolicyName *string `json:"policyName,omitempty"`
+	// paramRef specifies the parameter resource used to configure the admission control policy.
+	// It should point to a resource of the type specified in spec.ParamKind of the bound MutatingAdmissionPolicy.
+	// If the policy specifies a ParamKind and the resource referred to by ParamRef does not exist, this binding is considered mis-configured and the FailurePolicy of the MutatingAdmissionPolicy applied.
+	// If the policy does not specify a ParamKind then this field is ignored, and the rules are evaluated without a param.
+	ParamRef *ParamRefApplyConfiguration `json:"paramRef,omitempty"`
+	// matchResources limits what resources match this binding and may be mutated by it.
+	// Note that if matchResources matches a resource, the resource must also match a policy's matchConstraints and
+	// matchConditions before the resource may be mutated.
+	// When matchResources is unset, it does not constrain resource matching, and only the policy's matchConstraints
+	// and matchConditions must match for the resource to be mutated.
+	// Additionally, matchResources.resourceRules are optional and do not constraint matching when unset.
+	// Note that this is differs from MutatingAdmissionPolicy matchConstraints, where resourceRules are required.
+	// The CREATE, UPDATE and CONNECT operations are allowed.  The DELETE operation may not be matched.
+	// '*' matches CREATE, UPDATE and CONNECT.
 	MatchResources *MatchResourcesApplyConfiguration `json:"matchResources,omitempty"`
 }
 

applyconfigurations/admissionregistration/v1beta1/mutatingadmissionpolicyspec.go

@@ -25,14 +25,74 @@ import (
 
 // MutatingAdmissionPolicySpecApplyConfiguration represents a declarative configuration of the MutatingAdmissionPolicySpec type for use
 // with apply.
+//
+// MutatingAdmissionPolicySpec is the specification of the desired behavior of the admission policy.
 type MutatingAdmissionPolicySpecApplyConfiguration struct {
-	ParamKind          *ParamKindApplyConfiguration                    `json:"paramKind,omitempty"`
-	MatchConstraints   *MatchResourcesApplyConfiguration               `json:"matchConstraints,omitempty"`
-	Variables          []VariableApplyConfiguration                    `json:"variables,omitempty"`
-	Mutations          []MutationApplyConfiguration                    `json:"mutations,omitempty"`
-	FailurePolicy      *admissionregistrationv1beta1.FailurePolicyType `json:"failurePolicy,omitempty"`
-	MatchConditions    []MatchConditionApplyConfiguration              `json:"matchConditions,omitempty"`
-	ReinvocationPolicy *v1.ReinvocationPolicyType                      `json:"reinvocationPolicy,omitempty"`
+	// paramKind specifies the kind of resources used to parameterize this policy.
+	// If absent, there are no parameters for this policy and the param CEL variable will not be provided to validation expressions.
+	// If paramKind refers to a non-existent kind, this policy definition is mis-configured and the FailurePolicy is applied.
+	// If paramKind is specified but paramRef is unset in MutatingAdmissionPolicyBinding, the params variable will be null.
+	ParamKind *ParamKindApplyConfiguration `json:"paramKind,omitempty"`
+	// matchConstraints specifies what resources this policy is designed to validate.
+	// The MutatingAdmissionPolicy cares about a request if it matches _all_ Constraints.
+	// However, in order to prevent clusters from being put into an unstable state that cannot be recovered from via the API
+	// MutatingAdmissionPolicy cannot match MutatingAdmissionPolicy and MutatingAdmissionPolicyBinding.
+	// The CREATE, UPDATE and CONNECT operations are allowed.  The DELETE operation may not be matched.
+	// '*' matches CREATE, UPDATE and CONNECT.
+	// Required.
+	MatchConstraints *MatchResourcesApplyConfiguration `json:"matchConstraints,omitempty"`
+	// variables contain definitions of variables that can be used in composition of other expressions.
+	// Each variable is defined as a named CEL expression.
+	// The variables defined here will be available under `variables` in other expressions of the policy
+	// except matchConditions because matchConditions are evaluated before the rest of the policy.
+	//
+	// The expression of a variable can refer to other variables defined earlier in the list but not those after.
+	// Thus, variables must be sorted by the order of first appearance and acyclic.
+	Variables []VariableApplyConfiguration `json:"variables,omitempty"`
+	// mutations contain operations to perform on matching objects.
+	// mutations may not be empty; a minimum of one mutation is required.
+	// mutations are evaluated in order, and are reinvoked according to
+	// the reinvocationPolicy.
+	// The mutations of a policy are invoked for each binding of this policy
+	// and reinvocation of mutations occurs on a per binding basis.
+	Mutations []MutationApplyConfiguration `json:"mutations,omitempty"`
+	// failurePolicy defines how to handle failures for the admission policy. Failures can
+	// occur from CEL expression parse errors, type check errors, runtime errors and invalid
+	// or mis-configured policy definitions or bindings.
+	//
+	// A policy is invalid if paramKind refers to a non-existent Kind.
+	// A binding is invalid if paramRef.name refers to a non-existent resource.
+	//
+	// failurePolicy does not define how validations that evaluate to false are handled.
+	//
+	// Allowed values are Ignore or Fail. Defaults to Fail.
+	FailurePolicy *admissionregistrationv1beta1.FailurePolicyType `json:"failurePolicy,omitempty"`
+	// matchConditions is a list of conditions that must be met for a request to be validated.
+	// Match conditions filter requests that have already been matched by the matchConstraints.
+	// An empty list of matchConditions matches all requests.
+	// There are a maximum of 64 match conditions allowed.
+	//
+	// If a parameter object is provided, it can be accessed via the `params` handle in the same
+	// manner as validation expressions.
+	//
+	// The exact matching logic is (in order):
+	// 1. If ANY matchCondition evaluates to FALSE, the policy is skipped.
+	// 2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.
+	// 3. If any matchCondition evaluates to an error (but none are FALSE):
+	// - If failurePolicy=Fail, reject the request
+	// - If failurePolicy=Ignore, the policy is skipped
+	MatchConditions []MatchConditionApplyConfiguration `json:"matchConditions,omitempty"`
+	// reinvocationPolicy indicates whether mutations may be called multiple times per MutatingAdmissionPolicyBinding
+	// as part of a single admission evaluation.
+	// Allowed values are "Never" and "IfNeeded".
+	//
+	// Never: These mutations will not be called more than once per binding in a single admission evaluation.
+	//
+	// IfNeeded: These mutations may be invoked more than once per binding for a single admission request and there is no guarantee of
+	// order with respect to other admission plugins, admission webhooks, bindings of this policy and admission policies.  Mutations are only
+	// reinvoked when mutations change the object after this mutation is invoked.
+	// Required.
+	ReinvocationPolicy *v1.ReinvocationPolicyType `json:"reinvocationPolicy,omitempty"`
 }
 
 // MutatingAdmissionPolicySpecApplyConfiguration constructs a declarative configuration of the MutatingAdmissionPolicySpec type for use with

applyconfigurations/admissionregistration/v1beta1/mutatingwebhook.go

@@ -27,19 +27,149 @@ import (
 
 // MutatingWebhookApplyConfiguration represents a declarative configuration of the MutatingWebhook type for use
 // with apply.
+//
+// MutatingWebhook describes an admission webhook and the resources and operations it applies to.
 type MutatingWebhookApplyConfiguration struct {
-	Name                    *string                                         `json:"name,omitempty"`
-	ClientConfig            *WebhookClientConfigApplyConfiguration          `json:"clientConfig,omitempty"`
-	Rules                   []v1.RuleWithOperationsApplyConfiguration       `json:"rules,omitempty"`
-	FailurePolicy           *admissionregistrationv1beta1.FailurePolicyType `json:"failurePolicy,omitempty"`
-	MatchPolicy             *admissionregistrationv1beta1.MatchPolicyType   `json:"matchPolicy,omitempty"`
-	NamespaceSelector       *metav1.LabelSelectorApplyConfiguration         `json:"namespaceSelector,omitempty"`
-	ObjectSelector          *metav1.LabelSelectorApplyConfiguration         `json:"objectSelector,omitempty"`
-	SideEffects             *admissionregistrationv1beta1.SideEffectClass   `json:"sideEffects,omitempty"`
-	TimeoutSeconds          *int32                                          `json:"timeoutSeconds,omitempty"`
-	AdmissionReviewVersions []string                                        `json:"admissionReviewVersions,omitempty"`
-	ReinvocationPolicy      *admissionregistrationv1.ReinvocationPolicyType `json:"reinvocationPolicy,omitempty"`
-	MatchConditions         []MatchConditionApplyConfiguration              `json:"matchConditions,omitempty"`
+	// name is the name of the admission webhook.
+	// Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where
+	// "imagepolicy" is the name of the webhook, and kubernetes.io is the name
+	// of the organization.
+	// Required.
+	Name *string `json:"name,omitempty"`
+	// clientConfig defines how to communicate with the hook.
+	// Required
+	ClientConfig *WebhookClientConfigApplyConfiguration `json:"clientConfig,omitempty"`
+	// rules describes what operations on what resources/subresources the webhook cares about.
+	// The webhook cares about an operation if it matches _any_ Rule.
+	// However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks
+	// from putting the cluster in a state which cannot be recovered from without completely
+	// disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called
+	// on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects.
+	Rules []v1.RuleWithOperationsApplyConfiguration `json:"rules,omitempty"`
+	// failurePolicy defines how unrecognized errors from the admission endpoint are handled -
+	// allowed values are Ignore or Fail. Defaults to Ignore.
+	FailurePolicy *admissionregistrationv1beta1.FailurePolicyType `json:"failurePolicy,omitempty"`
+	// matchPolicy defines how the "rules" list is used to match incoming requests.
+	// Allowed values are "Exact" or "Equivalent".
+	//
+	// - Exact: match a request only if it exactly matches a specified rule.
+	// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
+	// but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
+	// a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.
+	//
+	// - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.
+	// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
+	// and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
+	// a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.
+	//
+	// Defaults to "Exact"
+	MatchPolicy *admissionregistrationv1beta1.MatchPolicyType `json:"matchPolicy,omitempty"`
+	// namespaceSelector decides whether to run the webhook on an object based
+	// on whether the namespace for that object matches the selector. If the
+	// object itself is a namespace, the matching is performed on
+	// object.metadata.labels. If the object is another cluster scoped resource,
+	// it never skips the webhook.
+	//
+	// For example, to run the webhook on any objects whose namespace is not
+	// associated with "runlevel" of "0" or "1";  you will set the selector as
+	// follows:
+	// "namespaceSelector": {
+	// "matchExpressions": [
+	// {
+	// "key": "runlevel",
+	// "operator": "NotIn",
+	// "values": [
+	// "0",
+	// "1"
+	// ]
+	// }
+	// ]
+	// }
+	//
+	// If instead you want to only run the webhook on any objects whose
+	// namespace is associated with the "environment" of "prod" or "staging";
+	// you will set the selector as follows:
+	// "namespaceSelector": {
+	// "matchExpressions": [
+	// {
+	// "key": "environment",
+	// "operator": "In",
+	// "values": [
+	// "prod",
+	// "staging"
+	// ]
+	// }
+	// ]
+	// }
+	//
+	// See
+	// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+	// for more examples of label selectors.
+	//
+	// Default to the empty LabelSelector, which matches everything.
+	NamespaceSelector *metav1.LabelSelectorApplyConfiguration `json:"namespaceSelector,omitempty"`
+	// objectSelector decides whether to run the webhook based on if the
+	// object has matching labels. objectSelector is evaluated against both
+	// the oldObject and newObject that would be sent to the webhook, and
+	// is considered to match if either object matches the selector. A null
+	// object (oldObject in the case of create, or newObject in the case of
+	// delete) or an object that cannot have labels (like a
+	// DeploymentRollback or a PodProxyOptions object) is not considered to
+	// match.
+	// Use the object selector only if the webhook is opt-in, because end
+	// users may skip the admission webhook by setting the labels.
+	// Default to the empty LabelSelector, which matches everything.
+	ObjectSelector *metav1.LabelSelectorApplyConfiguration `json:"objectSelector,omitempty"`
+	// sideEffects states whether this webhook has side effects.
+	// Acceptable values are: Unknown, None, Some, NoneOnDryRun
+	// Webhooks with side effects MUST implement a reconciliation system, since a request may be
+	// rejected by a future step in the admission chain and the side effects therefore need to be undone.
+	// Requests with the dryRun attribute will be auto-rejected if they match a webhook with
+	// sideEffects == Unknown or Some. Defaults to Unknown.
+	SideEffects *admissionregistrationv1beta1.SideEffectClass `json:"sideEffects,omitempty"`
+	// timeoutSeconds specifies the timeout for this webhook. After the timeout passes,
+	// the webhook call will be ignored or the API call will fail based on the
+	// failure policy.
+	// The timeout value must be between 1 and 30 seconds.
+	// Default to 30 seconds.
+	TimeoutSeconds *int32 `json:"timeoutSeconds,omitempty"`
+	// admissionReviewVersions is an ordered list of preferred `AdmissionReview`
+	// versions the Webhook expects. API server will try to use first version in
+	// the list which it supports. If none of the versions specified in this list
+	// supported by API server, validation will fail for this object.
+	// If a persisted webhook configuration specifies allowed versions and does not
+	// include any versions known to the API Server, calls to the webhook will fail
+	// and be subject to the failure policy.
+	// Default to `['v1beta1']`.
+	AdmissionReviewVersions []string `json:"admissionReviewVersions,omitempty"`
+	// reinvocationPolicy indicates whether this webhook should be called multiple times as part of a single admission evaluation.
+	// Allowed values are "Never" and "IfNeeded".
+	//
+	// Never: the webhook will not be called more than once in a single admission evaluation.
+	//
+	// IfNeeded: the webhook will be called at least one additional time as part of the admission evaluation
+	// if the object being admitted is modified by other admission plugins after the initial webhook call.
+	// Webhooks that specify this option *must* be idempotent, able to process objects they previously admitted.
+	// Note:
+	// * the number of additional invocations is not guaranteed to be exactly one.
+	// * if additional invocations result in further modifications to the object, webhooks are not guaranteed to be invoked again.
+	// * webhooks that use this option may be reordered to minimize the number of additional invocations.
+	// * to validate an object after all mutations are guaranteed complete, use a validating admission webhook instead.
+	//
+	// Defaults to "Never".
+	ReinvocationPolicy *admissionregistrationv1.ReinvocationPolicyType `json:"reinvocationPolicy,omitempty"`
+	// matchConditions is a list of conditions that must be met for a request to be sent to this
+	// webhook. Match conditions filter requests that have already been matched by the rules,
+	// namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.
+	// There are a maximum of 64 match conditions allowed.
+	//
+	// The exact matching logic is (in order):
+	// 1. If ANY matchCondition evaluates to FALSE, the webhook is skipped.
+	// 2. If ALL matchConditions evaluate to TRUE, the webhook is called.
+	// 3. If any matchCondition evaluates to an error (but none are FALSE):
+	// - If failurePolicy=Fail, reject the request
+	// - If failurePolicy=Ignore, the error is ignored and the webhook is skipped
+	MatchConditions []MatchConditionApplyConfiguration `json:"matchConditions,omitempty"`
 }
 
 // MutatingWebhookApplyConfiguration constructs a declarative configuration of the MutatingWebhook type for use with

applyconfigurations/admissionregistration/v1beta1/mutatingwebhookconfiguration.go

@@ -29,10 +29,15 @@ import (
 
 // MutatingWebhookConfigurationApplyConfiguration represents a declarative configuration of the MutatingWebhookConfiguration type for use
 // with apply.
+//
+// MutatingWebhookConfiguration describes the configuration of and admission webhook that accept or reject and may change the object.
+// Deprecated in v1.16, planned for removal in v1.19. Use admissionregistration.k8s.io/v1 MutatingWebhookConfiguration instead.
 type MutatingWebhookConfigurationApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:""`
+	// metadata is the standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Webhooks                         []MutatingWebhookApplyConfiguration `json:"webhooks,omitempty"`
+	// webhooks is a list of webhooks and the affected resources and operations.
+	Webhooks []MutatingWebhookApplyConfiguration `json:"webhooks,omitempty"`
 }
 
 // MutatingWebhookConfiguration constructs a declarative configuration of the MutatingWebhookConfiguration type for use with
@@ -45,29 +50,14 @@ func MutatingWebhookConfiguration(name string) *MutatingWebhookConfigurationAppl
 	return b
 }
 
-// ExtractMutatingWebhookConfiguration extracts the applied configuration owned by fieldManager from
-// mutatingWebhookConfiguration. If no managedFields are found in mutatingWebhookConfiguration for fieldManager, a
-// MutatingWebhookConfigurationApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractMutatingWebhookConfigurationFrom extracts the applied configuration owned by fieldManager from
+// mutatingWebhookConfiguration for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // mutatingWebhookConfiguration must be a unmodified MutatingWebhookConfiguration API object that was retrieved from the Kubernetes API.
-// ExtractMutatingWebhookConfiguration provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractMutatingWebhookConfigurationFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractMutatingWebhookConfiguration(mutatingWebhookConfiguration *admissionregistrationv1beta1.MutatingWebhookConfiguration, fieldManager string) (*MutatingWebhookConfigurationApplyConfiguration, error) {
-	return extractMutatingWebhookConfiguration(mutatingWebhookConfiguration, fieldManager, "")
-}
-
-// ExtractMutatingWebhookConfigurationStatus is the same as ExtractMutatingWebhookConfiguration except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractMutatingWebhookConfigurationStatus(mutatingWebhookConfiguration *admissionregistrationv1beta1.MutatingWebhookConfiguration, fieldManager string) (*MutatingWebhookConfigurationApplyConfiguration, error) {
-	return extractMutatingWebhookConfiguration(mutatingWebhookConfiguration, fieldManager, "status")
-}
-
-func extractMutatingWebhookConfiguration(mutatingWebhookConfiguration *admissionregistrationv1beta1.MutatingWebhookConfiguration, fieldManager string, subresource string) (*MutatingWebhookConfigurationApplyConfiguration, error) {
+func ExtractMutatingWebhookConfigurationFrom(mutatingWebhookConfiguration *admissionregistrationv1beta1.MutatingWebhookConfiguration, fieldManager string, subresource string) (*MutatingWebhookConfigurationApplyConfiguration, error) {
 	b := &MutatingWebhookConfigurationApplyConfiguration{}
 	err := managedfields.ExtractInto(mutatingWebhookConfiguration, internal.Parser().Type("io.k8s.api.admissionregistration.v1beta1.MutatingWebhookConfiguration"), fieldManager, b, subresource)
 	if err != nil {
@@ -79,6 +69,21 @@ func extractMutatingWebhookConfiguration(mutatingWebhookConfiguration *admission
 	b.WithAPIVersion("admissionregistration.k8s.io/v1beta1")
 	return b, nil
 }
+
+// ExtractMutatingWebhookConfiguration extracts the applied configuration owned by fieldManager from
+// mutatingWebhookConfiguration. If no managedFields are found in mutatingWebhookConfiguration for fieldManager, a
+// MutatingWebhookConfigurationApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// mutatingWebhookConfiguration must be a unmodified MutatingWebhookConfiguration API object that was retrieved from the Kubernetes API.
+// ExtractMutatingWebhookConfiguration provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractMutatingWebhookConfiguration(mutatingWebhookConfiguration *admissionregistrationv1beta1.MutatingWebhookConfiguration, fieldManager string) (*MutatingWebhookConfigurationApplyConfiguration, error) {
+	return ExtractMutatingWebhookConfigurationFrom(mutatingWebhookConfiguration, fieldManager, "")
+}
+
 func (b MutatingWebhookConfigurationApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value

applyconfigurations/admissionregistration/v1beta1/mutation.go

@@ -24,10 +24,21 @@ import (
 
 // MutationApplyConfiguration represents a declarative configuration of the Mutation type for use
 // with apply.
+//
+// Mutation specifies the CEL expression which is used to apply the Mutation.
 type MutationApplyConfiguration struct {
-	PatchType          *admissionregistrationv1beta1.PatchType `json:"patchType,omitempty"`
-	ApplyConfiguration *ApplyConfigurationApplyConfiguration   `json:"applyConfiguration,omitempty"`
-	JSONPatch          *JSONPatchApplyConfiguration            `json:"jsonPatch,omitempty"`
+	// patchType indicates the patch strategy used.
+	// Allowed values are "ApplyConfiguration" and "JSONPatch".
+	// Required.
+	PatchType *admissionregistrationv1beta1.PatchType `json:"patchType,omitempty"`
+	// applyConfiguration defines the desired configuration values of an object.
+	// The configuration is applied to the admission object using
+	// [structured merge diff](https://github.com/kubernetes-sigs/structured-merge-diff).
+	// A CEL expression is used to create apply configuration.
+	ApplyConfiguration *ApplyConfigurationApplyConfiguration `json:"applyConfiguration,omitempty"`
+	// jsonPatch defines a [JSON patch](https://jsonpatch.com/) operation to perform a mutation to the object.
+	// A CEL expression is used to create the JSON patch.
+	JSONPatch *JSONPatchApplyConfiguration `json:"jsonPatch,omitempty"`
 }
 
 // MutationApplyConfiguration constructs a declarative configuration of the Mutation type for use with

applyconfigurations/admissionregistration/v1beta1/namedrulewithoperations.go

@@ -25,9 +25,13 @@ import (
 
 // NamedRuleWithOperationsApplyConfiguration represents a declarative configuration of the NamedRuleWithOperations type for use
 // with apply.
+//
+// NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.
 type NamedRuleWithOperationsApplyConfiguration struct {
-	ResourceNames                           []string `json:"resourceNames,omitempty"`
-	v1.RuleWithOperationsApplyConfiguration `json:",inline"`
+	// resourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.
+	ResourceNames []string `json:"resourceNames,omitempty"`
+	// RuleWithOperations is a tuple of Operations and Resources.
+	v1.RuleWithOperationsApplyConfiguration `json:""`
 }
 
 // NamedRuleWithOperationsApplyConfiguration constructs a declarative configuration of the NamedRuleWithOperations type for use with

applyconfigurations/admissionregistration/v1beta1/paramkind.go

@@ -20,9 +20,16 @@ package v1beta1
 
 // ParamKindApplyConfiguration represents a declarative configuration of the ParamKind type for use
 // with apply.
+//
+// ParamKind is a tuple of Group Kind and Version.
 type ParamKindApplyConfiguration struct {
+	// apiVersion is the API group version the resources belong to.
+	// In format of "group/version".
+	// Required.
 	APIVersion *string `json:"apiVersion,omitempty"`
-	Kind       *string `json:"kind,omitempty"`
+	// kind is the API kind the resources belong to.
+	// Required.
+	Kind *string `json:"kind,omitempty"`
 }
 
 // ParamKindApplyConfiguration constructs a declarative configuration of the ParamKind type for use with

applyconfigurations/admissionregistration/v1beta1/paramref.go

@@ -25,10 +25,53 @@ import (
 
 // ParamRefApplyConfiguration represents a declarative configuration of the ParamRef type for use
 // with apply.
+//
+// ParamRef describes how to locate the params to be used as input to
+// expressions of rules applied by a policy binding.
 type ParamRefApplyConfiguration struct {
-	Name                    *string                                                   `json:"name,omitempty"`
-	Namespace               *string                                                   `json:"namespace,omitempty"`
-	Selector                *v1.LabelSelectorApplyConfiguration                       `json:"selector,omitempty"`
+	// name is the name of the resource being referenced.
+	//
+	// One of `name` or `selector` must be set, but `name` and `selector` are
+	// mutually exclusive properties. If one is set, the other must be unset.
+	//
+	// A single parameter used for all admission requests can be configured
+	// by setting the `name` field, leaving `selector` blank, and setting namespace
+	// if `paramKind` is namespace-scoped.
+	Name *string `json:"name,omitempty"`
+	// namespace is the namespace of the referenced resource. Allows limiting
+	// the search for params to a specific namespace. Applies to both `name` and
+	// `selector` fields.
+	//
+	// A per-namespace parameter may be used by specifying a namespace-scoped
+	// `paramKind` in the policy and leaving this field empty.
+	//
+	// - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this
+	// field results in a configuration error.
+	//
+	// - If `paramKind` is namespace-scoped, the namespace of the object being
+	// evaluated for admission will be used when this field is left unset. Take
+	// care that if this is left empty the binding must not match any cluster-scoped
+	// resources, which will result in an error.
+	Namespace *string `json:"namespace,omitempty"`
+	// selector can be used to match multiple param objects based on their labels.
+	// Supply selector: {} to match all resources of the ParamKind.
+	//
+	// If multiple params are found, they are all evaluated with the policy expressions
+	// and the results are ANDed together.
+	//
+	// One of `name` or `selector` must be set, but `name` and `selector` are
+	// mutually exclusive properties. If one is set, the other must be unset.
+	Selector *v1.LabelSelectorApplyConfiguration `json:"selector,omitempty"`
+	// parameterNotFoundAction controls the behavior of the binding when the resource
+	// exists, and name or selector is valid, but there are no parameters
+	// matched by the binding. If the value is set to `Allow`, then no
+	// matched parameters will be treated as successful validation by the binding.
+	// If set to `Deny`, then no matched parameters will be subject to the
+	// `failurePolicy` of the policy.
+	//
+	// Allowed values are `Allow` or `Deny`
+	//
+	// Required
 	ParameterNotFoundAction *admissionregistrationv1beta1.ParameterNotFoundActionType `json:"parameterNotFoundAction,omitempty"`
 }
 

applyconfigurations/admissionregistration/v1beta1/servicereference.go

@@ -20,11 +20,22 @@ package v1beta1
 
 // ServiceReferenceApplyConfiguration represents a declarative configuration of the ServiceReference type for use
 // with apply.
+//
+// ServiceReference holds a reference to Service.legacy.k8s.io
 type ServiceReferenceApplyConfiguration struct {
+	// namespace is the namespace of the service.
+	// Required
 	Namespace *string `json:"namespace,omitempty"`
-	Name      *string `json:"name,omitempty"`
-	Path      *string `json:"path,omitempty"`
-	Port      *int32  `json:"port,omitempty"`
+	// name is the name of the service.
+	// Required
+	Name *string `json:"name,omitempty"`
+	// path is an optional URL path which will be sent in any request to
+	// this service.
+	Path *string `json:"path,omitempty"`
+	// port is the port on the service that hosts the webhook.
+	// Default to 443 for backward compatibility.
+	// port should be a valid port number (1-65535, inclusive).
+	Port *int32 `json:"port,omitempty"`
 }
 
 // ServiceReferenceApplyConfiguration constructs a declarative configuration of the ServiceReference type for use with

applyconfigurations/admissionregistration/v1beta1/typechecking.go

@@ -20,7 +20,11 @@ package v1beta1
 
 // TypeCheckingApplyConfiguration represents a declarative configuration of the TypeChecking type for use
 // with apply.
+//
+// TypeChecking contains results of type checking the expressions in the
+// ValidatingAdmissionPolicy
 type TypeCheckingApplyConfiguration struct {
+	// expressionWarnings contains the type checking warnings for each expression.
 	ExpressionWarnings []ExpressionWarningApplyConfiguration `json:"expressionWarnings,omitempty"`
 }
 

applyconfigurations/admissionregistration/v1beta1/validatingadmissionpolicy.go

@@ -29,11 +29,19 @@ import (
 
 // ValidatingAdmissionPolicyApplyConfiguration represents a declarative configuration of the ValidatingAdmissionPolicy type for use
 // with apply.
+//
+// ValidatingAdmissionPolicy describes the definition of an admission validation policy that accepts or rejects an object without changing it.
 type ValidatingAdmissionPolicyApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:""`
+	// metadata is the standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *ValidatingAdmissionPolicySpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                           *ValidatingAdmissionPolicyStatusApplyConfiguration `json:"status,omitempty"`
+	// spec defines the desired behavior of the ValidatingAdmissionPolicy.
+	Spec *ValidatingAdmissionPolicySpecApplyConfiguration `json:"spec,omitempty"`
+	// status represents the current status of the ValidatingAdmissionPolicy, including warnings that are useful to determine if the policy
+	// behaves in the expected way.
+	// Populated by the system.
+	// Read-only.
+	Status *ValidatingAdmissionPolicyStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // ValidatingAdmissionPolicy constructs a declarative configuration of the ValidatingAdmissionPolicy type for use with
@@ -46,29 +54,14 @@ func ValidatingAdmissionPolicy(name string) *ValidatingAdmissionPolicyApplyConfi
 	return b
 }
 
-// ExtractValidatingAdmissionPolicy extracts the applied configuration owned by fieldManager from
-// validatingAdmissionPolicy. If no managedFields are found in validatingAdmissionPolicy for fieldManager, a
-// ValidatingAdmissionPolicyApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractValidatingAdmissionPolicyFrom extracts the applied configuration owned by fieldManager from
+// validatingAdmissionPolicy for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // validatingAdmissionPolicy must be a unmodified ValidatingAdmissionPolicy API object that was retrieved from the Kubernetes API.
-// ExtractValidatingAdmissionPolicy provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractValidatingAdmissionPolicyFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractValidatingAdmissionPolicy(validatingAdmissionPolicy *admissionregistrationv1beta1.ValidatingAdmissionPolicy, fieldManager string) (*ValidatingAdmissionPolicyApplyConfiguration, error) {
-	return extractValidatingAdmissionPolicy(validatingAdmissionPolicy, fieldManager, "")
-}
-
-// ExtractValidatingAdmissionPolicyStatus is the same as ExtractValidatingAdmissionPolicy except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractValidatingAdmissionPolicyStatus(validatingAdmissionPolicy *admissionregistrationv1beta1.ValidatingAdmissionPolicy, fieldManager string) (*ValidatingAdmissionPolicyApplyConfiguration, error) {
-	return extractValidatingAdmissionPolicy(validatingAdmissionPolicy, fieldManager, "status")
-}
-
-func extractValidatingAdmissionPolicy(validatingAdmissionPolicy *admissionregistrationv1beta1.ValidatingAdmissionPolicy, fieldManager string, subresource string) (*ValidatingAdmissionPolicyApplyConfiguration, error) {
+func ExtractValidatingAdmissionPolicyFrom(validatingAdmissionPolicy *admissionregistrationv1beta1.ValidatingAdmissionPolicy, fieldManager string, subresource string) (*ValidatingAdmissionPolicyApplyConfiguration, error) {
 	b := &ValidatingAdmissionPolicyApplyConfiguration{}
 	err := managedfields.ExtractInto(validatingAdmissionPolicy, internal.Parser().Type("io.k8s.api.admissionregistration.v1beta1.ValidatingAdmissionPolicy"), fieldManager, b, subresource)
 	if err != nil {
@@ -80,6 +73,27 @@ func extractValidatingAdmissionPolicy(validatingAdmissionPolicy *admissionregist
 	b.WithAPIVersion("admissionregistration.k8s.io/v1beta1")
 	return b, nil
 }
+
+// ExtractValidatingAdmissionPolicy extracts the applied configuration owned by fieldManager from
+// validatingAdmissionPolicy. If no managedFields are found in validatingAdmissionPolicy for fieldManager, a
+// ValidatingAdmissionPolicyApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// validatingAdmissionPolicy must be a unmodified ValidatingAdmissionPolicy API object that was retrieved from the Kubernetes API.
+// ExtractValidatingAdmissionPolicy provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractValidatingAdmissionPolicy(validatingAdmissionPolicy *admissionregistrationv1beta1.ValidatingAdmissionPolicy, fieldManager string) (*ValidatingAdmissionPolicyApplyConfiguration, error) {
+	return ExtractValidatingAdmissionPolicyFrom(validatingAdmissionPolicy, fieldManager, "")
+}
+
+// ExtractValidatingAdmissionPolicyStatus extracts the applied configuration owned by fieldManager from
+// validatingAdmissionPolicy for the status subresource.
+func ExtractValidatingAdmissionPolicyStatus(validatingAdmissionPolicy *admissionregistrationv1beta1.ValidatingAdmissionPolicy, fieldManager string) (*ValidatingAdmissionPolicyApplyConfiguration, error) {
+	return ExtractValidatingAdmissionPolicyFrom(validatingAdmissionPolicy, fieldManager, "status")
+}
+
 func (b ValidatingAdmissionPolicyApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value

applyconfigurations/admissionregistration/v1beta1/validatingadmissionpolicybinding.go

@@ -29,10 +29,24 @@ import (
 
 // ValidatingAdmissionPolicyBindingApplyConfiguration represents a declarative configuration of the ValidatingAdmissionPolicyBinding type for use
 // with apply.
+//
+// ValidatingAdmissionPolicyBinding binds the ValidatingAdmissionPolicy with paramerized resources.
+// ValidatingAdmissionPolicyBinding and parameter CRDs together define how cluster administrators configure policies for clusters.
+//
+// For a given admission request, each binding will cause its policy to be
+// evaluated N times, where N is 1 for policies/bindings that don't use
+// params, otherwise N is the number of parameters selected by the binding.
+//
+// The CEL expressions of a policy must have a computed CEL cost below the maximum
+// CEL budget. Each evaluation of the policy is given an independent CEL cost budget.
+// Adding/removing policies, bindings, or params can not affect whether a
+// given (policy, binding, param) combination is within its own CEL budget.
 type ValidatingAdmissionPolicyBindingApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:""`
+	// metadata is the standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *ValidatingAdmissionPolicyBindingSpecApplyConfiguration `json:"spec,omitempty"`
+	// spec defines the desired behavior of the ValidatingAdmissionPolicyBinding.
+	Spec *ValidatingAdmissionPolicyBindingSpecApplyConfiguration `json:"spec,omitempty"`
 }
 
 // ValidatingAdmissionPolicyBinding constructs a declarative configuration of the ValidatingAdmissionPolicyBinding type for use with
@@ -45,29 +59,14 @@ func ValidatingAdmissionPolicyBinding(name string) *ValidatingAdmissionPolicyBin
 	return b
 }
 
-// ExtractValidatingAdmissionPolicyBinding extracts the applied configuration owned by fieldManager from
-// validatingAdmissionPolicyBinding. If no managedFields are found in validatingAdmissionPolicyBinding for fieldManager, a
-// ValidatingAdmissionPolicyBindingApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractValidatingAdmissionPolicyBindingFrom extracts the applied configuration owned by fieldManager from
+// validatingAdmissionPolicyBinding for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // validatingAdmissionPolicyBinding must be a unmodified ValidatingAdmissionPolicyBinding API object that was retrieved from the Kubernetes API.
-// ExtractValidatingAdmissionPolicyBinding provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractValidatingAdmissionPolicyBindingFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractValidatingAdmissionPolicyBinding(validatingAdmissionPolicyBinding *admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding, fieldManager string) (*ValidatingAdmissionPolicyBindingApplyConfiguration, error) {
-	return extractValidatingAdmissionPolicyBinding(validatingAdmissionPolicyBinding, fieldManager, "")
-}
-
-// ExtractValidatingAdmissionPolicyBindingStatus is the same as ExtractValidatingAdmissionPolicyBinding except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractValidatingAdmissionPolicyBindingStatus(validatingAdmissionPolicyBinding *admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding, fieldManager string) (*ValidatingAdmissionPolicyBindingApplyConfiguration, error) {
-	return extractValidatingAdmissionPolicyBinding(validatingAdmissionPolicyBinding, fieldManager, "status")
-}
-
-func extractValidatingAdmissionPolicyBinding(validatingAdmissionPolicyBinding *admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding, fieldManager string, subresource string) (*ValidatingAdmissionPolicyBindingApplyConfiguration, error) {
+func ExtractValidatingAdmissionPolicyBindingFrom(validatingAdmissionPolicyBinding *admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding, fieldManager string, subresource string) (*ValidatingAdmissionPolicyBindingApplyConfiguration, error) {
 	b := &ValidatingAdmissionPolicyBindingApplyConfiguration{}
 	err := managedfields.ExtractInto(validatingAdmissionPolicyBinding, internal.Parser().Type("io.k8s.api.admissionregistration.v1beta1.ValidatingAdmissionPolicyBinding"), fieldManager, b, subresource)
 	if err != nil {
@@ -79,6 +78,21 @@ func extractValidatingAdmissionPolicyBinding(validatingAdmissionPolicyBinding *a
 	b.WithAPIVersion("admissionregistration.k8s.io/v1beta1")
 	return b, nil
 }
+
+// ExtractValidatingAdmissionPolicyBinding extracts the applied configuration owned by fieldManager from
+// validatingAdmissionPolicyBinding. If no managedFields are found in validatingAdmissionPolicyBinding for fieldManager, a
+// ValidatingAdmissionPolicyBindingApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// validatingAdmissionPolicyBinding must be a unmodified ValidatingAdmissionPolicyBinding API object that was retrieved from the Kubernetes API.
+// ExtractValidatingAdmissionPolicyBinding provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractValidatingAdmissionPolicyBinding(validatingAdmissionPolicyBinding *admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding, fieldManager string) (*ValidatingAdmissionPolicyBindingApplyConfiguration, error) {
+	return ExtractValidatingAdmissionPolicyBindingFrom(validatingAdmissionPolicyBinding, fieldManager, "")
+}
+
 func (b ValidatingAdmissionPolicyBindingApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value

applyconfigurations/admissionregistration/v1beta1/validatingadmissionpolicybindingspec.go

@@ -24,10 +24,63 @@ import (
 
 // ValidatingAdmissionPolicyBindingSpecApplyConfiguration represents a declarative configuration of the ValidatingAdmissionPolicyBindingSpec type for use
 // with apply.
+//
+// ValidatingAdmissionPolicyBindingSpec is the specification of the ValidatingAdmissionPolicyBinding.
 type ValidatingAdmissionPolicyBindingSpecApplyConfiguration struct {
-	PolicyName        *string                                         `json:"policyName,omitempty"`
-	ParamRef          *ParamRefApplyConfiguration                     `json:"paramRef,omitempty"`
-	MatchResources    *MatchResourcesApplyConfiguration               `json:"matchResources,omitempty"`
+	// policyName references a ValidatingAdmissionPolicy name which the ValidatingAdmissionPolicyBinding binds to.
+	// If the referenced resource does not exist, this binding is considered invalid and will be ignored
+	// Required.
+	PolicyName *string `json:"policyName,omitempty"`
+	// paramRef specifies the parameter resource used to configure the admission control policy.
+	// It should point to a resource of the type specified in ParamKind of the bound ValidatingAdmissionPolicy.
+	// If the policy specifies a ParamKind and the resource referred to by ParamRef does not exist, this binding is considered mis-configured and the FailurePolicy of the ValidatingAdmissionPolicy applied.
+	// If the policy does not specify a ParamKind then this field is ignored, and the rules are evaluated without a param.
+	ParamRef *ParamRefApplyConfiguration `json:"paramRef,omitempty"`
+	// matchResources declares what resources match this binding and will be validated by it.
+	// Note that this is intersected with the policy's matchConstraints, so only requests that are matched by the policy can be selected by this.
+	// If this is unset, all resources matched by the policy are validated by this binding
+	// When resourceRules is unset, it does not constrain resource matching. If a resource is matched by the other fields of this object, it will be validated.
+	// Note that this is differs from ValidatingAdmissionPolicy matchConstraints, where resourceRules are required.
+	MatchResources *MatchResourcesApplyConfiguration `json:"matchResources,omitempty"`
+	// validationActions declares how Validations of the referenced ValidatingAdmissionPolicy are enforced.
+	// If a validation evaluates to false it is always enforced according to these actions.
+	//
+	// Failures defined by the ValidatingAdmissionPolicy's FailurePolicy are enforced according
+	// to these actions only if the FailurePolicy is set to Fail, otherwise the failures are
+	// ignored. This includes compilation errors, runtime errors and misconfigurations of the policy.
+	//
+	// validationActions is declared as a set of action values. Order does
+	// not matter. validationActions may not contain duplicates of the same action.
+	//
+	// The supported actions values are:
+	//
+	// "Deny" specifies that a validation failure results in a denied request.
+	//
+	// "Warn" specifies that a validation failure is reported to the request client
+	// in HTTP Warning headers, with a warning code of 299. Warnings can be sent
+	// both for allowed or denied admission responses.
+	//
+	// "Audit" specifies that a validation failure is included in the published
+	// audit event for the request. The audit event will contain a
+	// `validation.policy.admission.k8s.io/validation_failure` audit annotation
+	// with a value containing the details of the validation failures, formatted as
+	// a JSON list of objects, each with the following fields:
+	// - message: The validation failure message string
+	// - policy: The resource name of the ValidatingAdmissionPolicy
+	// - binding: The resource name of the ValidatingAdmissionPolicyBinding
+	// - expressionIndex: The index of the failed validations in the ValidatingAdmissionPolicy
+	// - validationActions: The enforcement actions enacted for the validation failure
+	// Example audit annotation:
+	// `"validation.policy.admission.k8s.io/validation_failure": "[{\"message\": \"Invalid value\", {\"policy\": \"policy.example.com\", {\"binding\": \"policybinding.example.com\", {\"expressionIndex\": \"1\", {\"validationActions\": [\"Audit\"]}]"`
+	//
+	// Clients should expect to handle additional values by ignoring
+	// any values not recognized.
+	//
+	// "Deny" and "Warn" may not be used together since this combination
+	// needlessly duplicates the validation failure both in the
+	// API response body and the HTTP warning headers.
+	//
+	// Required.
 	ValidationActions []admissionregistrationv1beta1.ValidationAction `json:"validationActions,omitempty"`
 }
 

applyconfigurations/admissionregistration/v1beta1/validatingadmissionpolicyspec.go

@@ -24,14 +24,66 @@ import (
 
 // ValidatingAdmissionPolicySpecApplyConfiguration represents a declarative configuration of the ValidatingAdmissionPolicySpec type for use
 // with apply.
+//
+// ValidatingAdmissionPolicySpec is the specification of the desired behavior of the AdmissionPolicy.
 type ValidatingAdmissionPolicySpecApplyConfiguration struct {
-	ParamKind        *ParamKindApplyConfiguration                    `json:"paramKind,omitempty"`
-	MatchConstraints *MatchResourcesApplyConfiguration               `json:"matchConstraints,omitempty"`
-	Validations      []ValidationApplyConfiguration                  `json:"validations,omitempty"`
-	FailurePolicy    *admissionregistrationv1beta1.FailurePolicyType `json:"failurePolicy,omitempty"`
-	AuditAnnotations []AuditAnnotationApplyConfiguration             `json:"auditAnnotations,omitempty"`
-	MatchConditions  []MatchConditionApplyConfiguration              `json:"matchConditions,omitempty"`
-	Variables        []VariableApplyConfiguration                    `json:"variables,omitempty"`
+	// paramKind specifies the kind of resources used to parameterize this policy.
+	// If absent, there are no parameters for this policy and the param CEL variable will not be provided to validation expressions.
+	// If ParamKind refers to a non-existent kind, this policy definition is mis-configured and the FailurePolicy is applied.
+	// If paramKind is specified but paramRef is unset in ValidatingAdmissionPolicyBinding, the params variable will be null.
+	ParamKind *ParamKindApplyConfiguration `json:"paramKind,omitempty"`
+	// matchConstraints specifies what resources this policy is designed to validate.
+	// The AdmissionPolicy cares about a request if it matches _all_ Constraints.
+	// However, in order to prevent clusters from being put into an unstable state that cannot be recovered from via the API
+	// ValidatingAdmissionPolicy cannot match ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding.
+	// Required.
+	MatchConstraints *MatchResourcesApplyConfiguration `json:"matchConstraints,omitempty"`
+	// validations contain CEL expressions which is used to apply the validation.
+	// Validations and AuditAnnotations may not both be empty; a minimum of one Validations or AuditAnnotations is
+	// required.
+	Validations []ValidationApplyConfiguration `json:"validations,omitempty"`
+	// failurePolicy defines how to handle failures for the admission policy. Failures can
+	// occur from CEL expression parse errors, type check errors, runtime errors and invalid
+	// or mis-configured policy definitions or bindings.
+	//
+	// A policy is invalid if spec.paramKind refers to a non-existent Kind.
+	// A binding is invalid if spec.paramRef.name refers to a non-existent resource.
+	//
+	// failurePolicy does not define how validations that evaluate to false are handled.
+	//
+	// When failurePolicy is set to Fail, ValidatingAdmissionPolicyBinding validationActions
+	// define how failures are enforced.
+	//
+	// Allowed values are Ignore or Fail. Defaults to Fail.
+	FailurePolicy *admissionregistrationv1beta1.FailurePolicyType `json:"failurePolicy,omitempty"`
+	// auditAnnotations contains CEL expressions which are used to produce audit
+	// annotations for the audit event of the API request.
+	// validations and auditAnnotations may not both be empty; a least one of validations or auditAnnotations is
+	// required.
+	AuditAnnotations []AuditAnnotationApplyConfiguration `json:"auditAnnotations,omitempty"`
+	// matchConditions is a list of conditions that must be met for a request to be validated.
+	// Match conditions filter requests that have already been matched by the rules,
+	// namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.
+	// There are a maximum of 64 match conditions allowed.
+	//
+	// If a parameter object is provided, it can be accessed via the `params` handle in the same
+	// manner as validation expressions.
+	//
+	// The exact matching logic is (in order):
+	// 1. If ANY matchCondition evaluates to FALSE, the policy is skipped.
+	// 2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.
+	// 3. If any matchCondition evaluates to an error (but none are FALSE):
+	// - If failurePolicy=Fail, reject the request
+	// - If failurePolicy=Ignore, the policy is skipped
+	MatchConditions []MatchConditionApplyConfiguration `json:"matchConditions,omitempty"`
+	// variables contain definitions of variables that can be used in composition of other expressions.
+	// Each variable is defined as a named CEL expression.
+	// The variables defined here will be available under `variables` in other expressions of the policy
+	// except MatchConditions because MatchConditions are evaluated before the rest of the policy.
+	//
+	// The expression of a variable can refer to other variables defined earlier in the list but not those after.
+	// Thus, Variables must be sorted by the order of first appearance and acyclic.
+	Variables []VariableApplyConfiguration `json:"variables,omitempty"`
 }
 
 // ValidatingAdmissionPolicySpecApplyConfiguration constructs a declarative configuration of the ValidatingAdmissionPolicySpec type for use with

applyconfigurations/admissionregistration/v1beta1/validatingadmissionpolicystatus.go

@@ -24,10 +24,16 @@ import (
 
 // ValidatingAdmissionPolicyStatusApplyConfiguration represents a declarative configuration of the ValidatingAdmissionPolicyStatus type for use
 // with apply.
+//
+// ValidatingAdmissionPolicyStatus represents the status of an admission validation policy.
 type ValidatingAdmissionPolicyStatusApplyConfiguration struct {
-	ObservedGeneration *int64                           `json:"observedGeneration,omitempty"`
-	TypeChecking       *TypeCheckingApplyConfiguration  `json:"typeChecking,omitempty"`
-	Conditions         []v1.ConditionApplyConfiguration `json:"conditions,omitempty"`
+	// observedGeneration is the generation observed by the controller.
+	ObservedGeneration *int64 `json:"observedGeneration,omitempty"`
+	// typeChecking contains the results of type checking for each expression.
+	// Presence of this field indicates the completion of the type checking.
+	TypeChecking *TypeCheckingApplyConfiguration `json:"typeChecking,omitempty"`
+	// conditions represent the latest available observations of a policy's current state.
+	Conditions []v1.ConditionApplyConfiguration `json:"conditions,omitempty"`
 }
 
 // ValidatingAdmissionPolicyStatusApplyConfiguration constructs a declarative configuration of the ValidatingAdmissionPolicyStatus type for use with

applyconfigurations/admissionregistration/v1beta1/validatingwebhook.go

@@ -26,18 +26,133 @@ import (
 
 // ValidatingWebhookApplyConfiguration represents a declarative configuration of the ValidatingWebhook type for use
 // with apply.
+//
+// ValidatingWebhook describes an admission webhook and the resources and operations it applies to.
 type ValidatingWebhookApplyConfiguration struct {
-	Name                    *string                                         `json:"name,omitempty"`
-	ClientConfig            *WebhookClientConfigApplyConfiguration          `json:"clientConfig,omitempty"`
-	Rules                   []v1.RuleWithOperationsApplyConfiguration       `json:"rules,omitempty"`
-	FailurePolicy           *admissionregistrationv1beta1.FailurePolicyType `json:"failurePolicy,omitempty"`
-	MatchPolicy             *admissionregistrationv1beta1.MatchPolicyType   `json:"matchPolicy,omitempty"`
-	NamespaceSelector       *metav1.LabelSelectorApplyConfiguration         `json:"namespaceSelector,omitempty"`
-	ObjectSelector          *metav1.LabelSelectorApplyConfiguration         `json:"objectSelector,omitempty"`
-	SideEffects             *admissionregistrationv1beta1.SideEffectClass   `json:"sideEffects,omitempty"`
-	TimeoutSeconds          *int32                                          `json:"timeoutSeconds,omitempty"`
-	AdmissionReviewVersions []string                                        `json:"admissionReviewVersions,omitempty"`
-	MatchConditions         []MatchConditionApplyConfiguration              `json:"matchConditions,omitempty"`
+	// name is the name of the admission webhook.
+	// Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where
+	// "imagepolicy" is the name of the webhook, and kubernetes.io is the name
+	// of the organization.
+	// Required.
+	Name *string `json:"name,omitempty"`
+	// clientConfig defines how to communicate with the hook.
+	// Required
+	ClientConfig *WebhookClientConfigApplyConfiguration `json:"clientConfig,omitempty"`
+	// rules describes what operations on what resources/subresources the webhook cares about.
+	// The webhook cares about an operation if it matches _any_ Rule.
+	// However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks
+	// from putting the cluster in a state which cannot be recovered from without completely
+	// disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called
+	// on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects.
+	Rules []v1.RuleWithOperationsApplyConfiguration `json:"rules,omitempty"`
+	// failurePolicy defines how unrecognized errors from the admission endpoint are handled -
+	// allowed values are Ignore or Fail. Defaults to Ignore.
+	FailurePolicy *admissionregistrationv1beta1.FailurePolicyType `json:"failurePolicy,omitempty"`
+	// matchPolicy defines how the "rules" list is used to match incoming requests.
+	// Allowed values are "Exact" or "Equivalent".
+	//
+	// - Exact: match a request only if it exactly matches a specified rule.
+	// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
+	// but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
+	// a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.
+	//
+	// - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.
+	// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
+	// and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
+	// a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.
+	//
+	// Defaults to "Exact"
+	MatchPolicy *admissionregistrationv1beta1.MatchPolicyType `json:"matchPolicy,omitempty"`
+	// namespaceSelector decides whether to run the webhook on an object based
+	// on whether the namespace for that object matches the selector. If the
+	// object itself is a namespace, the matching is performed on
+	// object.metadata.labels. If the object is another cluster scoped resource,
+	// it never skips the webhook.
+	//
+	// For example, to run the webhook on any objects whose namespace is not
+	// associated with "runlevel" of "0" or "1";  you will set the selector as
+	// follows:
+	// "namespaceSelector": {
+	// "matchExpressions": [
+	// {
+	// "key": "runlevel",
+	// "operator": "NotIn",
+	// "values": [
+	// "0",
+	// "1"
+	// ]
+	// }
+	// ]
+	// }
+	//
+	// If instead you want to only run the webhook on any objects whose
+	// namespace is associated with the "environment" of "prod" or "staging";
+	// you will set the selector as follows:
+	// "namespaceSelector": {
+	// "matchExpressions": [
+	// {
+	// "key": "environment",
+	// "operator": "In",
+	// "values": [
+	// "prod",
+	// "staging"
+	// ]
+	// }
+	// ]
+	// }
+	//
+	// See
+	// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels
+	// for more examples of label selectors.
+	//
+	// Default to the empty LabelSelector, which matches everything.
+	NamespaceSelector *metav1.LabelSelectorApplyConfiguration `json:"namespaceSelector,omitempty"`
+	// objectSelector decides whether to run the webhook based on if the
+	// object has matching labels. objectSelector is evaluated against both
+	// the oldObject and newObject that would be sent to the webhook, and
+	// is considered to match if either object matches the selector. A null
+	// object (oldObject in the case of create, or newObject in the case of
+	// delete) or an object that cannot have labels (like a
+	// DeploymentRollback or a PodProxyOptions object) is not considered to
+	// match.
+	// Use the object selector only if the webhook is opt-in, because end
+	// users may skip the admission webhook by setting the labels.
+	// Default to the empty LabelSelector, which matches everything.
+	ObjectSelector *metav1.LabelSelectorApplyConfiguration `json:"objectSelector,omitempty"`
+	// sideEffects states whether this webhook has side effects.
+	// Acceptable values are: Unknown, None, Some, NoneOnDryRun
+	// Webhooks with side effects MUST implement a reconciliation system, since a request may be
+	// rejected by a future step in the admission chain and the side effects therefore need to be undone.
+	// Requests with the dryRun attribute will be auto-rejected if they match a webhook with
+	// sideEffects == Unknown or Some. Defaults to Unknown.
+	SideEffects *admissionregistrationv1beta1.SideEffectClass `json:"sideEffects,omitempty"`
+	// timeoutSeconds specifies the timeout for this webhook. After the timeout passes,
+	// the webhook call will be ignored or the API call will fail based on the
+	// failure policy.
+	// The timeout value must be between 1 and 30 seconds.
+	// Default to 30 seconds.
+	TimeoutSeconds *int32 `json:"timeoutSeconds,omitempty"`
+	// admissionReviewVersions is an ordered list of preferred `AdmissionReview`
+	// versions the Webhook expects. API server will try to use first version in
+	// the list which it supports. If none of the versions specified in this list
+	// supported by API server, validation will fail for this object.
+	// If a persisted webhook configuration specifies allowed versions and does not
+	// include any versions known to the API Server, calls to the webhook will fail
+	// and be subject to the failure policy.
+	// Default to `['v1beta1']`.
+	AdmissionReviewVersions []string `json:"admissionReviewVersions,omitempty"`
+	// matchConditions is a list of conditions that must be met for a request to be sent to this
+	// webhook. Match conditions filter requests that have already been matched by the rules,
+	// namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.
+	// There are a maximum of 64 match conditions allowed.
+	//
+	// The exact matching logic is (in order):
+	// 1. If ANY matchCondition evaluates to FALSE, the webhook is skipped.
+	// 2. If ALL matchConditions evaluate to TRUE, the webhook is called.
+	// 3. If any matchCondition evaluates to an error (but none are FALSE):
+	// - If failurePolicy=Fail, reject the request
+	// - If failurePolicy=Ignore, the error is ignored and the webhook is skipped
+	MatchConditions []MatchConditionApplyConfiguration `json:"matchConditions,omitempty"`
 }
 
 // ValidatingWebhookApplyConfiguration constructs a declarative configuration of the ValidatingWebhook type for use with

applyconfigurations/admissionregistration/v1beta1/validatingwebhookconfiguration.go

@@ -29,10 +29,15 @@ import (
 
 // ValidatingWebhookConfigurationApplyConfiguration represents a declarative configuration of the ValidatingWebhookConfiguration type for use
 // with apply.
+//
+// ValidatingWebhookConfiguration describes the configuration of and admission webhook that accept or reject and object without changing it.
+// Deprecated in v1.16, planned for removal in v1.19. Use admissionregistration.k8s.io/v1 ValidatingWebhookConfiguration instead.
 type ValidatingWebhookConfigurationApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:""`
+	// metadata is the standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Webhooks                         []ValidatingWebhookApplyConfiguration `json:"webhooks,omitempty"`
+	// webhooks is a list of webhooks and the affected resources and operations.
+	Webhooks []ValidatingWebhookApplyConfiguration `json:"webhooks,omitempty"`
 }
 
 // ValidatingWebhookConfiguration constructs a declarative configuration of the ValidatingWebhookConfiguration type for use with
@@ -45,29 +50,14 @@ func ValidatingWebhookConfiguration(name string) *ValidatingWebhookConfiguration
 	return b
 }
 
-// ExtractValidatingWebhookConfiguration extracts the applied configuration owned by fieldManager from
-// validatingWebhookConfiguration. If no managedFields are found in validatingWebhookConfiguration for fieldManager, a
-// ValidatingWebhookConfigurationApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractValidatingWebhookConfigurationFrom extracts the applied configuration owned by fieldManager from
+// validatingWebhookConfiguration for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // validatingWebhookConfiguration must be a unmodified ValidatingWebhookConfiguration API object that was retrieved from the Kubernetes API.
-// ExtractValidatingWebhookConfiguration provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractValidatingWebhookConfigurationFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractValidatingWebhookConfiguration(validatingWebhookConfiguration *admissionregistrationv1beta1.ValidatingWebhookConfiguration, fieldManager string) (*ValidatingWebhookConfigurationApplyConfiguration, error) {
-	return extractValidatingWebhookConfiguration(validatingWebhookConfiguration, fieldManager, "")
-}
-
-// ExtractValidatingWebhookConfigurationStatus is the same as ExtractValidatingWebhookConfiguration except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractValidatingWebhookConfigurationStatus(validatingWebhookConfiguration *admissionregistrationv1beta1.ValidatingWebhookConfiguration, fieldManager string) (*ValidatingWebhookConfigurationApplyConfiguration, error) {
-	return extractValidatingWebhookConfiguration(validatingWebhookConfiguration, fieldManager, "status")
-}
-
-func extractValidatingWebhookConfiguration(validatingWebhookConfiguration *admissionregistrationv1beta1.ValidatingWebhookConfiguration, fieldManager string, subresource string) (*ValidatingWebhookConfigurationApplyConfiguration, error) {
+func ExtractValidatingWebhookConfigurationFrom(validatingWebhookConfiguration *admissionregistrationv1beta1.ValidatingWebhookConfiguration, fieldManager string, subresource string) (*ValidatingWebhookConfigurationApplyConfiguration, error) {
 	b := &ValidatingWebhookConfigurationApplyConfiguration{}
 	err := managedfields.ExtractInto(validatingWebhookConfiguration, internal.Parser().Type("io.k8s.api.admissionregistration.v1beta1.ValidatingWebhookConfiguration"), fieldManager, b, subresource)
 	if err != nil {
@@ -79,6 +69,21 @@ func extractValidatingWebhookConfiguration(validatingWebhookConfiguration *admis
 	b.WithAPIVersion("admissionregistration.k8s.io/v1beta1")
 	return b, nil
 }
+
+// ExtractValidatingWebhookConfiguration extracts the applied configuration owned by fieldManager from
+// validatingWebhookConfiguration. If no managedFields are found in validatingWebhookConfiguration for fieldManager, a
+// ValidatingWebhookConfigurationApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// validatingWebhookConfiguration must be a unmodified ValidatingWebhookConfiguration API object that was retrieved from the Kubernetes API.
+// ExtractValidatingWebhookConfiguration provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractValidatingWebhookConfiguration(validatingWebhookConfiguration *admissionregistrationv1beta1.ValidatingWebhookConfiguration, fieldManager string) (*ValidatingWebhookConfigurationApplyConfiguration, error) {
+	return ExtractValidatingWebhookConfigurationFrom(validatingWebhookConfiguration, fieldManager, "")
+}
+
 func (b ValidatingWebhookConfigurationApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value

applyconfigurations/admissionregistration/v1beta1/validation.go

@@ -24,11 +24,77 @@ import (
 
 // ValidationApplyConfiguration represents a declarative configuration of the Validation type for use
 // with apply.
+//
+// Validation specifies the CEL expression which is used to apply the validation.
 type ValidationApplyConfiguration struct {
-	Expression        *string          `json:"expression,omitempty"`
-	Message           *string          `json:"message,omitempty"`
-	Reason            *v1.StatusReason `json:"reason,omitempty"`
-	MessageExpression *string          `json:"messageExpression,omitempty"`
+	// expression represents the expression which will be evaluated by CEL.
+	// ref: https://github.com/google/cel-spec
+	// CEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables:
+	//
+	// - 'object' - The object from the incoming request. The value is null for DELETE requests.
+	// - 'oldObject' - The existing object. The value is null for CREATE requests.
+	// - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
+	// - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.
+	// - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.
+	// - 'variables' - Map of composited variables, from its name to its lazily evaluated value.
+	// For example, a variable named 'foo' can be accessed as 'variables.foo'.
+	// - 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
+	// See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
+	// - 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
+	// request resource.
+	//
+	// The `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the
+	// object. No other metadata properties are accessible.
+	//
+	// Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.
+	// Accessible property names are escaped according to the following rules when accessed in the expression:
+	// - '__' escapes to '__underscores__'
+	// - '.' escapes to '__dot__'
+	// - '-' escapes to '__dash__'
+	// - '/' escapes to '__slash__'
+	// - Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are:
+	// "true", "false", "null", "in", "as", "break", "const", "continue", "else", "for", "function", "if",
+	// "import", "let", "loop", "package", "namespace", "return".
+	// Examples:
+	// - Expression accessing a property named "namespace": {"Expression": "object.__namespace__ > 0"}
+	// - Expression accessing a property named "x-prop": {"Expression": "object.x__dash__prop > 0"}
+	// - Expression accessing a property named "redact__d": {"Expression": "object.redact__underscores__d > 0"}
+	//
+	// Equality on arrays with list type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1].
+	// Concatenation on arrays with x-kubernetes-list-type use the semantics of the list type:
+	// - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and
+	// non-intersecting elements in `Y` are appended, retaining their partial order.
+	// - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values
+	// are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with
+	// non-intersecting keys are appended, retaining their partial order.
+	// Required.
+	Expression *string `json:"expression,omitempty"`
+	// message represents the message displayed when validation fails. The message is required if the Expression contains
+	// line breaks. The message must not contain line breaks.
+	// If unset, the message is "failed rule: {Rule}".
+	// e.g. "must be a URL with the host matching spec.host"
+	// If the Expression contains line breaks. Message is required.
+	// The message must not contain line breaks.
+	// If unset, the message is "failed Expression: {Expression}".
+	Message *string `json:"message,omitempty"`
+	// reason represents a machine-readable description of why this validation failed.
+	// If this is the first validation in the list to fail, this reason, as well as the
+	// corresponding HTTP response code, are used in the
+	// HTTP response to the client.
+	// The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge".
+	// If not set, StatusReasonInvalid is used in the response to the client.
+	Reason *v1.StatusReason `json:"reason,omitempty"`
+	// messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.
+	// Since messageExpression is used as a failure message, it must evaluate to a string.
+	// If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.
+	// If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced
+	// as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string
+	// that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and
+	// the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.
+	// messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.
+	// Example:
+	// "object.x must be less than max ("+string(params.max)+")"
+	MessageExpression *string `json:"messageExpression,omitempty"`
 }
 
 // ValidationApplyConfiguration constructs a declarative configuration of the Validation type for use with

applyconfigurations/admissionregistration/v1beta1/variable.go

@@ -20,8 +20,15 @@ package v1beta1
 
 // VariableApplyConfiguration represents a declarative configuration of the Variable type for use
 // with apply.
+//
+// Variable is the definition of a variable that is used for composition. A variable is defined as a named expression.
 type VariableApplyConfiguration struct {
-	Name       *string `json:"name,omitempty"`
+	// name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.
+	// The variable can be accessed in other expressions through `variables`
+	// For example, if name is "foo", the variable will be available as `variables.foo`
+	Name *string `json:"name,omitempty"`
+	// expression is the expression that will be evaluated as the value of the variable.
+	// The CEL expression has access to the same identifiers as the CEL expressions in Validation.
 	Expression *string `json:"expression,omitempty"`
 }
 

applyconfigurations/admissionregistration/v1beta1/webhookclientconfig.go

@@ -20,10 +20,44 @@ package v1beta1
 
 // WebhookClientConfigApplyConfiguration represents a declarative configuration of the WebhookClientConfig type for use
 // with apply.
+//
+// WebhookClientConfig contains the information to make a TLS
+// connection with the webhook
 type WebhookClientConfigApplyConfiguration struct {
-	URL      *string                             `json:"url,omitempty"`
-	Service  *ServiceReferenceApplyConfiguration `json:"service,omitempty"`
-	CABundle []byte                              `json:"caBundle,omitempty"`
+	// url gives the location of the webhook, in standard URL form
+	// (`scheme://host:port/path`). Exactly one of `url` or `service`
+	// must be specified.
+	//
+	// The `host` should not refer to a service running in the cluster; use
+	// the `service` field instead. The host might be resolved via external
+	// DNS in some apiservers (e.g., `kube-apiserver` cannot resolve
+	// in-cluster DNS as that would be a layering violation). `host` may
+	// also be an IP address.
+	//
+	// Please note that using `localhost` or `127.0.0.1` as a `host` is
+	// risky unless you take great care to run this webhook on all hosts
+	// which run an apiserver which might need to make calls to this
+	// webhook. Such installs are likely to be non-portable, i.e., not easy
+	// to turn up in a new cluster.
+	//
+	// The scheme must be "https"; the URL must begin with "https://".
+	//
+	// A path is optional, and if present may be any string permissible in
+	// a URL. You may use the path to pass an arbitrary string to the
+	// webhook, for example, a cluster identifier.
+	//
+	// Attempting to use a user or basic auth e.g. "user:password@" is not
+	// allowed. Fragments ("#...") and query parameters ("?...") are not
+	// allowed, either.
+	URL *string `json:"url,omitempty"`
+	// service is a reference to the service for this webhook. Either
+	// `service` or `url` must be specified.
+	//
+	// If the webhook is running within the cluster, then you should use `service`.
+	Service *ServiceReferenceApplyConfiguration `json:"service,omitempty"`
+	// caBundle is a PEM encoded CA bundle which will be used to validate the webhook's server certificate.
+	// If unspecified, system trust roots on the apiserver are used.
+	CABundle []byte `json:"caBundle,omitempty"`
 }
 
 // WebhookClientConfigApplyConfiguration constructs a declarative configuration of the WebhookClientConfig type for use with

applyconfigurations/apiserverinternal/v1alpha1/serverstorageversion.go

@@ -20,11 +20,22 @@ package v1alpha1
 
 // ServerStorageVersionApplyConfiguration represents a declarative configuration of the ServerStorageVersion type for use
 // with apply.
+//
+// An API server instance reports the version it can decode and the version it
+// encodes objects to when persisting objects in the backend.
 type ServerStorageVersionApplyConfiguration struct {
-	APIServerID       *string  `json:"apiServerID,omitempty"`
-	EncodingVersion   *string  `json:"encodingVersion,omitempty"`
+	// apiServerID is the ID of the reporting API server.
+	APIServerID *string `json:"apiServerID,omitempty"`
+	// encodingVersion the API server encodes the object to when persisting it in
+	// the backend (e.g., etcd).
+	EncodingVersion *string `json:"encodingVersion,omitempty"`
+	// decodableVersions are the encoding versions the API server can handle to decode.
+	// The API server can decode objects encoded in these versions.
+	// The encodingVersion must be included in the decodableVersions.
 	DecodableVersions []string `json:"decodableVersions,omitempty"`
-	ServedVersions    []string `json:"servedVersions,omitempty"`
+	// servedVersions lists all versions the API server can serve.
+	// DecodableVersions must include all ServedVersions.
+	ServedVersions []string `json:"servedVersions,omitempty"`
 }
 
 // ServerStorageVersionApplyConfiguration constructs a declarative configuration of the ServerStorageVersion type for use with

applyconfigurations/apiserverinternal/v1alpha1/storageversion.go

@@ -29,11 +29,18 @@ import (
 
 // StorageVersionApplyConfiguration represents a declarative configuration of the StorageVersion type for use
 // with apply.
+//
+// Storage version of a specific resource.
 type StorageVersionApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:""`
+	// metadata is the standard object metadata.
+	// The name is <group>.<resource>.
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *apiserverinternalv1alpha1.StorageVersionSpec `json:"spec,omitempty"`
-	Status                           *StorageVersionStatusApplyConfiguration       `json:"status,omitempty"`
+	// spec is an empty spec. It is here to comply with Kubernetes API style.
+	Spec *apiserverinternalv1alpha1.StorageVersionSpec `json:"spec,omitempty"`
+	// status on the version the API server instance can decode from and
+	// encode objects to when persisting objects in the backend.
+	Status *StorageVersionStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // StorageVersion constructs a declarative configuration of the StorageVersion type for use with
@@ -46,29 +53,14 @@ func StorageVersion(name string) *StorageVersionApplyConfiguration {
 	return b
 }
 
-// ExtractStorageVersion extracts the applied configuration owned by fieldManager from
-// storageVersion. If no managedFields are found in storageVersion for fieldManager, a
-// StorageVersionApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractStorageVersionFrom extracts the applied configuration owned by fieldManager from
+// storageVersion for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // storageVersion must be a unmodified StorageVersion API object that was retrieved from the Kubernetes API.
-// ExtractStorageVersion provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractStorageVersionFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractStorageVersion(storageVersion *apiserverinternalv1alpha1.StorageVersion, fieldManager string) (*StorageVersionApplyConfiguration, error) {
-	return extractStorageVersion(storageVersion, fieldManager, "")
-}
-
-// ExtractStorageVersionStatus is the same as ExtractStorageVersion except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractStorageVersionStatus(storageVersion *apiserverinternalv1alpha1.StorageVersion, fieldManager string) (*StorageVersionApplyConfiguration, error) {
-	return extractStorageVersion(storageVersion, fieldManager, "status")
-}
-
-func extractStorageVersion(storageVersion *apiserverinternalv1alpha1.StorageVersion, fieldManager string, subresource string) (*StorageVersionApplyConfiguration, error) {
+func ExtractStorageVersionFrom(storageVersion *apiserverinternalv1alpha1.StorageVersion, fieldManager string, subresource string) (*StorageVersionApplyConfiguration, error) {
 	b := &StorageVersionApplyConfiguration{}
 	err := managedfields.ExtractInto(storageVersion, internal.Parser().Type("io.k8s.api.apiserverinternal.v1alpha1.StorageVersion"), fieldManager, b, subresource)
 	if err != nil {
@@ -80,6 +72,27 @@ func extractStorageVersion(storageVersion *apiserverinternalv1alpha1.StorageVers
 	b.WithAPIVersion("internal.apiserver.k8s.io/v1alpha1")
 	return b, nil
 }
+
+// ExtractStorageVersion extracts the applied configuration owned by fieldManager from
+// storageVersion. If no managedFields are found in storageVersion for fieldManager, a
+// StorageVersionApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// storageVersion must be a unmodified StorageVersion API object that was retrieved from the Kubernetes API.
+// ExtractStorageVersion provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractStorageVersion(storageVersion *apiserverinternalv1alpha1.StorageVersion, fieldManager string) (*StorageVersionApplyConfiguration, error) {
+	return ExtractStorageVersionFrom(storageVersion, fieldManager, "")
+}
+
+// ExtractStorageVersionStatus extracts the applied configuration owned by fieldManager from
+// storageVersion for the status subresource.
+func ExtractStorageVersionStatus(storageVersion *apiserverinternalv1alpha1.StorageVersion, fieldManager string) (*StorageVersionApplyConfiguration, error) {
+	return ExtractStorageVersionFrom(storageVersion, fieldManager, "status")
+}
+
 func (b StorageVersionApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value

applyconfigurations/apiserverinternal/v1alpha1/storageversioncondition.go

@@ -25,13 +25,21 @@ import (
 
 // StorageVersionConditionApplyConfiguration represents a declarative configuration of the StorageVersionCondition type for use
 // with apply.
+//
+// Describes the state of the storageVersion at a certain point.
 type StorageVersionConditionApplyConfiguration struct {
-	Type               *apiserverinternalv1alpha1.StorageVersionConditionType `json:"type,omitempty"`
-	Status             *apiserverinternalv1alpha1.ConditionStatus             `json:"status,omitempty"`
-	ObservedGeneration *int64                                                 `json:"observedGeneration,omitempty"`
-	LastTransitionTime *v1.Time                                               `json:"lastTransitionTime,omitempty"`
-	Reason             *string                                                `json:"reason,omitempty"`
-	Message            *string                                                `json:"message,omitempty"`
+	// type of the condition.
+	Type *apiserverinternalv1alpha1.StorageVersionConditionType `json:"type,omitempty"`
+	// status of the condition, one of True, False, Unknown.
+	Status *apiserverinternalv1alpha1.ConditionStatus `json:"status,omitempty"`
+	// observedGeneration represents the .metadata.generation that the condition was set based upon, if field is set.
+	ObservedGeneration *int64 `json:"observedGeneration,omitempty"`
+	// lastTransitionTime is the last time the condition transitioned from one status to another.
+	LastTransitionTime *v1.Time `json:"lastTransitionTime,omitempty"`
+	// reason for the condition's last transition.
+	Reason *string `json:"reason,omitempty"`
+	// message is a human readable string indicating details about the transition.
+	Message *string `json:"message,omitempty"`
 }
 
 // StorageVersionConditionApplyConfiguration constructs a declarative configuration of the StorageVersionCondition type for use with

applyconfigurations/apiserverinternal/v1alpha1/storageversionstatus.go

@@ -20,10 +20,20 @@ package v1alpha1
 
 // StorageVersionStatusApplyConfiguration represents a declarative configuration of the StorageVersionStatus type for use
 // with apply.
+//
+// API server instances report the versions they can decode and the version they
+// encode objects to when persisting objects in the backend.
 type StorageVersionStatusApplyConfiguration struct {
-	StorageVersions       []ServerStorageVersionApplyConfiguration    `json:"storageVersions,omitempty"`
-	CommonEncodingVersion *string                                     `json:"commonEncodingVersion,omitempty"`
-	Conditions            []StorageVersionConditionApplyConfiguration `json:"conditions,omitempty"`
+	// storageVersions lists the reported versions per API server instance.
+	StorageVersions []ServerStorageVersionApplyConfiguration `json:"storageVersions,omitempty"`
+	// commonEncodingVersion is set to an encoding storage version if all API server
+	// instances share that same version. If they don't share one storage version, this
+	// field is left empty.
+	// API servers should finish updating its storageVersionStatus entry before
+	// serving write operations, so that this field will be in sync with the reality.
+	CommonEncodingVersion *string `json:"commonEncodingVersion,omitempty"`
+	// conditions lists the latest available observations of the storageVersion's state.
+	Conditions []StorageVersionConditionApplyConfiguration `json:"conditions,omitempty"`
 }
 
 // StorageVersionStatusApplyConfiguration constructs a declarative configuration of the StorageVersionStatus type for use with

applyconfigurations/apps/v1/controllerrevision.go

@@ -30,11 +30,25 @@ import (
 
 // ControllerRevisionApplyConfiguration represents a declarative configuration of the ControllerRevision type for use
 // with apply.
+//
+// ControllerRevision implements an immutable snapshot of state data. Clients
+// are responsible for serializing and deserializing the objects that contain
+// their internal state.
+// Once a ControllerRevision has been successfully created, it can not be updated.
+// The API Server will fail validation of all requests that attempt to mutate
+// the Data field. ControllerRevisions may, however, be deleted. Note that, due to its use by both
+// the DaemonSet and StatefulSet controllers for update and rollback, this object is beta. However,
+// it may be subject to name and representation changes in future releases, and clients should not
+// depend on its stability. It is primarily for internal use by controllers.
 type ControllerRevisionApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:""`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Data                                 *runtime.RawExtension `json:"data,omitempty"`
-	Revision                             *int64                `json:"revision,omitempty"`
+	// Data is the serialized representation of the state.
+	Data *runtime.RawExtension `json:"data,omitempty"`
+	// Revision indicates the revision of the state represented by Data.
+	Revision *int64 `json:"revision,omitempty"`
 }
 
 // ControllerRevision constructs a declarative configuration of the ControllerRevision type for use with
@@ -48,29 +62,14 @@ func ControllerRevision(name, namespace string) *ControllerRevisionApplyConfigur
 	return b
 }
 
-// ExtractControllerRevision extracts the applied configuration owned by fieldManager from
-// controllerRevision. If no managedFields are found in controllerRevision for fieldManager, a
-// ControllerRevisionApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractControllerRevisionFrom extracts the applied configuration owned by fieldManager from
+// controllerRevision for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // controllerRevision must be a unmodified ControllerRevision API object that was retrieved from the Kubernetes API.
-// ExtractControllerRevision provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractControllerRevisionFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractControllerRevision(controllerRevision *appsv1.ControllerRevision, fieldManager string) (*ControllerRevisionApplyConfiguration, error) {
-	return extractControllerRevision(controllerRevision, fieldManager, "")
-}
-
-// ExtractControllerRevisionStatus is the same as ExtractControllerRevision except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractControllerRevisionStatus(controllerRevision *appsv1.ControllerRevision, fieldManager string) (*ControllerRevisionApplyConfiguration, error) {
-	return extractControllerRevision(controllerRevision, fieldManager, "status")
-}
-
-func extractControllerRevision(controllerRevision *appsv1.ControllerRevision, fieldManager string, subresource string) (*ControllerRevisionApplyConfiguration, error) {
+func ExtractControllerRevisionFrom(controllerRevision *appsv1.ControllerRevision, fieldManager string, subresource string) (*ControllerRevisionApplyConfiguration, error) {
 	b := &ControllerRevisionApplyConfiguration{}
 	err := managedfields.ExtractInto(controllerRevision, internal.Parser().Type("io.k8s.api.apps.v1.ControllerRevision"), fieldManager, b, subresource)
 	if err != nil {
@@ -83,6 +82,21 @@ func extractControllerRevision(controllerRevision *appsv1.ControllerRevision, fi
 	b.WithAPIVersion("apps/v1")
 	return b, nil
 }
+
+// ExtractControllerRevision extracts the applied configuration owned by fieldManager from
+// controllerRevision. If no managedFields are found in controllerRevision for fieldManager, a
+// ControllerRevisionApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// controllerRevision must be a unmodified ControllerRevision API object that was retrieved from the Kubernetes API.
+// ExtractControllerRevision provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractControllerRevision(controllerRevision *appsv1.ControllerRevision, fieldManager string) (*ControllerRevisionApplyConfiguration, error) {
+	return ExtractControllerRevisionFrom(controllerRevision, fieldManager, "")
+}
+
 func (b ControllerRevisionApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value

applyconfigurations/apps/v1/daemonset.go

@@ -29,11 +29,22 @@ import (
 
 // DaemonSetApplyConfiguration represents a declarative configuration of the DaemonSet type for use
 // with apply.
+//
+// DaemonSet represents the configuration of a daemon set.
 type DaemonSetApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:""`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                                 *DaemonSetSpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                               *DaemonSetStatusApplyConfiguration `json:"status,omitempty"`
+	// The desired behavior of this daemon set.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	Spec *DaemonSetSpecApplyConfiguration `json:"spec,omitempty"`
+	// The current status of this daemon set. This data may be
+	// out of date by some window of time.
+	// Populated by the system.
+	// Read-only.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	Status *DaemonSetStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // DaemonSet constructs a declarative configuration of the DaemonSet type for use with
@@ -47,29 +58,14 @@ func DaemonSet(name, namespace string) *DaemonSetApplyConfiguration {
 	return b
 }
 
-// ExtractDaemonSet extracts the applied configuration owned by fieldManager from
-// daemonSet. If no managedFields are found in daemonSet for fieldManager, a
-// DaemonSetApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractDaemonSetFrom extracts the applied configuration owned by fieldManager from
+// daemonSet for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // daemonSet must be a unmodified DaemonSet API object that was retrieved from the Kubernetes API.
-// ExtractDaemonSet provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractDaemonSetFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractDaemonSet(daemonSet *appsv1.DaemonSet, fieldManager string) (*DaemonSetApplyConfiguration, error) {
-	return extractDaemonSet(daemonSet, fieldManager, "")
-}
-
-// ExtractDaemonSetStatus is the same as ExtractDaemonSet except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractDaemonSetStatus(daemonSet *appsv1.DaemonSet, fieldManager string) (*DaemonSetApplyConfiguration, error) {
-	return extractDaemonSet(daemonSet, fieldManager, "status")
-}
-
-func extractDaemonSet(daemonSet *appsv1.DaemonSet, fieldManager string, subresource string) (*DaemonSetApplyConfiguration, error) {
+func ExtractDaemonSetFrom(daemonSet *appsv1.DaemonSet, fieldManager string, subresource string) (*DaemonSetApplyConfiguration, error) {
 	b := &DaemonSetApplyConfiguration{}
 	err := managedfields.ExtractInto(daemonSet, internal.Parser().Type("io.k8s.api.apps.v1.DaemonSet"), fieldManager, b, subresource)
 	if err != nil {
@@ -82,6 +78,27 @@ func extractDaemonSet(daemonSet *appsv1.DaemonSet, fieldManager string, subresou
 	b.WithAPIVersion("apps/v1")
 	return b, nil
 }
+
+// ExtractDaemonSet extracts the applied configuration owned by fieldManager from
+// daemonSet. If no managedFields are found in daemonSet for fieldManager, a
+// DaemonSetApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// daemonSet must be a unmodified DaemonSet API object that was retrieved from the Kubernetes API.
+// ExtractDaemonSet provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractDaemonSet(daemonSet *appsv1.DaemonSet, fieldManager string) (*DaemonSetApplyConfiguration, error) {
+	return ExtractDaemonSetFrom(daemonSet, fieldManager, "")
+}
+
+// ExtractDaemonSetStatus extracts the applied configuration owned by fieldManager from
+// daemonSet for the status subresource.
+func ExtractDaemonSetStatus(daemonSet *appsv1.DaemonSet, fieldManager string) (*DaemonSetApplyConfiguration, error) {
+	return ExtractDaemonSetFrom(daemonSet, fieldManager, "status")
+}
+
 func (b DaemonSetApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value

applyconfigurations/apps/v1/daemonsetcondition.go

@@ -26,12 +26,20 @@ import (
 
 // DaemonSetConditionApplyConfiguration represents a declarative configuration of the DaemonSetCondition type for use
 // with apply.
+//
+// TODO: Add valid condition types of a DaemonSet.
+// DaemonSetCondition describes the state of a DaemonSet at a certain point.
 type DaemonSetConditionApplyConfiguration struct {
-	Type               *appsv1.DaemonSetConditionType `json:"type,omitempty"`
-	Status             *corev1.ConditionStatus        `json:"status,omitempty"`
-	LastTransitionTime *metav1.Time                   `json:"lastTransitionTime,omitempty"`
-	Reason             *string                        `json:"reason,omitempty"`
-	Message            *string                        `json:"message,omitempty"`
+	// Type of DaemonSet condition.
+	Type *appsv1.DaemonSetConditionType `json:"type,omitempty"`
+	// Status of the condition, one of True, False, Unknown.
+	Status *corev1.ConditionStatus `json:"status,omitempty"`
+	// Last time the condition transitioned from one status to another.
+	LastTransitionTime *metav1.Time `json:"lastTransitionTime,omitempty"`
+	// The reason for the condition's last transition.
+	Reason *string `json:"reason,omitempty"`
+	// A human readable message indicating details about the transition.
+	Message *string `json:"message,omitempty"`
 }
 
 // DaemonSetConditionApplyConfiguration constructs a declarative configuration of the DaemonSetCondition type for use with

applyconfigurations/apps/v1/daemonsetspec.go

@@ -25,12 +25,32 @@ import (
 
 // DaemonSetSpecApplyConfiguration represents a declarative configuration of the DaemonSetSpec type for use
 // with apply.
+//
+// DaemonSetSpec is the specification of a daemon set.
 type DaemonSetSpecApplyConfiguration struct {
-	Selector             *metav1.LabelSelectorApplyConfiguration    `json:"selector,omitempty"`
-	Template             *corev1.PodTemplateSpecApplyConfiguration  `json:"template,omitempty"`
-	UpdateStrategy       *DaemonSetUpdateStrategyApplyConfiguration `json:"updateStrategy,omitempty"`
-	MinReadySeconds      *int32                                     `json:"minReadySeconds,omitempty"`
-	RevisionHistoryLimit *int32                                     `json:"revisionHistoryLimit,omitempty"`
+	// A label query over pods that are managed by the daemon set.
+	// Must match in order to be controlled.
+	// It must match the pod template's labels.
+	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
+	Selector *metav1.LabelSelectorApplyConfiguration `json:"selector,omitempty"`
+	// An object that describes the pod that will be created.
+	// The DaemonSet will create exactly one copy of this pod on every node
+	// that matches the template's node selector (or on every node if no node
+	// selector is specified).
+	// The only allowed template.spec.restartPolicy value is "Always".
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-template
+	Template *corev1.PodTemplateSpecApplyConfiguration `json:"template,omitempty"`
+	// An update strategy to replace existing DaemonSet pods with new pods.
+	UpdateStrategy *DaemonSetUpdateStrategyApplyConfiguration `json:"updateStrategy,omitempty"`
+	// The minimum number of seconds for which a newly created DaemonSet pod should
+	// be ready without any of its container crashing, for it to be considered
+	// available. Defaults to 0 (pod will be considered available as soon as it
+	// is ready).
+	MinReadySeconds *int32 `json:"minReadySeconds,omitempty"`
+	// The number of old history to retain to allow rollback.
+	// This is a pointer to distinguish between explicit zero and not specified.
+	// Defaults to 10.
+	RevisionHistoryLimit *int32 `json:"revisionHistoryLimit,omitempty"`
 }
 
 // DaemonSetSpecApplyConfiguration constructs a declarative configuration of the DaemonSetSpec type for use with

applyconfigurations/apps/v1/daemonsetstatus.go

@@ -20,17 +20,42 @@ package v1
 
 // DaemonSetStatusApplyConfiguration represents a declarative configuration of the DaemonSetStatus type for use
 // with apply.
+//
+// DaemonSetStatus represents the current status of a daemon set.
 type DaemonSetStatusApplyConfiguration struct {
-	CurrentNumberScheduled *int32                                 `json:"currentNumberScheduled,omitempty"`
-	NumberMisscheduled     *int32                                 `json:"numberMisscheduled,omitempty"`
-	DesiredNumberScheduled *int32                                 `json:"desiredNumberScheduled,omitempty"`
-	NumberReady            *int32                                 `json:"numberReady,omitempty"`
-	ObservedGeneration     *int64                                 `json:"observedGeneration,omitempty"`
-	UpdatedNumberScheduled *int32                                 `json:"updatedNumberScheduled,omitempty"`
-	NumberAvailable        *int32                                 `json:"numberAvailable,omitempty"`
-	NumberUnavailable      *int32                                 `json:"numberUnavailable,omitempty"`
-	CollisionCount         *int32                                 `json:"collisionCount,omitempty"`
-	Conditions             []DaemonSetConditionApplyConfiguration `json:"conditions,omitempty"`
+	// The number of nodes that are running at least 1
+	// daemon pod and are supposed to run the daemon pod.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
+	CurrentNumberScheduled *int32 `json:"currentNumberScheduled,omitempty"`
+	// The number of nodes that are running the daemon pod, but are
+	// not supposed to run the daemon pod.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
+	NumberMisscheduled *int32 `json:"numberMisscheduled,omitempty"`
+	// The total number of nodes that should be running the daemon
+	// pod (including nodes correctly running the daemon pod).
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
+	DesiredNumberScheduled *int32 `json:"desiredNumberScheduled,omitempty"`
+	// numberReady is the number of nodes that should be running the daemon pod and have one
+	// or more of the daemon pod running with a Ready Condition.
+	NumberReady *int32 `json:"numberReady,omitempty"`
+	// The most recent generation observed by the daemon set controller.
+	ObservedGeneration *int64 `json:"observedGeneration,omitempty"`
+	// The total number of nodes that are running updated daemon pod
+	UpdatedNumberScheduled *int32 `json:"updatedNumberScheduled,omitempty"`
+	// The number of nodes that should be running the
+	// daemon pod and have one or more of the daemon pod running and
+	// available (ready for at least spec.minReadySeconds)
+	NumberAvailable *int32 `json:"numberAvailable,omitempty"`
+	// The number of nodes that should be running the
+	// daemon pod and have none of the daemon pod running and available
+	// (ready for at least spec.minReadySeconds)
+	NumberUnavailable *int32 `json:"numberUnavailable,omitempty"`
+	// Count of hash collisions for the DaemonSet. The DaemonSet controller
+	// uses this field as a collision avoidance mechanism when it needs to
+	// create the name for the newest ControllerRevision.
+	CollisionCount *int32 `json:"collisionCount,omitempty"`
+	// Represents the latest available observations of a DaemonSet's current state.
+	Conditions []DaemonSetConditionApplyConfiguration `json:"conditions,omitempty"`
 }
 
 // DaemonSetStatusApplyConfiguration constructs a declarative configuration of the DaemonSetStatus type for use with

applyconfigurations/apps/v1/daemonsetupdatestrategy.go

@@ -24,8 +24,16 @@ import (
 
 // DaemonSetUpdateStrategyApplyConfiguration represents a declarative configuration of the DaemonSetUpdateStrategy type for use
 // with apply.
+//
+// DaemonSetUpdateStrategy is a struct used to control the update strategy for a DaemonSet.
 type DaemonSetUpdateStrategyApplyConfiguration struct {
-	Type          *appsv1.DaemonSetUpdateStrategyType       `json:"type,omitempty"`
+	// Type of daemon set update. Can be "RollingUpdate" or "OnDelete". Default is RollingUpdate.
+	Type *appsv1.DaemonSetUpdateStrategyType `json:"type,omitempty"`
+	// Rolling update config params. Present only if type = "RollingUpdate".
+	// ---
+	// TODO: Update this to follow our convention for oneOf, whatever we decide it
+	// to be. Same as Deployment `strategy.rollingUpdate`.
+	// See https://github.com/kubernetes/kubernetes/issues/35345
 	RollingUpdate *RollingUpdateDaemonSetApplyConfiguration `json:"rollingUpdate,omitempty"`
 }
 

applyconfigurations/apps/v1/deployment.go

@@ -29,11 +29,17 @@ import (
 
 // DeploymentApplyConfiguration represents a declarative configuration of the Deployment type for use
 // with apply.
+//
+// Deployment enables declarative updates for Pods and ReplicaSets.
 type DeploymentApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:""`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                                 *DeploymentSpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                               *DeploymentStatusApplyConfiguration `json:"status,omitempty"`
+	// Specification of the desired behavior of the Deployment.
+	Spec *DeploymentSpecApplyConfiguration `json:"spec,omitempty"`
+	// Most recently observed status of the Deployment.
+	Status *DeploymentStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // Deployment constructs a declarative configuration of the Deployment type for use with
@@ -47,29 +53,14 @@ func Deployment(name, namespace string) *DeploymentApplyConfiguration {
 	return b
 }
 
-// ExtractDeployment extracts the applied configuration owned by fieldManager from
-// deployment. If no managedFields are found in deployment for fieldManager, a
-// DeploymentApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractDeploymentFrom extracts the applied configuration owned by fieldManager from
+// deployment for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // deployment must be a unmodified Deployment API object that was retrieved from the Kubernetes API.
-// ExtractDeployment provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractDeploymentFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractDeployment(deployment *appsv1.Deployment, fieldManager string) (*DeploymentApplyConfiguration, error) {
-	return extractDeployment(deployment, fieldManager, "")
-}
-
-// ExtractDeploymentStatus is the same as ExtractDeployment except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractDeploymentStatus(deployment *appsv1.Deployment, fieldManager string) (*DeploymentApplyConfiguration, error) {
-	return extractDeployment(deployment, fieldManager, "status")
-}
-
-func extractDeployment(deployment *appsv1.Deployment, fieldManager string, subresource string) (*DeploymentApplyConfiguration, error) {
+func ExtractDeploymentFrom(deployment *appsv1.Deployment, fieldManager string, subresource string) (*DeploymentApplyConfiguration, error) {
 	b := &DeploymentApplyConfiguration{}
 	err := managedfields.ExtractInto(deployment, internal.Parser().Type("io.k8s.api.apps.v1.Deployment"), fieldManager, b, subresource)
 	if err != nil {
@@ -82,6 +73,33 @@ func extractDeployment(deployment *appsv1.Deployment, fieldManager string, subre
 	b.WithAPIVersion("apps/v1")
 	return b, nil
 }
+
+// ExtractDeployment extracts the applied configuration owned by fieldManager from
+// deployment. If no managedFields are found in deployment for fieldManager, a
+// DeploymentApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// deployment must be a unmodified Deployment API object that was retrieved from the Kubernetes API.
+// ExtractDeployment provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractDeployment(deployment *appsv1.Deployment, fieldManager string) (*DeploymentApplyConfiguration, error) {
+	return ExtractDeploymentFrom(deployment, fieldManager, "")
+}
+
+// ExtractDeploymentScale extracts the applied configuration owned by fieldManager from
+// deployment for the scale subresource.
+func ExtractDeploymentScale(deployment *appsv1.Deployment, fieldManager string) (*DeploymentApplyConfiguration, error) {
+	return ExtractDeploymentFrom(deployment, fieldManager, "scale")
+}
+
+// ExtractDeploymentStatus extracts the applied configuration owned by fieldManager from
+// deployment for the status subresource.
+func ExtractDeploymentStatus(deployment *appsv1.Deployment, fieldManager string) (*DeploymentApplyConfiguration, error) {
+	return ExtractDeploymentFrom(deployment, fieldManager, "status")
+}
+
 func (b DeploymentApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value

applyconfigurations/apps/v1/deploymentcondition.go

@@ -26,13 +26,21 @@ import (
 
 // DeploymentConditionApplyConfiguration represents a declarative configuration of the DeploymentCondition type for use
 // with apply.
+//
+// DeploymentCondition describes the state of a deployment at a certain point.
 type DeploymentConditionApplyConfiguration struct {
-	Type               *appsv1.DeploymentConditionType `json:"type,omitempty"`
-	Status             *corev1.ConditionStatus         `json:"status,omitempty"`
-	LastUpdateTime     *metav1.Time                    `json:"lastUpdateTime,omitempty"`
-	LastTransitionTime *metav1.Time                    `json:"lastTransitionTime,omitempty"`
-	Reason             *string                         `json:"reason,omitempty"`
-	Message            *string                         `json:"message,omitempty"`
+	// Type of deployment condition.
+	Type *appsv1.DeploymentConditionType `json:"type,omitempty"`
+	// Status of the condition, one of True, False, Unknown.
+	Status *corev1.ConditionStatus `json:"status,omitempty"`
+	// The last time this condition was updated.
+	LastUpdateTime *metav1.Time `json:"lastUpdateTime,omitempty"`
+	// Last time the condition transitioned from one status to another.
+	LastTransitionTime *metav1.Time `json:"lastTransitionTime,omitempty"`
+	// The reason for the condition's last transition.
+	Reason *string `json:"reason,omitempty"`
+	// A human readable message indicating details about the transition.
+	Message *string `json:"message,omitempty"`
 }
 
 // DeploymentConditionApplyConfiguration constructs a declarative configuration of the DeploymentCondition type for use with

applyconfigurations/apps/v1/deploymentspec.go

@@ -25,15 +25,37 @@ import (
 
 // DeploymentSpecApplyConfiguration represents a declarative configuration of the DeploymentSpec type for use
 // with apply.
+//
+// DeploymentSpec is the specification of the desired behavior of the Deployment.
 type DeploymentSpecApplyConfiguration struct {
-	Replicas                *int32                                    `json:"replicas,omitempty"`
-	Selector                *metav1.LabelSelectorApplyConfiguration   `json:"selector,omitempty"`
-	Template                *corev1.PodTemplateSpecApplyConfiguration `json:"template,omitempty"`
-	Strategy                *DeploymentStrategyApplyConfiguration     `json:"strategy,omitempty"`
-	MinReadySeconds         *int32                                    `json:"minReadySeconds,omitempty"`
-	RevisionHistoryLimit    *int32                                    `json:"revisionHistoryLimit,omitempty"`
-	Paused                  *bool                                     `json:"paused,omitempty"`
-	ProgressDeadlineSeconds *int32                                    `json:"progressDeadlineSeconds,omitempty"`
+	// Number of desired pods. This is a pointer to distinguish between explicit
+	// zero and not specified. Defaults to 1.
+	Replicas *int32 `json:"replicas,omitempty"`
+	// Label selector for pods. Existing ReplicaSets whose pods are
+	// selected by this will be the ones affected by this deployment.
+	// It must match the pod template's labels.
+	Selector *metav1.LabelSelectorApplyConfiguration `json:"selector,omitempty"`
+	// Template describes the pods that will be created.
+	// The only allowed template.spec.restartPolicy value is "Always".
+	Template *corev1.PodTemplateSpecApplyConfiguration `json:"template,omitempty"`
+	// The deployment strategy to use to replace existing pods with new ones.
+	Strategy *DeploymentStrategyApplyConfiguration `json:"strategy,omitempty"`
+	// Minimum number of seconds for which a newly created pod should be ready
+	// without any of its container crashing, for it to be considered available.
+	// Defaults to 0 (pod will be considered available as soon as it is ready)
+	MinReadySeconds *int32 `json:"minReadySeconds,omitempty"`
+	// The number of old ReplicaSets to retain to allow rollback.
+	// This is a pointer to distinguish between explicit zero and not specified.
+	// Defaults to 10.
+	RevisionHistoryLimit *int32 `json:"revisionHistoryLimit,omitempty"`
+	// Indicates that the deployment is paused.
+	Paused *bool `json:"paused,omitempty"`
+	// The maximum time in seconds for a deployment to make progress before it
+	// is considered to be failed. The deployment controller will continue to
+	// process failed deployments and a condition with a ProgressDeadlineExceeded
+	// reason will be surfaced in the deployment status. Note that progress will
+	// not be estimated during the time a deployment is paused. Defaults to 600s.
+	ProgressDeadlineSeconds *int32 `json:"progressDeadlineSeconds,omitempty"`
 }
 
 // DeploymentSpecApplyConfiguration constructs a declarative configuration of the DeploymentSpec type for use with

applyconfigurations/apps/v1/deploymentstatus.go

@@ -20,16 +20,34 @@ package v1
 
 // DeploymentStatusApplyConfiguration represents a declarative configuration of the DeploymentStatus type for use
 // with apply.
+//
+// DeploymentStatus is the most recently observed status of the Deployment.
 type DeploymentStatusApplyConfiguration struct {
-	ObservedGeneration  *int64                                  `json:"observedGeneration,omitempty"`
-	Replicas            *int32                                  `json:"replicas,omitempty"`
-	UpdatedReplicas     *int32                                  `json:"updatedReplicas,omitempty"`
-	ReadyReplicas       *int32                                  `json:"readyReplicas,omitempty"`
-	AvailableReplicas   *int32                                  `json:"availableReplicas,omitempty"`
-	UnavailableReplicas *int32                                  `json:"unavailableReplicas,omitempty"`
-	TerminatingReplicas *int32                                  `json:"terminatingReplicas,omitempty"`
-	Conditions          []DeploymentConditionApplyConfiguration `json:"conditions,omitempty"`
-	CollisionCount      *int32                                  `json:"collisionCount,omitempty"`
+	// The generation observed by the deployment controller.
+	ObservedGeneration *int64 `json:"observedGeneration,omitempty"`
+	// Total number of non-terminating pods targeted by this deployment (their labels match the selector).
+	Replicas *int32 `json:"replicas,omitempty"`
+	// Total number of non-terminating pods targeted by this deployment that have the desired template spec.
+	UpdatedReplicas *int32 `json:"updatedReplicas,omitempty"`
+	// Total number of non-terminating pods targeted by this Deployment with a Ready Condition.
+	ReadyReplicas *int32 `json:"readyReplicas,omitempty"`
+	// Total number of available non-terminating pods (ready for at least minReadySeconds) targeted by this deployment.
+	AvailableReplicas *int32 `json:"availableReplicas,omitempty"`
+	// Total number of unavailable pods targeted by this deployment. This is the total number of
+	// pods that are still required for the deployment to have 100% available capacity. They may
+	// either be pods that are running but not yet available or pods that still have not been created.
+	UnavailableReplicas *int32 `json:"unavailableReplicas,omitempty"`
+	// Total number of terminating pods targeted by this deployment. Terminating pods have a non-null
+	// .metadata.deletionTimestamp and have not yet reached the Failed or Succeeded .status.phase.
+	//
+	// This is a beta field and requires enabling DeploymentReplicaSetTerminatingReplicas feature (enabled by default).
+	TerminatingReplicas *int32 `json:"terminatingReplicas,omitempty"`
+	// Represents the latest available observations of a deployment's current state.
+	Conditions []DeploymentConditionApplyConfiguration `json:"conditions,omitempty"`
+	// Count of hash collisions for the Deployment. The Deployment controller uses this
+	// field as a collision avoidance mechanism when it needs to create the name for the
+	// newest ReplicaSet.
+	CollisionCount *int32 `json:"collisionCount,omitempty"`
 }
 
 // DeploymentStatusApplyConfiguration constructs a declarative configuration of the DeploymentStatus type for use with

applyconfigurations/apps/v1/deploymentstrategy.go

@@ -24,8 +24,16 @@ import (
 
 // DeploymentStrategyApplyConfiguration represents a declarative configuration of the DeploymentStrategy type for use
 // with apply.
+//
+// DeploymentStrategy describes how to replace existing pods with new ones.
 type DeploymentStrategyApplyConfiguration struct {
-	Type          *appsv1.DeploymentStrategyType             `json:"type,omitempty"`
+	// Type of deployment. Can be "Recreate" or "RollingUpdate". Default is RollingUpdate.
+	Type *appsv1.DeploymentStrategyType `json:"type,omitempty"`
+	// Rolling update config params. Present only if DeploymentStrategyType =
+	// RollingUpdate.
+	// ---
+	// TODO: Update this to follow our convention for oneOf, whatever we decide it
+	// to be.
 	RollingUpdate *RollingUpdateDeploymentApplyConfiguration `json:"rollingUpdate,omitempty"`
 }
 

applyconfigurations/apps/v1/replicaset.go

@@ -29,11 +29,24 @@ import (
 
 // ReplicaSetApplyConfiguration represents a declarative configuration of the ReplicaSet type for use
 // with apply.
+//
+// ReplicaSet ensures that a specified number of pod replicas are running at any given time.
 type ReplicaSetApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:""`
+	// If the Labels of a ReplicaSet are empty, they are defaulted to
+	// be the same as the Pod(s) that the ReplicaSet manages.
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                                 *ReplicaSetSpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                               *ReplicaSetStatusApplyConfiguration `json:"status,omitempty"`
+	// Spec defines the specification of the desired behavior of the ReplicaSet.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	Spec *ReplicaSetSpecApplyConfiguration `json:"spec,omitempty"`
+	// Status is the most recently observed status of the ReplicaSet.
+	// This data may be out of date by some window of time.
+	// Populated by the system.
+	// Read-only.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	Status *ReplicaSetStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // ReplicaSet constructs a declarative configuration of the ReplicaSet type for use with
@@ -47,29 +60,14 @@ func ReplicaSet(name, namespace string) *ReplicaSetApplyConfiguration {
 	return b
 }
 
-// ExtractReplicaSet extracts the applied configuration owned by fieldManager from
-// replicaSet. If no managedFields are found in replicaSet for fieldManager, a
-// ReplicaSetApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractReplicaSetFrom extracts the applied configuration owned by fieldManager from
+// replicaSet for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // replicaSet must be a unmodified ReplicaSet API object that was retrieved from the Kubernetes API.
-// ExtractReplicaSet provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractReplicaSetFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractReplicaSet(replicaSet *appsv1.ReplicaSet, fieldManager string) (*ReplicaSetApplyConfiguration, error) {
-	return extractReplicaSet(replicaSet, fieldManager, "")
-}
-
-// ExtractReplicaSetStatus is the same as ExtractReplicaSet except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractReplicaSetStatus(replicaSet *appsv1.ReplicaSet, fieldManager string) (*ReplicaSetApplyConfiguration, error) {
-	return extractReplicaSet(replicaSet, fieldManager, "status")
-}
-
-func extractReplicaSet(replicaSet *appsv1.ReplicaSet, fieldManager string, subresource string) (*ReplicaSetApplyConfiguration, error) {
+func ExtractReplicaSetFrom(replicaSet *appsv1.ReplicaSet, fieldManager string, subresource string) (*ReplicaSetApplyConfiguration, error) {
 	b := &ReplicaSetApplyConfiguration{}
 	err := managedfields.ExtractInto(replicaSet, internal.Parser().Type("io.k8s.api.apps.v1.ReplicaSet"), fieldManager, b, subresource)
 	if err != nil {
@@ -82,6 +80,33 @@ func extractReplicaSet(replicaSet *appsv1.ReplicaSet, fieldManager string, subre
 	b.WithAPIVersion("apps/v1")
 	return b, nil
 }
+
+// ExtractReplicaSet extracts the applied configuration owned by fieldManager from
+// replicaSet. If no managedFields are found in replicaSet for fieldManager, a
+// ReplicaSetApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// replicaSet must be a unmodified ReplicaSet API object that was retrieved from the Kubernetes API.
+// ExtractReplicaSet provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractReplicaSet(replicaSet *appsv1.ReplicaSet, fieldManager string) (*ReplicaSetApplyConfiguration, error) {
+	return ExtractReplicaSetFrom(replicaSet, fieldManager, "")
+}
+
+// ExtractReplicaSetScale extracts the applied configuration owned by fieldManager from
+// replicaSet for the scale subresource.
+func ExtractReplicaSetScale(replicaSet *appsv1.ReplicaSet, fieldManager string) (*ReplicaSetApplyConfiguration, error) {
+	return ExtractReplicaSetFrom(replicaSet, fieldManager, "scale")
+}
+
+// ExtractReplicaSetStatus extracts the applied configuration owned by fieldManager from
+// replicaSet for the status subresource.
+func ExtractReplicaSetStatus(replicaSet *appsv1.ReplicaSet, fieldManager string) (*ReplicaSetApplyConfiguration, error) {
+	return ExtractReplicaSetFrom(replicaSet, fieldManager, "status")
+}
+
 func (b ReplicaSetApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value

applyconfigurations/apps/v1/replicasetcondition.go

@@ -26,12 +26,19 @@ import (
 
 // ReplicaSetConditionApplyConfiguration represents a declarative configuration of the ReplicaSetCondition type for use
 // with apply.
+//
+// ReplicaSetCondition describes the state of a replica set at a certain point.
 type ReplicaSetConditionApplyConfiguration struct {
-	Type               *appsv1.ReplicaSetConditionType `json:"type,omitempty"`
-	Status             *corev1.ConditionStatus         `json:"status,omitempty"`
-	LastTransitionTime *metav1.Time                    `json:"lastTransitionTime,omitempty"`
-	Reason             *string                         `json:"reason,omitempty"`
-	Message            *string                         `json:"message,omitempty"`
+	// Type of replica set condition.
+	Type *appsv1.ReplicaSetConditionType `json:"type,omitempty"`
+	// Status of the condition, one of True, False, Unknown.
+	Status *corev1.ConditionStatus `json:"status,omitempty"`
+	// The last time the condition transitioned from one status to another.
+	LastTransitionTime *metav1.Time `json:"lastTransitionTime,omitempty"`
+	// The reason for the condition's last transition.
+	Reason *string `json:"reason,omitempty"`
+	// A human readable message indicating details about the transition.
+	Message *string `json:"message,omitempty"`
 }
 
 // ReplicaSetConditionApplyConfiguration constructs a declarative configuration of the ReplicaSetCondition type for use with