working commit

2026-03-13 19:02:42 +02:00
parent bebbf79c7a
commit 5c1da77f4c
1329 changed files with 314708 additions and 39 deletions
@@ -0,0 +1,25 @@
+/*
+Copyright 2019 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// +k8s:deepcopy-gen=package
+// +k8s:protobuf-gen=package
+// +k8s:openapi-gen=false
+// +k8s:prerelease-lifecycle-gen=true
+// +k8s:openapi-model-package=io.k8s.api.admission.v1
+
+// +groupName=admission.k8s.io
+
+package v1
@@ -0,0 +1,168 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+
+// This file was autogenerated by go-to-protobuf. Do not edit it manually!
+
+syntax = "proto2";
+
+package k8s.io.api.admission.v1;
+
+import "k8s.io/api/authentication/v1/generated.proto";
+import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
+import "k8s.io/apimachinery/pkg/runtime/generated.proto";
+import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
+
+// Package-wide variables from generator "generated".
+option go_package = "k8s.io/api/admission/v1";
+
+// AdmissionRequest describes the admission.Attributes for the admission request.
+message AdmissionRequest {
+  // uid is an identifier for the individual request/response. It allows us to distinguish instances of requests which are
+  // otherwise identical (parallel requests, requests when earlier requests did not modify etc)
+  // The UID is meant to track the round trip (request/response) between the KAS and the WebHook, not the user request.
+  // It is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging.
+  optional string uid = 1;
+
+  // kind is the fully-qualified type of object being submitted (for example, v1.Pod or autoscaling.v1.Scale)
+  optional .k8s.io.apimachinery.pkg.apis.meta.v1.GroupVersionKind kind = 2;
+
+  // resource is the fully-qualified resource being requested (for example, v1.pods)
+  optional .k8s.io.apimachinery.pkg.apis.meta.v1.GroupVersionResource resource = 3;
+
+  // subResource is the subresource being requested, if any (for example, "status" or "scale")
+  // +optional
+  optional string subResource = 4;
+
+  // requestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale).
+  // If this is specified and differs from the value in "kind", an equivalent match and conversion was performed.
+  //
+  // For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of
+  // `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`,
+  // an API request to apps/v1beta1 deployments would be converted and sent to the webhook
+  // with `kind: {group:"apps", version:"v1", kind:"Deployment"}` (matching the rule the webhook registered for),
+  // and `requestKind: {group:"apps", version:"v1beta1", kind:"Deployment"}` (indicating the kind of the original API request).
+  //
+  // See documentation for the "matchPolicy" field in the webhook configuration type for more details.
+  // +optional
+  optional .k8s.io.apimachinery.pkg.apis.meta.v1.GroupVersionKind requestKind = 13;
+
+  // requestResource is the fully-qualified resource of the original API request (for example, v1.pods).
+  // If this is specified and differs from the value in "resource", an equivalent match and conversion was performed.
+  //
+  // For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of
+  // `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`,
+  // an API request to apps/v1beta1 deployments would be converted and sent to the webhook
+  // with `resource: {group:"apps", version:"v1", resource:"deployments"}` (matching the resource the webhook registered for),
+  // and `requestResource: {group:"apps", version:"v1beta1", resource:"deployments"}` (indicating the resource of the original API request).
+  //
+  // See documentation for the "matchPolicy" field in the webhook configuration type.
+  // +optional
+  optional .k8s.io.apimachinery.pkg.apis.meta.v1.GroupVersionResource requestResource = 14;
+
+  // requestSubResource is the name of the subresource of the original API request, if any (for example, "status" or "scale")
+  // If this is specified and differs from the value in "subResource", an equivalent match and conversion was performed.
+  // See documentation for the "matchPolicy" field in the webhook configuration type.
+  // +optional
+  optional string requestSubResource = 15;
+
+  // name is the name of the object as presented in the request.  On a CREATE operation, the client may omit name and
+  // rely on the server to generate the name.  If that is the case, this field will contain an empty string.
+  // +optional
+  optional string name = 5;
+
+  // namespace is the namespace associated with the request (if any).
+  // +optional
+  optional string namespace = 6;
+
+  // operation is the operation being performed. This may be different than the operation
+  // requested. e.g. a patch can result in either a CREATE or UPDATE Operation.
+  optional string operation = 7;
+
+  // userInfo is information about the requesting user
+  optional .k8s.io.api.authentication.v1.UserInfo userInfo = 8;
+
+  // object is the object from the incoming request.
+  // +optional
+  optional .k8s.io.apimachinery.pkg.runtime.RawExtension object = 9;
+
+  // oldObject is the existing object. Only populated for DELETE and UPDATE requests.
+  // +optional
+  optional .k8s.io.apimachinery.pkg.runtime.RawExtension oldObject = 10;
+
+  // dryRun indicates that modifications will definitely not be persisted for this request.
+  // Defaults to false.
+  // +optional
+  optional bool dryRun = 11;
+
+  // options is the operation option structure of the operation being performed.
+  // e.g. `meta.k8s.io/v1.DeleteOptions` or `meta.k8s.io/v1.CreateOptions`. This may be
+  // different than the options the caller provided. e.g. for a patch request the performed
+  // Operation might be a CREATE, in which case the Options will a
+  // `meta.k8s.io/v1.CreateOptions` even though the caller provided `meta.k8s.io/v1.PatchOptions`.
+  // +optional
+  optional .k8s.io.apimachinery.pkg.runtime.RawExtension options = 12;
+}
+
+// AdmissionResponse describes an admission response.
+message AdmissionResponse {
+  // uid is an identifier for the individual request/response.
+  // This must be copied over from the corresponding AdmissionRequest.
+  optional string uid = 1;
+
+  // allowed indicates whether or not the admission request was permitted.
+  optional bool allowed = 2;
+
+  // status is the result contains extra details into why an admission request was denied.
+  // This field IS NOT consulted in any way if "Allowed" is "true".
+  // +optional
+  optional .k8s.io.apimachinery.pkg.apis.meta.v1.Status status = 3;
+
+  // patch is the patch body. Currently we only support "JSONPatch" which implements RFC 6902.
+  // +optional
+  optional bytes patch = 4;
+
+  // patchType is the type of Patch. Currently we only allow "JSONPatch".
+  // +optional
+  optional string patchType = 5;
+
+  // auditAnnotations is an unstructured key value map set by remote admission controller (e.g. error=image-blacklisted).
+  // MutatingAdmissionWebhook and ValidatingAdmissionWebhook admission controller will prefix the keys with
+  // admission webhook name (e.g. imagepolicy.example.com/error=image-blacklisted). AuditAnnotations will be provided by
+  // the admission webhook to add additional context to the audit log for this request.
+  // +optional
+  map<string, string> auditAnnotations = 6;
+
+  // warnings is a list of warning messages to return to the requesting API client.
+  // Warning messages describe a problem the client making the API request should correct or be aware of.
+  // Limit warnings to 120 characters if possible.
+  // Warnings over 256 characters and large numbers of warnings may be truncated.
+  // +optional
+  // +listType=atomic
+  repeated string warnings = 7;
+}
+
+// AdmissionReview describes an admission review request/response.
+message AdmissionReview {
+  // request describes the attributes for the admission request.
+  // +optional
+  optional AdmissionRequest request = 1;
+
+  // response describes the attributes for the admission response.
+  // +optional
+  optional AdmissionResponse response = 2;
+}
+
@@ -0,0 +1,28 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v1
+
+func (*AdmissionRequest) ProtoMessage() {}
+
+func (*AdmissionResponse) ProtoMessage() {}
+
+func (*AdmissionReview) ProtoMessage() {}
@@ -0,0 +1,53 @@
+/*
+Copyright 2019 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+// GroupName is the group name for this API.
+const GroupName = "admission.k8s.io"
+
+// SchemeGroupVersion is group version used to register these objects
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1"}
+
+// Resource takes an unqualified resource and returns a Group qualified GroupResource
+func Resource(resource string) schema.GroupResource {
+	return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
+
+// TODO: move SchemeBuilder with zz_generated.deepcopy.go to k8s.io/api.
+// localSchemeBuilder and AddToScheme will stay in k8s.io/kubernetes.
+var (
+	// SchemeBuilder points to a list of functions added to Scheme.
+	SchemeBuilder      = runtime.NewSchemeBuilder(addKnownTypes)
+	localSchemeBuilder = &SchemeBuilder
+	// AddToScheme is a common registration function for mapping packaged scoped group & version keys to a scheme.
+	AddToScheme = localSchemeBuilder.AddToScheme
+)
+
+// Adds the list of known types to the given scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&AdmissionReview{},
+	)
+	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+	return nil
+}
@@ -0,0 +1,171 @@
+/*
+Copyright 2019 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	authenticationv1 "k8s.io/api/authentication/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/types"
+)
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +k8s:prerelease-lifecycle-gen:introduced=1.19
+
+// AdmissionReview describes an admission review request/response.
+type AdmissionReview struct {
+	metav1.TypeMeta `json:",inline"`
+	// request describes the attributes for the admission request.
+	// +optional
+	Request *AdmissionRequest `json:"request,omitempty" protobuf:"bytes,1,opt,name=request"`
+	// response describes the attributes for the admission response.
+	// +optional
+	Response *AdmissionResponse `json:"response,omitempty" protobuf:"bytes,2,opt,name=response"`
+}
+
+// AdmissionRequest describes the admission.Attributes for the admission request.
+type AdmissionRequest struct {
+	// uid is an identifier for the individual request/response. It allows us to distinguish instances of requests which are
+	// otherwise identical (parallel requests, requests when earlier requests did not modify etc)
+	// The UID is meant to track the round trip (request/response) between the KAS and the WebHook, not the user request.
+	// It is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging.
+	UID types.UID `json:"uid" protobuf:"bytes,1,opt,name=uid"`
+	// kind is the fully-qualified type of object being submitted (for example, v1.Pod or autoscaling.v1.Scale)
+	Kind metav1.GroupVersionKind `json:"kind" protobuf:"bytes,2,opt,name=kind"`
+	// resource is the fully-qualified resource being requested (for example, v1.pods)
+	Resource metav1.GroupVersionResource `json:"resource" protobuf:"bytes,3,opt,name=resource"`
+	// subResource is the subresource being requested, if any (for example, "status" or "scale")
+	// +optional
+	SubResource string `json:"subResource,omitempty" protobuf:"bytes,4,opt,name=subResource"`
+
+	// requestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale).
+	// If this is specified and differs from the value in "kind", an equivalent match and conversion was performed.
+	//
+	// For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of
+	// `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`,
+	// an API request to apps/v1beta1 deployments would be converted and sent to the webhook
+	// with `kind: {group:"apps", version:"v1", kind:"Deployment"}` (matching the rule the webhook registered for),
+	// and `requestKind: {group:"apps", version:"v1beta1", kind:"Deployment"}` (indicating the kind of the original API request).
+	//
+	// See documentation for the "matchPolicy" field in the webhook configuration type for more details.
+	// +optional
+	RequestKind *metav1.GroupVersionKind `json:"requestKind,omitempty" protobuf:"bytes,13,opt,name=requestKind"`
+	// requestResource is the fully-qualified resource of the original API request (for example, v1.pods).
+	// If this is specified and differs from the value in "resource", an equivalent match and conversion was performed.
+	//
+	// For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of
+	// `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`,
+	// an API request to apps/v1beta1 deployments would be converted and sent to the webhook
+	// with `resource: {group:"apps", version:"v1", resource:"deployments"}` (matching the resource the webhook registered for),
+	// and `requestResource: {group:"apps", version:"v1beta1", resource:"deployments"}` (indicating the resource of the original API request).
+	//
+	// See documentation for the "matchPolicy" field in the webhook configuration type.
+	// +optional
+	RequestResource *metav1.GroupVersionResource `json:"requestResource,omitempty" protobuf:"bytes,14,opt,name=requestResource"`
+	// requestSubResource is the name of the subresource of the original API request, if any (for example, "status" or "scale")
+	// If this is specified and differs from the value in "subResource", an equivalent match and conversion was performed.
+	// See documentation for the "matchPolicy" field in the webhook configuration type.
+	// +optional
+	RequestSubResource string `json:"requestSubResource,omitempty" protobuf:"bytes,15,opt,name=requestSubResource"`
+
+	// name is the name of the object as presented in the request.  On a CREATE operation, the client may omit name and
+	// rely on the server to generate the name.  If that is the case, this field will contain an empty string.
+	// +optional
+	Name string `json:"name,omitempty" protobuf:"bytes,5,opt,name=name"`
+	// namespace is the namespace associated with the request (if any).
+	// +optional
+	Namespace string `json:"namespace,omitempty" protobuf:"bytes,6,opt,name=namespace"`
+	// operation is the operation being performed. This may be different than the operation
+	// requested. e.g. a patch can result in either a CREATE or UPDATE Operation.
+	Operation Operation `json:"operation" protobuf:"bytes,7,opt,name=operation"`
+	// userInfo is information about the requesting user
+	UserInfo authenticationv1.UserInfo `json:"userInfo" protobuf:"bytes,8,opt,name=userInfo"`
+	// object is the object from the incoming request.
+	// +optional
+	Object runtime.RawExtension `json:"object,omitempty" protobuf:"bytes,9,opt,name=object"`
+	// oldObject is the existing object. Only populated for DELETE and UPDATE requests.
+	// +optional
+	OldObject runtime.RawExtension `json:"oldObject,omitempty" protobuf:"bytes,10,opt,name=oldObject"`
+	// dryRun indicates that modifications will definitely not be persisted for this request.
+	// Defaults to false.
+	// +optional
+	DryRun *bool `json:"dryRun,omitempty" protobuf:"varint,11,opt,name=dryRun"`
+	// options is the operation option structure of the operation being performed.
+	// e.g. `meta.k8s.io/v1.DeleteOptions` or `meta.k8s.io/v1.CreateOptions`. This may be
+	// different than the options the caller provided. e.g. for a patch request the performed
+	// Operation might be a CREATE, in which case the Options will a
+	// `meta.k8s.io/v1.CreateOptions` even though the caller provided `meta.k8s.io/v1.PatchOptions`.
+	// +optional
+	Options runtime.RawExtension `json:"options,omitempty" protobuf:"bytes,12,opt,name=options"`
+}
+
+// AdmissionResponse describes an admission response.
+type AdmissionResponse struct {
+	// uid is an identifier for the individual request/response.
+	// This must be copied over from the corresponding AdmissionRequest.
+	UID types.UID `json:"uid" protobuf:"bytes,1,opt,name=uid"`
+
+	// allowed indicates whether or not the admission request was permitted.
+	Allowed bool `json:"allowed" protobuf:"varint,2,opt,name=allowed"`
+
+	// status is the result contains extra details into why an admission request was denied.
+	// This field IS NOT consulted in any way if "Allowed" is "true".
+	// +optional
+	Result *metav1.Status `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
+
+	// patch is the patch body. Currently we only support "JSONPatch" which implements RFC 6902.
+	// +optional
+	Patch []byte `json:"patch,omitempty" protobuf:"bytes,4,opt,name=patch"`
+
+	// patchType is the type of Patch. Currently we only allow "JSONPatch".
+	// +optional
+	PatchType *PatchType `json:"patchType,omitempty" protobuf:"bytes,5,opt,name=patchType"`
+
+	// auditAnnotations is an unstructured key value map set by remote admission controller (e.g. error=image-blacklisted).
+	// MutatingAdmissionWebhook and ValidatingAdmissionWebhook admission controller will prefix the keys with
+	// admission webhook name (e.g. imagepolicy.example.com/error=image-blacklisted). AuditAnnotations will be provided by
+	// the admission webhook to add additional context to the audit log for this request.
+	// +optional
+	AuditAnnotations map[string]string `json:"auditAnnotations,omitempty" protobuf:"bytes,6,opt,name=auditAnnotations"`
+
+	// warnings is a list of warning messages to return to the requesting API client.
+	// Warning messages describe a problem the client making the API request should correct or be aware of.
+	// Limit warnings to 120 characters if possible.
+	// Warnings over 256 characters and large numbers of warnings may be truncated.
+	// +optional
+	// +listType=atomic
+	Warnings []string `json:"warnings,omitempty" protobuf:"bytes,7,rep,name=warnings"`
+}
+
+// PatchType is the type of patch being used to represent the mutated object
+type PatchType string
+
+// PatchType constants.
+const (
+	PatchTypeJSONPatch PatchType = "JSONPatch"
+)
+
+// Operation is the type of resource operation being checked for admission control
+type Operation string
+
+// Operation constants
+const (
+	Create  Operation = "CREATE"
+	Update  Operation = "UPDATE"
+	Delete  Operation = "DELETE"
+	Connect Operation = "CONNECT"
+)
@@ -0,0 +1,78 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+// This file contains a collection of methods that can be used from go-restful to
+// generate Swagger API documentation for its models. Please read this PR for more
+// information on the implementation: https://github.com/emicklei/go-restful/pull/215
+//
+// TODOs are ignored from the parser (e.g. TODO(andronat):... || TODO:...) if and only if
+// they are on one line! For multiple line or blocks that you want to ignore use ---.
+// Any context after a --- is ignored.
+//
+// Those methods can be generated by using hack/update-codegen.sh
+
+// AUTO-GENERATED FUNCTIONS START HERE. DO NOT EDIT.
+var map_AdmissionRequest = map[string]string{
+	"":                   "AdmissionRequest describes the admission.Attributes for the admission request.",
+	"uid":                "uid is an identifier for the individual request/response. It allows us to distinguish instances of requests which are otherwise identical (parallel requests, requests when earlier requests did not modify etc) The UID is meant to track the round trip (request/response) between the KAS and the WebHook, not the user request. It is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging.",
+	"kind":               "kind is the fully-qualified type of object being submitted (for example, v1.Pod or autoscaling.v1.Scale)",
+	"resource":           "resource is the fully-qualified resource being requested (for example, v1.pods)",
+	"subResource":        "subResource is the subresource being requested, if any (for example, \"status\" or \"scale\")",
+	"requestKind":        "requestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale). If this is specified and differs from the value in \"kind\", an equivalent match and conversion was performed.\n\nFor example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]` and `matchPolicy: Equivalent`, an API request to apps/v1beta1 deployments would be converted and sent to the webhook with `kind: {group:\"apps\", version:\"v1\", kind:\"Deployment\"}` (matching the rule the webhook registered for), and `requestKind: {group:\"apps\", version:\"v1beta1\", kind:\"Deployment\"}` (indicating the kind of the original API request).\n\nSee documentation for the \"matchPolicy\" field in the webhook configuration type for more details.",
+	"requestResource":    "requestResource is the fully-qualified resource of the original API request (for example, v1.pods). If this is specified and differs from the value in \"resource\", an equivalent match and conversion was performed.\n\nFor example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]` and `matchPolicy: Equivalent`, an API request to apps/v1beta1 deployments would be converted and sent to the webhook with `resource: {group:\"apps\", version:\"v1\", resource:\"deployments\"}` (matching the resource the webhook registered for), and `requestResource: {group:\"apps\", version:\"v1beta1\", resource:\"deployments\"}` (indicating the resource of the original API request).\n\nSee documentation for the \"matchPolicy\" field in the webhook configuration type.",
+	"requestSubResource": "requestSubResource is the name of the subresource of the original API request, if any (for example, \"status\" or \"scale\") If this is specified and differs from the value in \"subResource\", an equivalent match and conversion was performed. See documentation for the \"matchPolicy\" field in the webhook configuration type.",
+	"name":               "name is the name of the object as presented in the request.  On a CREATE operation, the client may omit name and rely on the server to generate the name.  If that is the case, this field will contain an empty string.",
+	"namespace":          "namespace is the namespace associated with the request (if any).",
+	"operation":          "operation is the operation being performed. This may be different than the operation requested. e.g. a patch can result in either a CREATE or UPDATE Operation.",
+	"userInfo":           "userInfo is information about the requesting user",
+	"object":             "object is the object from the incoming request.",
+	"oldObject":          "oldObject is the existing object. Only populated for DELETE and UPDATE requests.",
+	"dryRun":             "dryRun indicates that modifications will definitely not be persisted for this request. Defaults to false.",
+	"options":            "options is the operation option structure of the operation being performed. e.g. `meta.k8s.io/v1.DeleteOptions` or `meta.k8s.io/v1.CreateOptions`. This may be different than the options the caller provided. e.g. for a patch request the performed Operation might be a CREATE, in which case the Options will a `meta.k8s.io/v1.CreateOptions` even though the caller provided `meta.k8s.io/v1.PatchOptions`.",
+}
+
+func (AdmissionRequest) SwaggerDoc() map[string]string {
+	return map_AdmissionRequest
+}
+
+var map_AdmissionResponse = map[string]string{
+	"":                 "AdmissionResponse describes an admission response.",
+	"uid":              "uid is an identifier for the individual request/response. This must be copied over from the corresponding AdmissionRequest.",
+	"allowed":          "allowed indicates whether or not the admission request was permitted.",
+	"status":           "status is the result contains extra details into why an admission request was denied. This field IS NOT consulted in any way if \"Allowed\" is \"true\".",
+	"patch":            "patch is the patch body. Currently we only support \"JSONPatch\" which implements RFC 6902.",
+	"patchType":        "patchType is the type of Patch. Currently we only allow \"JSONPatch\".",
+	"auditAnnotations": "auditAnnotations is an unstructured key value map set by remote admission controller (e.g. error=image-blacklisted). MutatingAdmissionWebhook and ValidatingAdmissionWebhook admission controller will prefix the keys with admission webhook name (e.g. imagepolicy.example.com/error=image-blacklisted). AuditAnnotations will be provided by the admission webhook to add additional context to the audit log for this request.",
+	"warnings":         "warnings is a list of warning messages to return to the requesting API client. Warning messages describe a problem the client making the API request should correct or be aware of. Limit warnings to 120 characters if possible. Warnings over 256 characters and large numbers of warnings may be truncated.",
+}
+
+func (AdmissionResponse) SwaggerDoc() map[string]string {
+	return map_AdmissionResponse
+}
+
+var map_AdmissionReview = map[string]string{
+	"":         "AdmissionReview describes an admission review request/response.",
+	"request":  "request describes the attributes for the admission request.",
+	"response": "response describes the attributes for the admission response.",
+}
+
+func (AdmissionReview) SwaggerDoc() map[string]string {
+	return map_AdmissionReview
+}
+
+// AUTO-GENERATED FUNCTIONS END HERE
@@ -0,0 +1,142 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by deepcopy-gen. DO NOT EDIT.
+
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AdmissionRequest) DeepCopyInto(out *AdmissionRequest) {
+	*out = *in
+	out.Kind = in.Kind
+	out.Resource = in.Resource
+	if in.RequestKind != nil {
+		in, out := &in.RequestKind, &out.RequestKind
+		*out = new(metav1.GroupVersionKind)
+		**out = **in
+	}
+	if in.RequestResource != nil {
+		in, out := &in.RequestResource, &out.RequestResource
+		*out = new(metav1.GroupVersionResource)
+		**out = **in
+	}
+	in.UserInfo.DeepCopyInto(&out.UserInfo)
+	in.Object.DeepCopyInto(&out.Object)
+	in.OldObject.DeepCopyInto(&out.OldObject)
+	if in.DryRun != nil {
+		in, out := &in.DryRun, &out.DryRun
+		*out = new(bool)
+		**out = **in
+	}
+	in.Options.DeepCopyInto(&out.Options)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdmissionRequest.
+func (in *AdmissionRequest) DeepCopy() *AdmissionRequest {
+	if in == nil {
+		return nil
+	}
+	out := new(AdmissionRequest)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AdmissionResponse) DeepCopyInto(out *AdmissionResponse) {
+	*out = *in
+	if in.Result != nil {
+		in, out := &in.Result, &out.Result
+		*out = new(metav1.Status)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Patch != nil {
+		in, out := &in.Patch, &out.Patch
+		*out = make([]byte, len(*in))
+		copy(*out, *in)
+	}
+	if in.PatchType != nil {
+		in, out := &in.PatchType, &out.PatchType
+		*out = new(PatchType)
+		**out = **in
+	}
+	if in.AuditAnnotations != nil {
+		in, out := &in.AuditAnnotations, &out.AuditAnnotations
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+	if in.Warnings != nil {
+		in, out := &in.Warnings, &out.Warnings
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdmissionResponse.
+func (in *AdmissionResponse) DeepCopy() *AdmissionResponse {
+	if in == nil {
+		return nil
+	}
+	out := new(AdmissionResponse)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AdmissionReview) DeepCopyInto(out *AdmissionReview) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	if in.Request != nil {
+		in, out := &in.Request, &out.Request
+		*out = new(AdmissionRequest)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Response != nil {
+		in, out := &in.Response, &out.Response
+		*out = new(AdmissionResponse)
+		(*in).DeepCopyInto(*out)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdmissionReview.
+func (in *AdmissionReview) DeepCopy() *AdmissionReview {
+	if in == nil {
+		return nil
+	}
+	out := new(AdmissionReview)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *AdmissionReview) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
@@ -0,0 +1,37 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in AdmissionRequest) OpenAPIModelName() string {
+	return "io.k8s.api.admission.v1.AdmissionRequest"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in AdmissionResponse) OpenAPIModelName() string {
+	return "io.k8s.api.admission.v1.AdmissionResponse"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in AdmissionReview) OpenAPIModelName() string {
+	return "io.k8s.api.admission.v1.AdmissionReview"
+}
@@ -0,0 +1,28 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by prerelease-lifecycle-gen. DO NOT EDIT.
+
+package v1
+
+// APILifecycleIntroduced is an autogenerated function, returning the release in which the API struct was introduced as int versions of major and minor for comparison.
+// It is controlled by "k8s:prerelease-lifecycle-gen:introduced" tags in types.go.
+func (in *AdmissionReview) APILifecycleIntroduced() (major, minor int) {
+	return 1, 19
+}
@@ -0,0 +1,25 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// +k8s:deepcopy-gen=package
+// +k8s:protobuf-gen=package
+// +k8s:openapi-gen=false
+// +k8s:prerelease-lifecycle-gen=true
+// +k8s:openapi-model-package=io.k8s.api.admission.v1beta1
+
+// +groupName=admission.k8s.io
+
+package v1beta1
@@ -0,0 +1,168 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+
+// This file was autogenerated by go-to-protobuf. Do not edit it manually!
+
+syntax = "proto2";
+
+package k8s.io.api.admission.v1beta1;
+
+import "k8s.io/api/authentication/v1/generated.proto";
+import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
+import "k8s.io/apimachinery/pkg/runtime/generated.proto";
+import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
+
+// Package-wide variables from generator "generated".
+option go_package = "k8s.io/api/admission/v1beta1";
+
+// AdmissionRequest describes the admission.Attributes for the admission request.
+message AdmissionRequest {
+  // uid is an identifier for the individual request/response. It allows us to distinguish instances of requests which are
+  // otherwise identical (parallel requests, requests when earlier requests did not modify etc)
+  // The UID is meant to track the round trip (request/response) between the KAS and the WebHook, not the user request.
+  // It is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging.
+  optional string uid = 1;
+
+  // kind is the fully-qualified type of object being submitted (for example, v1.Pod or autoscaling.v1.Scale)
+  optional .k8s.io.apimachinery.pkg.apis.meta.v1.GroupVersionKind kind = 2;
+
+  // resource is the fully-qualified resource being requested (for example, v1.pods)
+  optional .k8s.io.apimachinery.pkg.apis.meta.v1.GroupVersionResource resource = 3;
+
+  // subResource is the subresource being requested, if any (for example, "status" or "scale")
+  // +optional
+  optional string subResource = 4;
+
+  // requestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale).
+  // If this is specified and differs from the value in "kind", an equivalent match and conversion was performed.
+  //
+  // For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of
+  // `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`,
+  // an API request to apps/v1beta1 deployments would be converted and sent to the webhook
+  // with `kind: {group:"apps", version:"v1", kind:"Deployment"}` (matching the rule the webhook registered for),
+  // and `requestKind: {group:"apps", version:"v1beta1", kind:"Deployment"}` (indicating the kind of the original API request).
+  //
+  // See documentation for the "matchPolicy" field in the webhook configuration type for more details.
+  // +optional
+  optional .k8s.io.apimachinery.pkg.apis.meta.v1.GroupVersionKind requestKind = 13;
+
+  // requestResource is the fully-qualified resource of the original API request (for example, v1.pods).
+  // If this is specified and differs from the value in "resource", an equivalent match and conversion was performed.
+  //
+  // For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of
+  // `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`,
+  // an API request to apps/v1beta1 deployments would be converted and sent to the webhook
+  // with `resource: {group:"apps", version:"v1", resource:"deployments"}` (matching the resource the webhook registered for),
+  // and `requestResource: {group:"apps", version:"v1beta1", resource:"deployments"}` (indicating the resource of the original API request).
+  //
+  // See documentation for the "matchPolicy" field in the webhook configuration type.
+  // +optional
+  optional .k8s.io.apimachinery.pkg.apis.meta.v1.GroupVersionResource requestResource = 14;
+
+  // requestSubResource is the name of the subresource of the original API request, if any (for example, "status" or "scale")
+  // If this is specified and differs from the value in "subResource", an equivalent match and conversion was performed.
+  // See documentation for the "matchPolicy" field in the webhook configuration type.
+  // +optional
+  optional string requestSubResource = 15;
+
+  // name is the name of the object as presented in the request.  On a CREATE operation, the client may omit name and
+  // rely on the server to generate the name.  If that is the case, this field will contain an empty string.
+  // +optional
+  optional string name = 5;
+
+  // namespace is the namespace associated with the request (if any).
+  // +optional
+  optional string namespace = 6;
+
+  // operation is the operation being performed. This may be different than the operation
+  // requested. e.g. a patch can result in either a CREATE or UPDATE Operation.
+  optional string operation = 7;
+
+  // userInfo is information about the requesting user
+  optional .k8s.io.api.authentication.v1.UserInfo userInfo = 8;
+
+  // object is the object from the incoming request.
+  // +optional
+  optional .k8s.io.apimachinery.pkg.runtime.RawExtension object = 9;
+
+  // oldObject is the existing object. Only populated for DELETE and UPDATE requests.
+  // +optional
+  optional .k8s.io.apimachinery.pkg.runtime.RawExtension oldObject = 10;
+
+  // dryRun indicates that modifications will definitely not be persisted for this request.
+  // Defaults to false.
+  // +optional
+  optional bool dryRun = 11;
+
+  // options is the operation option structure of the operation being performed.
+  // e.g. `meta.k8s.io/v1.DeleteOptions` or `meta.k8s.io/v1.CreateOptions`. This may be
+  // different than the options the caller provided. e.g. for a patch request the performed
+  // Operation might be a CREATE, in which case the Options will a
+  // `meta.k8s.io/v1.CreateOptions` even though the caller provided `meta.k8s.io/v1.PatchOptions`.
+  // +optional
+  optional .k8s.io.apimachinery.pkg.runtime.RawExtension options = 12;
+}
+
+// AdmissionResponse describes an admission response.
+message AdmissionResponse {
+  // uid is an identifier for the individual request/response.
+  // This should be copied over from the corresponding AdmissionRequest.
+  optional string uid = 1;
+
+  // allowed indicates whether or not the admission request was permitted.
+  optional bool allowed = 2;
+
+  // status is the result contains extra details into why an admission request was denied.
+  // This field IS NOT consulted in any way if "Allowed" is "true".
+  // +optional
+  optional .k8s.io.apimachinery.pkg.apis.meta.v1.Status status = 3;
+
+  // patch is the patch body. Currently we only support "JSONPatch" which implements RFC 6902.
+  // +optional
+  optional bytes patch = 4;
+
+  // patchType is the type of Patch. Currently we only allow "JSONPatch".
+  // +optional
+  optional string patchType = 5;
+
+  // auditAnnotations is an unstructured key value map set by remote admission controller (e.g. error=image-blacklisted).
+  // MutatingAdmissionWebhook and ValidatingAdmissionWebhook admission controller will prefix the keys with
+  // admission webhook name (e.g. imagepolicy.example.com/error=image-blacklisted). AuditAnnotations will be provided by
+  // the admission webhook to add additional context to the audit log for this request.
+  // +optional
+  map<string, string> auditAnnotations = 6;
+
+  // warnings is a list of warning messages to return to the requesting API client.
+  // Warning messages describe a problem the client making the API request should correct or be aware of.
+  // Limit warnings to 120 characters if possible.
+  // Warnings over 256 characters and large numbers of warnings may be truncated.
+  // +optional
+  // +listType=atomic
+  repeated string warnings = 7;
+}
+
+// AdmissionReview describes an admission review request/response.
+message AdmissionReview {
+  // request describes the attributes for the admission request.
+  // +optional
+  optional AdmissionRequest request = 1;
+
+  // response describes the attributes for the admission response.
+  // +optional
+  optional AdmissionResponse response = 2;
+}
+
@@ -0,0 +1,28 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v1beta1
+
+func (*AdmissionRequest) ProtoMessage() {}
+
+func (*AdmissionResponse) ProtoMessage() {}
+
+func (*AdmissionReview) ProtoMessage() {}
@@ -0,0 +1,53 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+// GroupName is the group name for this API.
+const GroupName = "admission.k8s.io"
+
+// SchemeGroupVersion is group version used to register these objects
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1beta1"}
+
+// Resource takes an unqualified resource and returns a Group qualified GroupResource
+func Resource(resource string) schema.GroupResource {
+	return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
+
+// TODO: move SchemeBuilder with zz_generated.deepcopy.go to k8s.io/api.
+// localSchemeBuilder and AddToScheme will stay in k8s.io/kubernetes.
+var (
+	// SchemeBuilder points to a list of functions added to Scheme.
+	SchemeBuilder      = runtime.NewSchemeBuilder(addKnownTypes)
+	localSchemeBuilder = &SchemeBuilder
+	// AddToScheme is a common registration function for mapping packaged scoped group & version keys to a scheme.
+	AddToScheme = localSchemeBuilder.AddToScheme
+)
+
+// Adds the list of known types to the given scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&AdmissionReview{},
+	)
+	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+	return nil
+}
@@ -0,0 +1,175 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	authenticationv1 "k8s.io/api/authentication/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/types"
+)
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +k8s:prerelease-lifecycle-gen:introduced=1.9
+// +k8s:prerelease-lifecycle-gen:deprecated=1.19
+// This API is never server served.  It is used for outbound requests from apiservers.  This will ensure it never gets served accidentally
+// and having the generator against this group will protect future APIs which may be served.
+// +k8s:prerelease-lifecycle-gen:replacement=admission.k8s.io,v1,AdmissionReview
+
+// AdmissionReview describes an admission review request/response.
+type AdmissionReview struct {
+	metav1.TypeMeta `json:",inline"`
+	// request describes the attributes for the admission request.
+	// +optional
+	Request *AdmissionRequest `json:"request,omitempty" protobuf:"bytes,1,opt,name=request"`
+	// response describes the attributes for the admission response.
+	// +optional
+	Response *AdmissionResponse `json:"response,omitempty" protobuf:"bytes,2,opt,name=response"`
+}
+
+// AdmissionRequest describes the admission.Attributes for the admission request.
+type AdmissionRequest struct {
+	// uid is an identifier for the individual request/response. It allows us to distinguish instances of requests which are
+	// otherwise identical (parallel requests, requests when earlier requests did not modify etc)
+	// The UID is meant to track the round trip (request/response) between the KAS and the WebHook, not the user request.
+	// It is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging.
+	UID types.UID `json:"uid" protobuf:"bytes,1,opt,name=uid"`
+	// kind is the fully-qualified type of object being submitted (for example, v1.Pod or autoscaling.v1.Scale)
+	Kind metav1.GroupVersionKind `json:"kind" protobuf:"bytes,2,opt,name=kind"`
+	// resource is the fully-qualified resource being requested (for example, v1.pods)
+	Resource metav1.GroupVersionResource `json:"resource" protobuf:"bytes,3,opt,name=resource"`
+	// subResource is the subresource being requested, if any (for example, "status" or "scale")
+	// +optional
+	SubResource string `json:"subResource,omitempty" protobuf:"bytes,4,opt,name=subResource"`
+
+	// requestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale).
+	// If this is specified and differs from the value in "kind", an equivalent match and conversion was performed.
+	//
+	// For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of
+	// `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`,
+	// an API request to apps/v1beta1 deployments would be converted and sent to the webhook
+	// with `kind: {group:"apps", version:"v1", kind:"Deployment"}` (matching the rule the webhook registered for),
+	// and `requestKind: {group:"apps", version:"v1beta1", kind:"Deployment"}` (indicating the kind of the original API request).
+	//
+	// See documentation for the "matchPolicy" field in the webhook configuration type for more details.
+	// +optional
+	RequestKind *metav1.GroupVersionKind `json:"requestKind,omitempty" protobuf:"bytes,13,opt,name=requestKind"`
+	// requestResource is the fully-qualified resource of the original API request (for example, v1.pods).
+	// If this is specified and differs from the value in "resource", an equivalent match and conversion was performed.
+	//
+	// For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of
+	// `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`,
+	// an API request to apps/v1beta1 deployments would be converted and sent to the webhook
+	// with `resource: {group:"apps", version:"v1", resource:"deployments"}` (matching the resource the webhook registered for),
+	// and `requestResource: {group:"apps", version:"v1beta1", resource:"deployments"}` (indicating the resource of the original API request).
+	//
+	// See documentation for the "matchPolicy" field in the webhook configuration type.
+	// +optional
+	RequestResource *metav1.GroupVersionResource `json:"requestResource,omitempty" protobuf:"bytes,14,opt,name=requestResource"`
+	// requestSubResource is the name of the subresource of the original API request, if any (for example, "status" or "scale")
+	// If this is specified and differs from the value in "subResource", an equivalent match and conversion was performed.
+	// See documentation for the "matchPolicy" field in the webhook configuration type.
+	// +optional
+	RequestSubResource string `json:"requestSubResource,omitempty" protobuf:"bytes,15,opt,name=requestSubResource"`
+
+	// name is the name of the object as presented in the request.  On a CREATE operation, the client may omit name and
+	// rely on the server to generate the name.  If that is the case, this field will contain an empty string.
+	// +optional
+	Name string `json:"name,omitempty" protobuf:"bytes,5,opt,name=name"`
+	// namespace is the namespace associated with the request (if any).
+	// +optional
+	Namespace string `json:"namespace,omitempty" protobuf:"bytes,6,opt,name=namespace"`
+	// operation is the operation being performed. This may be different than the operation
+	// requested. e.g. a patch can result in either a CREATE or UPDATE Operation.
+	Operation Operation `json:"operation" protobuf:"bytes,7,opt,name=operation"`
+	// userInfo is information about the requesting user
+	UserInfo authenticationv1.UserInfo `json:"userInfo" protobuf:"bytes,8,opt,name=userInfo"`
+	// object is the object from the incoming request.
+	// +optional
+	Object runtime.RawExtension `json:"object,omitempty" protobuf:"bytes,9,opt,name=object"`
+	// oldObject is the existing object. Only populated for DELETE and UPDATE requests.
+	// +optional
+	OldObject runtime.RawExtension `json:"oldObject,omitempty" protobuf:"bytes,10,opt,name=oldObject"`
+	// dryRun indicates that modifications will definitely not be persisted for this request.
+	// Defaults to false.
+	// +optional
+	DryRun *bool `json:"dryRun,omitempty" protobuf:"varint,11,opt,name=dryRun"`
+	// options is the operation option structure of the operation being performed.
+	// e.g. `meta.k8s.io/v1.DeleteOptions` or `meta.k8s.io/v1.CreateOptions`. This may be
+	// different than the options the caller provided. e.g. for a patch request the performed
+	// Operation might be a CREATE, in which case the Options will a
+	// `meta.k8s.io/v1.CreateOptions` even though the caller provided `meta.k8s.io/v1.PatchOptions`.
+	// +optional
+	Options runtime.RawExtension `json:"options,omitempty" protobuf:"bytes,12,opt,name=options"`
+}
+
+// AdmissionResponse describes an admission response.
+type AdmissionResponse struct {
+	// uid is an identifier for the individual request/response.
+	// This should be copied over from the corresponding AdmissionRequest.
+	UID types.UID `json:"uid" protobuf:"bytes,1,opt,name=uid"`
+
+	// allowed indicates whether or not the admission request was permitted.
+	Allowed bool `json:"allowed" protobuf:"varint,2,opt,name=allowed"`
+
+	// status is the result contains extra details into why an admission request was denied.
+	// This field IS NOT consulted in any way if "Allowed" is "true".
+	// +optional
+	Result *metav1.Status `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
+
+	// patch is the patch body. Currently we only support "JSONPatch" which implements RFC 6902.
+	// +optional
+	Patch []byte `json:"patch,omitempty" protobuf:"bytes,4,opt,name=patch"`
+
+	// patchType is the type of Patch. Currently we only allow "JSONPatch".
+	// +optional
+	PatchType *PatchType `json:"patchType,omitempty" protobuf:"bytes,5,opt,name=patchType"`
+
+	// auditAnnotations is an unstructured key value map set by remote admission controller (e.g. error=image-blacklisted).
+	// MutatingAdmissionWebhook and ValidatingAdmissionWebhook admission controller will prefix the keys with
+	// admission webhook name (e.g. imagepolicy.example.com/error=image-blacklisted). AuditAnnotations will be provided by
+	// the admission webhook to add additional context to the audit log for this request.
+	// +optional
+	AuditAnnotations map[string]string `json:"auditAnnotations,omitempty" protobuf:"bytes,6,opt,name=auditAnnotations"`
+
+	// warnings is a list of warning messages to return to the requesting API client.
+	// Warning messages describe a problem the client making the API request should correct or be aware of.
+	// Limit warnings to 120 characters if possible.
+	// Warnings over 256 characters and large numbers of warnings may be truncated.
+	// +optional
+	// +listType=atomic
+	Warnings []string `json:"warnings,omitempty" protobuf:"bytes,7,rep,name=warnings"`
+}
+
+// PatchType is the type of patch being used to represent the mutated object
+type PatchType string
+
+// PatchType constants.
+const (
+	PatchTypeJSONPatch PatchType = "JSONPatch"
+)
+
+// Operation is the type of resource operation being checked for admission control
+type Operation string
+
+// Operation constants
+const (
+	Create  Operation = "CREATE"
+	Update  Operation = "UPDATE"
+	Delete  Operation = "DELETE"
+	Connect Operation = "CONNECT"
+)
@@ -0,0 +1,78 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+// This file contains a collection of methods that can be used from go-restful to
+// generate Swagger API documentation for its models. Please read this PR for more
+// information on the implementation: https://github.com/emicklei/go-restful/pull/215
+//
+// TODOs are ignored from the parser (e.g. TODO(andronat):... || TODO:...) if and only if
+// they are on one line! For multiple line or blocks that you want to ignore use ---.
+// Any context after a --- is ignored.
+//
+// Those methods can be generated by using hack/update-codegen.sh
+
+// AUTO-GENERATED FUNCTIONS START HERE. DO NOT EDIT.
+var map_AdmissionRequest = map[string]string{
+	"":                   "AdmissionRequest describes the admission.Attributes for the admission request.",
+	"uid":                "uid is an identifier for the individual request/response. It allows us to distinguish instances of requests which are otherwise identical (parallel requests, requests when earlier requests did not modify etc) The UID is meant to track the round trip (request/response) between the KAS and the WebHook, not the user request. It is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging.",
+	"kind":               "kind is the fully-qualified type of object being submitted (for example, v1.Pod or autoscaling.v1.Scale)",
+	"resource":           "resource is the fully-qualified resource being requested (for example, v1.pods)",
+	"subResource":        "subResource is the subresource being requested, if any (for example, \"status\" or \"scale\")",
+	"requestKind":        "requestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale). If this is specified and differs from the value in \"kind\", an equivalent match and conversion was performed.\n\nFor example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]` and `matchPolicy: Equivalent`, an API request to apps/v1beta1 deployments would be converted and sent to the webhook with `kind: {group:\"apps\", version:\"v1\", kind:\"Deployment\"}` (matching the rule the webhook registered for), and `requestKind: {group:\"apps\", version:\"v1beta1\", kind:\"Deployment\"}` (indicating the kind of the original API request).\n\nSee documentation for the \"matchPolicy\" field in the webhook configuration type for more details.",
+	"requestResource":    "requestResource is the fully-qualified resource of the original API request (for example, v1.pods). If this is specified and differs from the value in \"resource\", an equivalent match and conversion was performed.\n\nFor example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]` and `matchPolicy: Equivalent`, an API request to apps/v1beta1 deployments would be converted and sent to the webhook with `resource: {group:\"apps\", version:\"v1\", resource:\"deployments\"}` (matching the resource the webhook registered for), and `requestResource: {group:\"apps\", version:\"v1beta1\", resource:\"deployments\"}` (indicating the resource of the original API request).\n\nSee documentation for the \"matchPolicy\" field in the webhook configuration type.",
+	"requestSubResource": "requestSubResource is the name of the subresource of the original API request, if any (for example, \"status\" or \"scale\") If this is specified and differs from the value in \"subResource\", an equivalent match and conversion was performed. See documentation for the \"matchPolicy\" field in the webhook configuration type.",
+	"name":               "name is the name of the object as presented in the request.  On a CREATE operation, the client may omit name and rely on the server to generate the name.  If that is the case, this field will contain an empty string.",
+	"namespace":          "namespace is the namespace associated with the request (if any).",
+	"operation":          "operation is the operation being performed. This may be different than the operation requested. e.g. a patch can result in either a CREATE or UPDATE Operation.",
+	"userInfo":           "userInfo is information about the requesting user",
+	"object":             "object is the object from the incoming request.",
+	"oldObject":          "oldObject is the existing object. Only populated for DELETE and UPDATE requests.",
+	"dryRun":             "dryRun indicates that modifications will definitely not be persisted for this request. Defaults to false.",
+	"options":            "options is the operation option structure of the operation being performed. e.g. `meta.k8s.io/v1.DeleteOptions` or `meta.k8s.io/v1.CreateOptions`. This may be different than the options the caller provided. e.g. for a patch request the performed Operation might be a CREATE, in which case the Options will a `meta.k8s.io/v1.CreateOptions` even though the caller provided `meta.k8s.io/v1.PatchOptions`.",
+}
+
+func (AdmissionRequest) SwaggerDoc() map[string]string {
+	return map_AdmissionRequest
+}
+
+var map_AdmissionResponse = map[string]string{
+	"":                 "AdmissionResponse describes an admission response.",
+	"uid":              "uid is an identifier for the individual request/response. This should be copied over from the corresponding AdmissionRequest.",
+	"allowed":          "allowed indicates whether or not the admission request was permitted.",
+	"status":           "status is the result contains extra details into why an admission request was denied. This field IS NOT consulted in any way if \"Allowed\" is \"true\".",
+	"patch":            "patch is the patch body. Currently we only support \"JSONPatch\" which implements RFC 6902.",
+	"patchType":        "patchType is the type of Patch. Currently we only allow \"JSONPatch\".",
+	"auditAnnotations": "auditAnnotations is an unstructured key value map set by remote admission controller (e.g. error=image-blacklisted). MutatingAdmissionWebhook and ValidatingAdmissionWebhook admission controller will prefix the keys with admission webhook name (e.g. imagepolicy.example.com/error=image-blacklisted). AuditAnnotations will be provided by the admission webhook to add additional context to the audit log for this request.",
+	"warnings":         "warnings is a list of warning messages to return to the requesting API client. Warning messages describe a problem the client making the API request should correct or be aware of. Limit warnings to 120 characters if possible. Warnings over 256 characters and large numbers of warnings may be truncated.",
+}
+
+func (AdmissionResponse) SwaggerDoc() map[string]string {
+	return map_AdmissionResponse
+}
+
+var map_AdmissionReview = map[string]string{
+	"":         "AdmissionReview describes an admission review request/response.",
+	"request":  "request describes the attributes for the admission request.",
+	"response": "response describes the attributes for the admission response.",
+}
+
+func (AdmissionReview) SwaggerDoc() map[string]string {
+	return map_AdmissionReview
+}
+
+// AUTO-GENERATED FUNCTIONS END HERE
@@ -0,0 +1,142 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by deepcopy-gen. DO NOT EDIT.
+
+package v1beta1
+
+import (
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AdmissionRequest) DeepCopyInto(out *AdmissionRequest) {
+	*out = *in
+	out.Kind = in.Kind
+	out.Resource = in.Resource
+	if in.RequestKind != nil {
+		in, out := &in.RequestKind, &out.RequestKind
+		*out = new(v1.GroupVersionKind)
+		**out = **in
+	}
+	if in.RequestResource != nil {
+		in, out := &in.RequestResource, &out.RequestResource
+		*out = new(v1.GroupVersionResource)
+		**out = **in
+	}
+	in.UserInfo.DeepCopyInto(&out.UserInfo)
+	in.Object.DeepCopyInto(&out.Object)
+	in.OldObject.DeepCopyInto(&out.OldObject)
+	if in.DryRun != nil {
+		in, out := &in.DryRun, &out.DryRun
+		*out = new(bool)
+		**out = **in
+	}
+	in.Options.DeepCopyInto(&out.Options)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdmissionRequest.
+func (in *AdmissionRequest) DeepCopy() *AdmissionRequest {
+	if in == nil {
+		return nil
+	}
+	out := new(AdmissionRequest)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AdmissionResponse) DeepCopyInto(out *AdmissionResponse) {
+	*out = *in
+	if in.Result != nil {
+		in, out := &in.Result, &out.Result
+		*out = new(v1.Status)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Patch != nil {
+		in, out := &in.Patch, &out.Patch
+		*out = make([]byte, len(*in))
+		copy(*out, *in)
+	}
+	if in.PatchType != nil {
+		in, out := &in.PatchType, &out.PatchType
+		*out = new(PatchType)
+		**out = **in
+	}
+	if in.AuditAnnotations != nil {
+		in, out := &in.AuditAnnotations, &out.AuditAnnotations
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+	if in.Warnings != nil {
+		in, out := &in.Warnings, &out.Warnings
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdmissionResponse.
+func (in *AdmissionResponse) DeepCopy() *AdmissionResponse {
+	if in == nil {
+		return nil
+	}
+	out := new(AdmissionResponse)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AdmissionReview) DeepCopyInto(out *AdmissionReview) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	if in.Request != nil {
+		in, out := &in.Request, &out.Request
+		*out = new(AdmissionRequest)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Response != nil {
+		in, out := &in.Response, &out.Response
+		*out = new(AdmissionResponse)
+		(*in).DeepCopyInto(*out)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdmissionReview.
+func (in *AdmissionReview) DeepCopy() *AdmissionReview {
+	if in == nil {
+		return nil
+	}
+	out := new(AdmissionReview)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *AdmissionReview) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
@@ -0,0 +1,37 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1beta1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in AdmissionRequest) OpenAPIModelName() string {
+	return "io.k8s.api.admission.v1beta1.AdmissionRequest"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in AdmissionResponse) OpenAPIModelName() string {
+	return "io.k8s.api.admission.v1beta1.AdmissionResponse"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in AdmissionReview) OpenAPIModelName() string {
+	return "io.k8s.api.admission.v1beta1.AdmissionReview"
+}
@@ -0,0 +1,50 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by prerelease-lifecycle-gen. DO NOT EDIT.
+
+package v1beta1
+
+import (
+	schema "k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+// APILifecycleIntroduced is an autogenerated function, returning the release in which the API struct was introduced as int versions of major and minor for comparison.
+// It is controlled by "k8s:prerelease-lifecycle-gen:introduced" tags in types.go.
+func (in *AdmissionReview) APILifecycleIntroduced() (major, minor int) {
+	return 1, 9
+}
+
+// APILifecycleDeprecated is an autogenerated function, returning the release in which the API struct was or will be deprecated as int versions of major and minor for comparison.
+// It is controlled by "k8s:prerelease-lifecycle-gen:deprecated" tags in types.go or  "k8s:prerelease-lifecycle-gen:introduced" plus three minor.
+func (in *AdmissionReview) APILifecycleDeprecated() (major, minor int) {
+	return 1, 19
+}
+
+// APILifecycleReplacement is an autogenerated function, returning the group, version, and kind that should be used instead of this deprecated type.
+// It is controlled by "k8s:prerelease-lifecycle-gen:replacement=<group>,<version>,<kind>" tags in types.go.
+func (in *AdmissionReview) APILifecycleReplacement() schema.GroupVersionKind {
+	return schema.GroupVersionKind{Group: "admission.k8s.io", Version: "v1", Kind: "AdmissionReview"}
+}
+
+// APILifecycleRemoved is an autogenerated function, returning the release in which the API is no longer served as int versions of major and minor for comparison.
+// It is controlled by "k8s:prerelease-lifecycle-gen:removed" tags in types.go or  "k8s:prerelease-lifecycle-gen:deprecated" plus three minor.
+func (in *AdmissionReview) APILifecycleRemoved() (major, minor int) {
+	return 1, 22
+}
@@ -0,0 +1,24 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// +k8s:deepcopy-gen=package
+// +k8s:protobuf-gen=package
+// +k8s:openapi-gen=true
+// +k8s:openapi-model-package=io.k8s.api.imagepolicy.v1alpha1
+
+// +groupName=imagepolicy.k8s.io
+
+package v1alpha1
@@ -0,0 +1,89 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+
+// This file was autogenerated by go-to-protobuf. Do not edit it manually!
+
+syntax = "proto2";
+
+package k8s.io.api.imagepolicy.v1alpha1;
+
+import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
+import "k8s.io/apimachinery/pkg/runtime/generated.proto";
+import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
+
+// Package-wide variables from generator "generated".
+option go_package = "k8s.io/api/imagepolicy/v1alpha1";
+
+// ImageReview checks if the set of images in a pod are allowed.
+message ImageReview {
+  // Standard object's metadata.
+  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+  // +optional
+  optional .k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // Spec holds information about the pod being evaluated
+  optional ImageReviewSpec spec = 2;
+
+  // Status is filled in by the backend and indicates whether the pod should be allowed.
+  // +optional
+  optional ImageReviewStatus status = 3;
+}
+
+// ImageReviewContainerSpec is a description of a container within the pod creation request.
+message ImageReviewContainerSpec {
+  // This can be in the form image:tag or image@SHA:012345679abcdef.
+  // +optional
+  optional string image = 1;
+}
+
+// ImageReviewSpec is a description of the pod creation request.
+message ImageReviewSpec {
+  // Containers is a list of a subset of the information in each container of the Pod being created.
+  // +optional
+  // +listType=atomic
+  repeated ImageReviewContainerSpec containers = 1;
+
+  // Annotations is a list of key-value pairs extracted from the Pod's annotations.
+  // It only includes keys which match the pattern `*.image-policy.k8s.io/*`.
+  // It is up to each webhook backend to determine how to interpret these annotations, if at all.
+  // +optional
+  map<string, string> annotations = 2;
+
+  // Namespace is the namespace the pod is being created in.
+  // +optional
+  optional string namespace = 3;
+}
+
+// ImageReviewStatus is the result of the review for the pod creation request.
+message ImageReviewStatus {
+  // Allowed indicates that all images were allowed to be run.
+  optional bool allowed = 1;
+
+  // Reason should be empty unless Allowed is false in which case it
+  // may contain a short description of what is wrong.  Kubernetes
+  // may truncate excessively long errors when displaying to the user.
+  // +optional
+  optional string reason = 2;
+
+  // AuditAnnotations will be added to the attributes object of the
+  // admission controller request using 'AddAnnotation'.  The keys should
+  // be prefix-less (i.e., the admission controller will add an
+  // appropriate prefix).
+  // +optional
+  map<string, string> auditAnnotations = 3;
+}
+
@@ -0,0 +1,30 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v1alpha1
+
+func (*ImageReview) ProtoMessage() {}
+
+func (*ImageReviewContainerSpec) ProtoMessage() {}
+
+func (*ImageReviewSpec) ProtoMessage() {}
+
+func (*ImageReviewStatus) ProtoMessage() {}
@@ -0,0 +1,51 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+// GroupName is the group name for this API.
+const GroupName = "imagepolicy.k8s.io"
+
+// SchemeGroupVersion is group version used to register these objects
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
+
+// Resource takes an unqualified resource and returns a Group qualified GroupResource
+func Resource(resource string) schema.GroupResource {
+	return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
+
+var (
+	// TODO: move SchemeBuilder with zz_generated.deepcopy.go to k8s.io/api.
+	// localSchemeBuilder and AddToScheme will stay in k8s.io/kubernetes.
+	SchemeBuilder      = runtime.NewSchemeBuilder(addKnownTypes)
+	localSchemeBuilder = &SchemeBuilder
+	AddToScheme        = localSchemeBuilder.AddToScheme
+)
+
+// Adds the list of known types to the given scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&ImageReview{},
+	)
+	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+	return nil
+}
@@ -0,0 +1,83 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +genclient
+// +genclient:nonNamespaced
+// +genclient:noVerbs
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// ImageReview checks if the set of images in a pod are allowed.
+type ImageReview struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Spec holds information about the pod being evaluated
+	Spec ImageReviewSpec `json:"spec" protobuf:"bytes,2,opt,name=spec"`
+
+	// Status is filled in by the backend and indicates whether the pod should be allowed.
+	// +optional
+	Status ImageReviewStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
+}
+
+// ImageReviewSpec is a description of the pod creation request.
+type ImageReviewSpec struct {
+	// Containers is a list of a subset of the information in each container of the Pod being created.
+	// +optional
+	// +listType=atomic
+	Containers []ImageReviewContainerSpec `json:"containers,omitempty" protobuf:"bytes,1,rep,name=containers"`
+	// Annotations is a list of key-value pairs extracted from the Pod's annotations.
+	// It only includes keys which match the pattern `*.image-policy.k8s.io/*`.
+	// It is up to each webhook backend to determine how to interpret these annotations, if at all.
+	// +optional
+	Annotations map[string]string `json:"annotations,omitempty" protobuf:"bytes,2,rep,name=annotations"`
+	// Namespace is the namespace the pod is being created in.
+	// +optional
+	Namespace string `json:"namespace,omitempty" protobuf:"bytes,3,opt,name=namespace"`
+}
+
+// ImageReviewContainerSpec is a description of a container within the pod creation request.
+type ImageReviewContainerSpec struct {
+	// This can be in the form image:tag or image@SHA:012345679abcdef.
+	// +optional
+	Image string `json:"image,omitempty" protobuf:"bytes,1,opt,name=image"`
+	// In future, we may add command line overrides, exec health check command lines, and so on.
+}
+
+// ImageReviewStatus is the result of the review for the pod creation request.
+type ImageReviewStatus struct {
+	// Allowed indicates that all images were allowed to be run.
+	Allowed bool `json:"allowed" protobuf:"varint,1,opt,name=allowed"`
+	// Reason should be empty unless Allowed is false in which case it
+	// may contain a short description of what is wrong.  Kubernetes
+	// may truncate excessively long errors when displaying to the user.
+	// +optional
+	Reason string `json:"reason,omitempty" protobuf:"bytes,2,opt,name=reason"`
+	// AuditAnnotations will be added to the attributes object of the
+	// admission controller request using 'AddAnnotation'.  The keys should
+	// be prefix-less (i.e., the admission controller will add an
+	// appropriate prefix).
+	// +optional
+	AuditAnnotations map[string]string `json:"auditAnnotations,omitempty" protobuf:"bytes,3,rep,name=auditAnnotations"`
+}
@@ -0,0 +1,72 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+// This file contains a collection of methods that can be used from go-restful to
+// generate Swagger API documentation for its models. Please read this PR for more
+// information on the implementation: https://github.com/emicklei/go-restful/pull/215
+//
+// TODOs are ignored from the parser (e.g. TODO(andronat):... || TODO:...) if and only if
+// they are on one line! For multiple line or blocks that you want to ignore use ---.
+// Any context after a --- is ignored.
+//
+// Those methods can be generated by using hack/update-codegen.sh
+
+// AUTO-GENERATED FUNCTIONS START HERE. DO NOT EDIT.
+var map_ImageReview = map[string]string{
+	"":         "ImageReview checks if the set of images in a pod are allowed.",
+	"metadata": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+	"spec":     "Spec holds information about the pod being evaluated",
+	"status":   "Status is filled in by the backend and indicates whether the pod should be allowed.",
+}
+
+func (ImageReview) SwaggerDoc() map[string]string {
+	return map_ImageReview
+}
+
+var map_ImageReviewContainerSpec = map[string]string{
+	"":      "ImageReviewContainerSpec is a description of a container within the pod creation request.",
+	"image": "This can be in the form image:tag or image@SHA:012345679abcdef.",
+}
+
+func (ImageReviewContainerSpec) SwaggerDoc() map[string]string {
+	return map_ImageReviewContainerSpec
+}
+
+var map_ImageReviewSpec = map[string]string{
+	"":            "ImageReviewSpec is a description of the pod creation request.",
+	"containers":  "Containers is a list of a subset of the information in each container of the Pod being created.",
+	"annotations": "Annotations is a list of key-value pairs extracted from the Pod's annotations. It only includes keys which match the pattern `*.image-policy.k8s.io/*`. It is up to each webhook backend to determine how to interpret these annotations, if at all.",
+	"namespace":   "Namespace is the namespace the pod is being created in.",
+}
+
+func (ImageReviewSpec) SwaggerDoc() map[string]string {
+	return map_ImageReviewSpec
+}
+
+var map_ImageReviewStatus = map[string]string{
+	"":                 "ImageReviewStatus is the result of the review for the pod creation request.",
+	"allowed":          "Allowed indicates that all images were allowed to be run.",
+	"reason":           "Reason should be empty unless Allowed is false in which case it may contain a short description of what is wrong.  Kubernetes may truncate excessively long errors when displaying to the user.",
+	"auditAnnotations": "AuditAnnotations will be added to the attributes object of the admission controller request using 'AddAnnotation'.  The keys should be prefix-less (i.e., the admission controller will add an appropriate prefix).",
+}
+
+func (ImageReviewStatus) SwaggerDoc() map[string]string {
+	return map_ImageReviewStatus
+}
+
+// AUTO-GENERATED FUNCTIONS END HERE
@@ -0,0 +1,121 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by deepcopy-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImageReview) DeepCopyInto(out *ImageReview) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageReview.
+func (in *ImageReview) DeepCopy() *ImageReview {
+	if in == nil {
+		return nil
+	}
+	out := new(ImageReview)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ImageReview) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImageReviewContainerSpec) DeepCopyInto(out *ImageReviewContainerSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageReviewContainerSpec.
+func (in *ImageReviewContainerSpec) DeepCopy() *ImageReviewContainerSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ImageReviewContainerSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImageReviewSpec) DeepCopyInto(out *ImageReviewSpec) {
+	*out = *in
+	if in.Containers != nil {
+		in, out := &in.Containers, &out.Containers
+		*out = make([]ImageReviewContainerSpec, len(*in))
+		copy(*out, *in)
+	}
+	if in.Annotations != nil {
+		in, out := &in.Annotations, &out.Annotations
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageReviewSpec.
+func (in *ImageReviewSpec) DeepCopy() *ImageReviewSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ImageReviewSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImageReviewStatus) DeepCopyInto(out *ImageReviewStatus) {
+	*out = *in
+	if in.AuditAnnotations != nil {
+		in, out := &in.AuditAnnotations, &out.AuditAnnotations
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageReviewStatus.
+func (in *ImageReviewStatus) DeepCopy() *ImageReviewStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(ImageReviewStatus)
+	in.DeepCopyInto(out)
+	return out
+}
@@ -0,0 +1,42 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1alpha1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ImageReview) OpenAPIModelName() string {
+	return "io.k8s.api.imagepolicy.v1alpha1.ImageReview"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ImageReviewContainerSpec) OpenAPIModelName() string {
+	return "io.k8s.api.imagepolicy.v1alpha1.ImageReviewContainerSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ImageReviewSpec) OpenAPIModelName() string {
+	return "io.k8s.api.imagepolicy.v1alpha1.ImageReviewSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ImageReviewStatus) OpenAPIModelName() string {
+	return "io.k8s.api.imagepolicy.v1alpha1.ImageReviewStatus"
+}
@@ -0,0 +1,38 @@
+/*
+Copyright 2023 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package internalversion
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// SetListOptionsDefaults sets defaults on the provided ListOptions if applicable.
+//
+// TODO(#115478): once the watch-list fg is always on we register this function in the scheme (via AddTypeDefaultingFunc).
+// TODO(#115478): when the function is registered in the scheme remove all callers of this method.
+func SetListOptionsDefaults(obj *ListOptions, isWatchListFeatureEnabled bool) {
+	if !isWatchListFeatureEnabled {
+		return
+	}
+	if obj.SendInitialEvents != nil || len(obj.ResourceVersionMatch) != 0 {
+		return
+	}
+	legacy := obj.ResourceVersion == "" || obj.ResourceVersion == "0"
+	if obj.Watch && legacy {
+		turnOnInitialEvents := true
+		obj.SendInitialEvents = &turnOnInitialEvents
+		obj.ResourceVersionMatch = metav1.ResourceVersionMatchNotOlderThan
+	}
+}
@@ -0,0 +1,20 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// +k8s:deepcopy-gen=package
+// +k8s:conversion-gen=k8s.io/apimachinery/pkg/apis/meta/v1
+
+package internalversion
@@ -0,0 +1,88 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package internalversion
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	metav1beta1 "k8s.io/apimachinery/pkg/apis/meta/v1beta1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+// GroupName is the group name for this API.
+const GroupName = "meta.k8s.io"
+
+var (
+	// TODO: move SchemeBuilder with zz_generated.deepcopy.go to k8s.io/api.
+	// localSchemeBuilder and AddToScheme will stay in k8s.io/kubernetes.
+	SchemeBuilder      runtime.SchemeBuilder
+	localSchemeBuilder = &SchemeBuilder
+	AddToScheme        = localSchemeBuilder.AddToScheme
+)
+
+// SchemeGroupVersion is group version used to register these objects
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: runtime.APIVersionInternal}
+
+// Kind takes an unqualified kind and returns a Group qualified GroupKind
+func Kind(kind string) schema.GroupKind {
+	return SchemeGroupVersion.WithKind(kind).GroupKind()
+}
+
+// addToGroupVersion registers common meta types into schemas.
+func addToGroupVersion(scheme *runtime.Scheme) error {
+	if err := scheme.AddIgnoredConversionType(&metav1.TypeMeta{}, &metav1.TypeMeta{}); err != nil {
+		return err
+	}
+	// ListOptions is the only options struct which needs conversion (it exposes labels and fields
+	// as selectors for convenience). The other types have only a single representation today.
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&ListOptions{},
+		&metav1.GetOptions{},
+		&metav1.DeleteOptions{},
+		&metav1.CreateOptions{},
+		&metav1.UpdateOptions{},
+	)
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&metav1.Table{},
+		&metav1.TableOptions{},
+		&metav1beta1.PartialObjectMetadata{},
+		&metav1beta1.PartialObjectMetadataList{},
+	)
+	if err := metav1beta1.AddMetaToScheme(scheme); err != nil {
+		return err
+	}
+	if err := metav1.AddMetaToScheme(scheme); err != nil {
+		return err
+	}
+	// Allow delete options to be decoded across all version in this scheme (we may want to be more clever than this)
+	scheme.AddUnversionedTypes(SchemeGroupVersion,
+		&metav1.DeleteOptions{},
+		&metav1.CreateOptions{},
+		&metav1.UpdateOptions{})
+
+	metav1.AddToGroupVersion(scheme, metav1.SchemeGroupVersion)
+	if err := metav1beta1.RegisterConversions(scheme); err != nil {
+		return err
+	}
+	return nil
+}
+
+// Unlike other API groups, meta internal knows about all meta external versions, but keeps
+// the logic for conversion private.
+func init() {
+	localSchemeBuilder.Register(addToGroupVersion)
+}
@@ -0,0 +1,17 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package scheme
@@ -0,0 +1,39 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package scheme
+
+import (
+	"k8s.io/apimachinery/pkg/apis/meta/internalversion"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/serializer"
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+)
+
+// Scheme is the registry for any type that adheres to the meta API spec.
+var Scheme = runtime.NewScheme()
+
+// Codecs provides access to encoding and decoding for the scheme.
+var Codecs = serializer.NewCodecFactory(Scheme)
+
+// ParameterCodec handles versioning of objects that are converted to query parameters.
+var ParameterCodec = runtime.NewParameterCodec(Scheme)
+
+// Unlike other API groups, meta internal knows about all meta external versions, but keeps
+// the logic for conversion private.
+func init() {
+	utilruntime.Must(internalversion.AddToScheme(Scheme))
+}
@@ -0,0 +1,103 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package internalversion
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/fields"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// ListOptions is the query options to a standard REST list call.
+type ListOptions struct {
+	metav1.TypeMeta
+
+	// A selector based on labels
+	LabelSelector labels.Selector
+	// A selector based on fields
+	FieldSelector fields.Selector
+	// If true, watch for changes to this list
+	Watch bool
+	// allowWatchBookmarks requests watch events with type "BOOKMARK".
+	// Servers that do not implement bookmarks may ignore this flag and
+	// bookmarks are sent at the server's discretion. Clients should not
+	// assume bookmarks are returned at any specific interval, nor may they
+	// assume the server will send any BOOKMARK event during a session.
+	// If this is not a watch, this field is ignored.
+	AllowWatchBookmarks bool
+	// resourceVersion sets a constraint on what resource versions a request may be served from.
+	// See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for
+	// details.
+	ResourceVersion string
+	// resourceVersionMatch determines how resourceVersion is applied to list calls.
+	// It is highly recommended that resourceVersionMatch be set for list calls where
+	// resourceVersion is set.
+	// See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for
+	// details.
+	ResourceVersionMatch metav1.ResourceVersionMatch
+
+	// Timeout for the list/watch call.
+	TimeoutSeconds *int64
+	// Limit specifies the maximum number of results to return from the server. The server may
+	// not support this field on all resource types, but if it does and more results remain it
+	// will set the continue field on the returned list object.
+	Limit int64
+	// Continue is a token returned by the server that lets a client retrieve chunks of results
+	// from the server by specifying limit. The server may reject requests for continuation tokens
+	// it does not recognize and will return a 410 error if the token can no longer be used because
+	// it has expired.
+	Continue string
+
+	// `sendInitialEvents=true` may be set together with `watch=true`.
+	// In that case, the watch stream will begin with synthetic events to
+	// produce the current state of objects in the collection. Once all such
+	// events have been sent, a synthetic "Bookmark" event  will be sent.
+	// The bookmark will report the ResourceVersion (RV) corresponding to the
+	// set of objects, and be marked with `"k8s.io/initial-events-end": "true"` annotation.
+	// Afterwards, the watch stream will proceed as usual, sending watch events
+	// corresponding to changes (subsequent to the RV) to objects watched.
+	//
+	// When `sendInitialEvents` option is set, we require `resourceVersionMatch`
+	// option to also be set. The semantic of the watch request is as following:
+	// - `resourceVersionMatch` = NotOlderThan
+	//   is interpreted as "data at least as new as the provided `resourceVersion`"
+	//   and the bookmark event is send when the state is synced
+	//   to a `resourceVersion` at least as fresh as the one provided by the ListOptions.
+	//   If `resourceVersion` is unset, this is interpreted as "consistent read" and the
+	//   bookmark event is send when the state is synced at least to the moment
+	//   when request started being processed.
+	// - `resourceVersionMatch` set to any other value or unset
+	//   Invalid error is returned.
+	//
+	// Defaults to true if `resourceVersion=""` or `resourceVersion="0"` (for backward
+	// compatibility reasons) and to false otherwise.
+	SendInitialEvents *bool
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// List holds a list of objects, which may not be known by the server.
+type List struct {
+	metav1.TypeMeta
+	// +optional
+	metav1.ListMeta
+
+	Items []runtime.Object
+}
@@ -0,0 +1,76 @@
+/*
+Copyright 2020 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package validation
+
+import (
+	"fmt"
+
+	"k8s.io/apimachinery/pkg/apis/meta/internalversion"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/validation/field"
+)
+
+// ValidateListOptions returns all validation errors found while validating the ListOptions.
+func ValidateListOptions(options *internalversion.ListOptions, isWatchListFeatureEnabled bool) field.ErrorList {
+	if options.Watch {
+		return validateWatchOptions(options, isWatchListFeatureEnabled)
+	}
+	allErrs := field.ErrorList{}
+	if match := options.ResourceVersionMatch; len(match) > 0 {
+		if len(options.ResourceVersion) == 0 {
+			allErrs = append(allErrs, field.Forbidden(field.NewPath("resourceVersionMatch"), "resourceVersionMatch is forbidden unless resourceVersion is provided"))
+		}
+		if len(options.Continue) > 0 {
+			allErrs = append(allErrs, field.Forbidden(field.NewPath("resourceVersionMatch"), "resourceVersionMatch is forbidden when continue is provided"))
+		}
+		if match != metav1.ResourceVersionMatchExact && match != metav1.ResourceVersionMatchNotOlderThan {
+			allErrs = append(allErrs, field.NotSupported(field.NewPath("resourceVersionMatch"), match, []string{string(metav1.ResourceVersionMatchExact), string(metav1.ResourceVersionMatchNotOlderThan), ""}))
+		}
+		if match == metav1.ResourceVersionMatchExact && options.ResourceVersion == "0" {
+			allErrs = append(allErrs, field.Forbidden(field.NewPath("resourceVersionMatch"), "resourceVersionMatch \"exact\" is forbidden for resourceVersion \"0\""))
+		}
+	}
+	if options.SendInitialEvents != nil {
+		allErrs = append(allErrs, field.Forbidden(field.NewPath("sendInitialEvents"), "sendInitialEvents is forbidden for list"))
+	}
+	return allErrs
+}
+
+func validateWatchOptions(options *internalversion.ListOptions, isWatchListFeatureEnabled bool) field.ErrorList {
+	allErrs := field.ErrorList{}
+	match := options.ResourceVersionMatch
+	if options.SendInitialEvents != nil {
+		if match != metav1.ResourceVersionMatchNotOlderThan {
+			allErrs = append(allErrs, field.Forbidden(field.NewPath("resourceVersionMatch"), fmt.Sprintf("sendInitialEvents requires setting resourceVersionMatch to %s", metav1.ResourceVersionMatchNotOlderThan)))
+		}
+		if !isWatchListFeatureEnabled {
+			allErrs = append(allErrs, field.Forbidden(field.NewPath("sendInitialEvents"), "sendInitialEvents is forbidden for watch unless the WatchList feature gate is enabled"))
+		}
+	}
+	if len(match) > 0 {
+		if options.SendInitialEvents == nil {
+			allErrs = append(allErrs, field.Forbidden(field.NewPath("resourceVersionMatch"), "resourceVersionMatch is forbidden for watch unless sendInitialEvents is provided"))
+		}
+		if match != metav1.ResourceVersionMatchNotOlderThan {
+			allErrs = append(allErrs, field.NotSupported(field.NewPath("resourceVersionMatch"), match, []string{string(metav1.ResourceVersionMatchNotOlderThan)}))
+		}
+		if len(options.Continue) > 0 {
+			allErrs = append(allErrs, field.Forbidden(field.NewPath("resourceVersionMatch"), "resourceVersionMatch is forbidden when continue is provided"))
+		}
+	}
+	return allErrs
+}
@@ -0,0 +1,148 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by conversion-gen. DO NOT EDIT.
+
+package internalversion
+
+import (
+	unsafe "unsafe"
+
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	conversion "k8s.io/apimachinery/pkg/conversion"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+func init() {
+	localSchemeBuilder.Register(RegisterConversions)
+}
+
+// RegisterConversions adds conversion functions to the given scheme.
+// Public to allow building arbitrary schemes.
+func RegisterConversions(s *runtime.Scheme) error {
+	if err := s.AddGeneratedConversionFunc((*List)(nil), (*v1.List)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_internalversion_List_To_v1_List(a.(*List), b.(*v1.List), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*v1.List)(nil), (*List)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1_List_To_internalversion_List(a.(*v1.List), b.(*List), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*ListOptions)(nil), (*v1.ListOptions)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_internalversion_ListOptions_To_v1_ListOptions(a.(*ListOptions), b.(*v1.ListOptions), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*v1.ListOptions)(nil), (*ListOptions)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1_ListOptions_To_internalversion_ListOptions(a.(*v1.ListOptions), b.(*ListOptions), scope)
+	}); err != nil {
+		return err
+	}
+	return nil
+}
+
+func autoConvert_internalversion_List_To_v1_List(in *List, out *v1.List, s conversion.Scope) error {
+	out.ListMeta = in.ListMeta
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]runtime.RawExtension, len(*in))
+		for i := range *in {
+			if err := runtime.Convert_runtime_Object_To_runtime_RawExtension(&(*in)[i], &(*out)[i], s); err != nil {
+				return err
+			}
+		}
+	} else {
+		out.Items = nil
+	}
+	return nil
+}
+
+// Convert_internalversion_List_To_v1_List is an autogenerated conversion function.
+func Convert_internalversion_List_To_v1_List(in *List, out *v1.List, s conversion.Scope) error {
+	return autoConvert_internalversion_List_To_v1_List(in, out, s)
+}
+
+func autoConvert_v1_List_To_internalversion_List(in *v1.List, out *List, s conversion.Scope) error {
+	out.ListMeta = in.ListMeta
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]runtime.Object, len(*in))
+		for i := range *in {
+			if err := runtime.Convert_runtime_RawExtension_To_runtime_Object(&(*in)[i], &(*out)[i], s); err != nil {
+				return err
+			}
+		}
+	} else {
+		out.Items = nil
+	}
+	return nil
+}
+
+// Convert_v1_List_To_internalversion_List is an autogenerated conversion function.
+func Convert_v1_List_To_internalversion_List(in *v1.List, out *List, s conversion.Scope) error {
+	return autoConvert_v1_List_To_internalversion_List(in, out, s)
+}
+
+func autoConvert_internalversion_ListOptions_To_v1_ListOptions(in *ListOptions, out *v1.ListOptions, s conversion.Scope) error {
+	if err := v1.Convert_labels_Selector_To_string(&in.LabelSelector, &out.LabelSelector, s); err != nil {
+		return err
+	}
+	if err := v1.Convert_fields_Selector_To_string(&in.FieldSelector, &out.FieldSelector, s); err != nil {
+		return err
+	}
+	out.Watch = in.Watch
+	out.AllowWatchBookmarks = in.AllowWatchBookmarks
+	out.ResourceVersion = in.ResourceVersion
+	out.ResourceVersionMatch = v1.ResourceVersionMatch(in.ResourceVersionMatch)
+	out.TimeoutSeconds = (*int64)(unsafe.Pointer(in.TimeoutSeconds))
+	out.Limit = in.Limit
+	out.Continue = in.Continue
+	out.SendInitialEvents = (*bool)(unsafe.Pointer(in.SendInitialEvents))
+	return nil
+}
+
+// Convert_internalversion_ListOptions_To_v1_ListOptions is an autogenerated conversion function.
+func Convert_internalversion_ListOptions_To_v1_ListOptions(in *ListOptions, out *v1.ListOptions, s conversion.Scope) error {
+	return autoConvert_internalversion_ListOptions_To_v1_ListOptions(in, out, s)
+}
+
+func autoConvert_v1_ListOptions_To_internalversion_ListOptions(in *v1.ListOptions, out *ListOptions, s conversion.Scope) error {
+	if err := v1.Convert_string_To_labels_Selector(&in.LabelSelector, &out.LabelSelector, s); err != nil {
+		return err
+	}
+	if err := v1.Convert_string_To_fields_Selector(&in.FieldSelector, &out.FieldSelector, s); err != nil {
+		return err
+	}
+	out.Watch = in.Watch
+	out.AllowWatchBookmarks = in.AllowWatchBookmarks
+	out.ResourceVersion = in.ResourceVersion
+	out.ResourceVersionMatch = v1.ResourceVersionMatch(in.ResourceVersionMatch)
+	out.TimeoutSeconds = (*int64)(unsafe.Pointer(in.TimeoutSeconds))
+	out.Limit = in.Limit
+	out.Continue = in.Continue
+	out.SendInitialEvents = (*bool)(unsafe.Pointer(in.SendInitialEvents))
+	return nil
+}
+
+// Convert_v1_ListOptions_To_internalversion_ListOptions is an autogenerated conversion function.
+func Convert_v1_ListOptions_To_internalversion_ListOptions(in *v1.ListOptions, out *ListOptions, s conversion.Scope) error {
+	return autoConvert_v1_ListOptions_To_internalversion_ListOptions(in, out, s)
+}
@@ -0,0 +1,102 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by deepcopy-gen. DO NOT EDIT.
+
+package internalversion
+
+import (
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *List) DeepCopyInto(out *List) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]runtime.Object, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				(*out)[i] = (*in)[i].DeepCopyObject()
+			}
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new List.
+func (in *List) DeepCopy() *List {
+	if in == nil {
+		return nil
+	}
+	out := new(List)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *List) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ListOptions) DeepCopyInto(out *ListOptions) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	if in.LabelSelector != nil {
+		out.LabelSelector = in.LabelSelector.DeepCopySelector()
+	}
+	if in.FieldSelector != nil {
+		out.FieldSelector = in.FieldSelector.DeepCopySelector()
+	}
+	if in.TimeoutSeconds != nil {
+		in, out := &in.TimeoutSeconds, &out.TimeoutSeconds
+		*out = new(int64)
+		**out = **in
+	}
+	if in.SendInitialEvents != nil {
+		in, out := &in.SendInitialEvents, &out.SendInitialEvents
+		*out = new(bool)
+		**out = **in
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ListOptions.
+func (in *ListOptions) DeepCopy() *ListOptions {
+	if in == nil {
+		return nil
+	}
+	out := new(ListOptions)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ListOptions) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
@@ -0,0 +1,129 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package unstructuredscheme
+
+import (
+	"fmt"
+
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/runtime/serializer/json"
+	"k8s.io/apimachinery/pkg/runtime/serializer/versioning"
+)
+
+var scheme = runtime.NewScheme()
+
+// NewUnstructuredNegotiatedSerializer returns a simple, negotiated serializer
+func NewUnstructuredNegotiatedSerializer() runtime.NegotiatedSerializer {
+	return unstructuredNegotiatedSerializer{
+		scheme:  scheme,
+		typer:   NewUnstructuredObjectTyper(),
+		creator: NewUnstructuredCreator(),
+	}
+}
+
+type unstructuredNegotiatedSerializer struct {
+	scheme  *runtime.Scheme
+	typer   runtime.ObjectTyper
+	creator runtime.ObjectCreater
+}
+
+func (s unstructuredNegotiatedSerializer) SupportedMediaTypes() []runtime.SerializerInfo {
+	return []runtime.SerializerInfo{
+		{
+			MediaType:        "application/json",
+			MediaTypeType:    "application",
+			MediaTypeSubType: "json",
+			EncodesAsText:    true,
+			Serializer:       json.NewSerializerWithOptions(json.DefaultMetaFactory, s.creator, s.typer, json.SerializerOptions{}),
+			PrettySerializer: json.NewSerializerWithOptions(json.DefaultMetaFactory, s.creator, s.typer, json.SerializerOptions{Pretty: true}),
+			StreamSerializer: &runtime.StreamSerializerInfo{
+				EncodesAsText: true,
+				Serializer:    json.NewSerializerWithOptions(json.DefaultMetaFactory, s.creator, s.typer, json.SerializerOptions{}),
+				Framer:        json.Framer,
+			},
+		},
+		{
+			MediaType:        "application/yaml",
+			MediaTypeType:    "application",
+			MediaTypeSubType: "yaml",
+			EncodesAsText:    true,
+			Serializer:       json.NewSerializerWithOptions(json.DefaultMetaFactory, s.creator, s.typer, json.SerializerOptions{Yaml: true}),
+		},
+	}
+}
+
+func (s unstructuredNegotiatedSerializer) EncoderForVersion(encoder runtime.Encoder, gv runtime.GroupVersioner) runtime.Encoder {
+	return versioning.NewDefaultingCodecForScheme(s.scheme, encoder, nil, gv, nil)
+}
+
+func (s unstructuredNegotiatedSerializer) DecoderToVersion(decoder runtime.Decoder, gv runtime.GroupVersioner) runtime.Decoder {
+	return versioning.NewDefaultingCodecForScheme(s.scheme, nil, decoder, nil, gv)
+}
+
+type unstructuredObjectTyper struct {
+}
+
+// NewUnstructuredObjectTyper returns an object typer that can deal with unstructured things
+func NewUnstructuredObjectTyper() runtime.ObjectTyper {
+	return unstructuredObjectTyper{}
+}
+
+func (t unstructuredObjectTyper) ObjectKinds(obj runtime.Object) ([]schema.GroupVersionKind, bool, error) {
+	// Delegate for things other than Unstructured.
+	if _, ok := obj.(runtime.Unstructured); !ok {
+		return nil, false, fmt.Errorf("cannot type %T", obj)
+	}
+	gvk := obj.GetObjectKind().GroupVersionKind()
+	if len(gvk.Kind) == 0 {
+		return nil, false, runtime.NewMissingKindErr("object has no kind field ")
+	}
+	if len(gvk.Version) == 0 {
+		return nil, false, runtime.NewMissingVersionErr("object has no apiVersion field")
+	}
+
+	return []schema.GroupVersionKind{obj.GetObjectKind().GroupVersionKind()}, false, nil
+}
+
+func (t unstructuredObjectTyper) Recognizes(gvk schema.GroupVersionKind) bool {
+	return true
+}
+
+type unstructuredCreator struct{}
+
+// NewUnstructuredCreator returns a simple object creator that always returns an unstructured
+func NewUnstructuredCreator() runtime.ObjectCreater {
+	return unstructuredCreator{}
+}
+
+func (c unstructuredCreator) New(kind schema.GroupVersionKind) (runtime.Object, error) {
+	ret := &unstructured.Unstructured{}
+	ret.SetGroupVersionKind(kind)
+	return ret, nil
+}
+
+type unstructuredDefaulter struct {
+}
+
+// NewUnstructuredDefaulter returns defaulter suitable for unstructured types that doesn't default anything
+func NewUnstructuredDefaulter() runtime.ObjectDefaulter {
+	return unstructuredDefaulter{}
+}
+
+func (d unstructuredDefaulter) Default(in runtime.Object) {
+}
@@ -0,0 +1,46 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	"unsafe"
+
+	"k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/conversion"
+)
+
+// Convert_Slice_string_To_v1beta1_IncludeObjectPolicy allows converting a URL query parameter value
+func Convert_Slice_string_To_v1beta1_IncludeObjectPolicy(in *[]string, out *IncludeObjectPolicy, s conversion.Scope) error {
+	if len(*in) > 0 {
+		*out = IncludeObjectPolicy((*in)[0])
+	}
+	return nil
+}
+
+// Convert_v1beta1_PartialObjectMetadataList_To_v1_PartialObjectMetadataList allows converting PartialObjectMetadataList between versions
+func Convert_v1beta1_PartialObjectMetadataList_To_v1_PartialObjectMetadataList(in *PartialObjectMetadataList, out *v1.PartialObjectMetadataList, s conversion.Scope) error {
+	out.ListMeta = in.ListMeta
+	out.Items = *(*[]v1.PartialObjectMetadata)(unsafe.Pointer(&in.Items))
+	return nil
+}
+
+// Convert_v1_PartialObjectMetadataList_To_v1beta1_PartialObjectMetadataList allows converting PartialObjectMetadataList between versions
+func Convert_v1_PartialObjectMetadataList_To_v1beta1_PartialObjectMetadataList(in *v1.PartialObjectMetadataList, out *PartialObjectMetadataList, s conversion.Scope) error {
+	out.ListMeta = in.ListMeta
+	out.Items = *(*[]v1.PartialObjectMetadata)(unsafe.Pointer(&in.Items))
+	return nil
+}
@@ -0,0 +1,17 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
@@ -0,0 +1,24 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// +k8s:deepcopy-gen=package
+// +k8s:openapi-gen=true
+// +k8s:defaulter-gen=TypeMeta
+// +k8s:openapi-model-package=io.k8s.apimachinery.pkg.apis.meta.v1beta1
+
+// +groupName=meta.k8s.io
+
+package v1beta1
@@ -0,0 +1,341 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by protoc-gen-gogo. DO NOT EDIT.
+// source: k8s.io/apimachinery/pkg/apis/meta/v1beta1/generated.proto
+
+package v1beta1
+
+import (
+	fmt "fmt"
+
+	io "io"
+
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	math_bits "math/bits"
+	reflect "reflect"
+	strings "strings"
+)
+
+func (m *PartialObjectMetadataList) Reset() { *m = PartialObjectMetadataList{} }
+
+func (m *PartialObjectMetadataList) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalToSizedBuffer(dAtA[:size])
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *PartialObjectMetadataList) MarshalTo(dAtA []byte) (int, error) {
+	size := m.Size()
+	return m.MarshalToSizedBuffer(dAtA[:size])
+}
+
+func (m *PartialObjectMetadataList) MarshalToSizedBuffer(dAtA []byte) (int, error) {
+	i := len(dAtA)
+	_ = i
+	var l int
+	_ = l
+	{
+		size, err := m.ListMeta.MarshalToSizedBuffer(dAtA[:i])
+		if err != nil {
+			return 0, err
+		}
+		i -= size
+		i = encodeVarintGenerated(dAtA, i, uint64(size))
+	}
+	i--
+	dAtA[i] = 0x12
+	if len(m.Items) > 0 {
+		for iNdEx := len(m.Items) - 1; iNdEx >= 0; iNdEx-- {
+			{
+				size, err := m.Items[iNdEx].MarshalToSizedBuffer(dAtA[:i])
+				if err != nil {
+					return 0, err
+				}
+				i -= size
+				i = encodeVarintGenerated(dAtA, i, uint64(size))
+			}
+			i--
+			dAtA[i] = 0xa
+		}
+	}
+	return len(dAtA) - i, nil
+}
+
+func encodeVarintGenerated(dAtA []byte, offset int, v uint64) int {
+	offset -= sovGenerated(v)
+	base := offset
+	for v >= 1<<7 {
+		dAtA[offset] = uint8(v&0x7f | 0x80)
+		v >>= 7
+		offset++
+	}
+	dAtA[offset] = uint8(v)
+	return base
+}
+func (m *PartialObjectMetadataList) Size() (n int) {
+	if m == nil {
+		return 0
+	}
+	var l int
+	_ = l
+	if len(m.Items) > 0 {
+		for _, e := range m.Items {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	l = m.ListMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func sovGenerated(x uint64) (n int) {
+	return (math_bits.Len64(x|1) + 6) / 7
+}
+func sozGenerated(x uint64) (n int) {
+	return sovGenerated(uint64((x << 1) ^ uint64((int64(x) >> 63))))
+}
+func (this *PartialObjectMetadataList) String() string {
+	if this == nil {
+		return "nil"
+	}
+	repeatedStringForItems := "[]PartialObjectMetadata{"
+	for _, f := range this.Items {
+		repeatedStringForItems += fmt.Sprintf("%v", f) + ","
+	}
+	repeatedStringForItems += "}"
+	s := strings.Join([]string{`&PartialObjectMetadataList{`,
+		`Items:` + repeatedStringForItems + `,`,
+		`ListMeta:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.ListMeta), "ListMeta", "v1.ListMeta", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func valueToStringGenerated(v interface{}) string {
+	rv := reflect.ValueOf(v)
+	if rv.IsNil() {
+		return "nil"
+	}
+	pv := reflect.Indirect(rv).Interface()
+	return fmt.Sprintf("*%v", pv)
+}
+func (m *PartialObjectMetadataList) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= uint64(b&0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: PartialObjectMetadataList: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: PartialObjectMetadataList: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Items = append(m.Items, v1.PartialObjectMetadata{})
+			if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ListMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ListMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if (skippy < 0) || (iNdEx+skippy) < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func skipGenerated(dAtA []byte) (n int, err error) {
+	l := len(dAtA)
+	iNdEx := 0
+	depth := 0
+	for iNdEx < l {
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return 0, ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return 0, io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		wireType := int(wire & 0x7)
+		switch wireType {
+		case 0:
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				iNdEx++
+				if dAtA[iNdEx-1] < 0x80 {
+					break
+				}
+			}
+		case 1:
+			iNdEx += 8
+		case 2:
+			var length int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				length |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if length < 0 {
+				return 0, ErrInvalidLengthGenerated
+			}
+			iNdEx += length
+		case 3:
+			depth++
+		case 4:
+			if depth == 0 {
+				return 0, ErrUnexpectedEndOfGroupGenerated
+			}
+			depth--
+		case 5:
+			iNdEx += 4
+		default:
+			return 0, fmt.Errorf("proto: illegal wireType %d", wireType)
+		}
+		if iNdEx < 0 {
+			return 0, ErrInvalidLengthGenerated
+		}
+		if depth == 0 {
+			return iNdEx, nil
+		}
+	}
+	return 0, io.ErrUnexpectedEOF
+}
+
+var (
+	ErrInvalidLengthGenerated        = fmt.Errorf("proto: negative length found during unmarshaling")
+	ErrIntOverflowGenerated          = fmt.Errorf("proto: integer overflow")
+	ErrUnexpectedEndOfGroupGenerated = fmt.Errorf("proto: unexpected end of group")
+)
@@ -0,0 +1,41 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+
+// This file was autogenerated by go-to-protobuf. Do not edit it manually!
+
+syntax = "proto2";
+
+package k8s.io.apimachinery.pkg.apis.meta.v1beta1;
+
+import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
+import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
+
+// Package-wide variables from generator "generated".
+option go_package = "k8s.io/apimachinery/pkg/apis/meta/v1beta1";
+
+// PartialObjectMetadataList contains a list of objects containing only their metadata.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+message PartialObjectMetadataList {
+  // Standard list metadata.
+  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+  // +optional
+  optional .k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 2;
+
+  // items contains each of the included items.
+  repeated .k8s.io.apimachinery.pkg.apis.meta.v1.PartialObjectMetadata items = 1;
+}
+
@@ -0,0 +1,24 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v1beta1
+
+func (*PartialObjectMetadataList) ProtoMessage() {}
@@ -0,0 +1,62 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	"k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/conversion"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+// GroupName is the group name for this API.
+const GroupName = "meta.k8s.io"
+
+// SchemeGroupVersion is group version used to register these objects
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1beta1"}
+
+// Kind takes an unqualified kind and returns a Group qualified GroupKind
+func Kind(kind string) schema.GroupKind {
+	return SchemeGroupVersion.WithKind(kind).GroupKind()
+}
+
+// AddMetaToScheme registers base meta types into schemas.
+func AddMetaToScheme(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&Table{},
+		&TableOptions{},
+		&PartialObjectMetadata{},
+		&PartialObjectMetadataList{},
+	)
+
+	return nil
+}
+
+// RegisterConversions adds conversion functions to the given scheme.
+func RegisterConversions(s *runtime.Scheme) error {
+	if err := s.AddGeneratedConversionFunc((*PartialObjectMetadataList)(nil), (*v1.PartialObjectMetadataList)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1beta1_PartialObjectMetadataList_To_v1_PartialObjectMetadataList(a.(*PartialObjectMetadataList), b.(*v1.PartialObjectMetadataList), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*v1.PartialObjectMetadataList)(nil), (*PartialObjectMetadataList)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1_PartialObjectMetadataList_To_v1beta1_PartialObjectMetadataList(a.(*v1.PartialObjectMetadataList), b.(*PartialObjectMetadataList), scope)
+	}); err != nil {
+		return err
+	}
+	return nil
+}
@@ -0,0 +1,85 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// package v1beta1 is alpha objects from meta that will be introduced.
+package v1beta1
+
+import (
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// Table is a tabular representation of a set of API resources. The server transforms the
+// object into a set of preferred columns for quickly reviewing the objects.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +protobuf=false
+type Table = v1.Table
+
+// TableColumnDefinition contains information about a column returned in the Table.
+// +protobuf=false
+type TableColumnDefinition = v1.TableColumnDefinition
+
+// TableRow is an individual row in a table.
+// +protobuf=false
+type TableRow = v1.TableRow
+
+// TableRowCondition allows a row to be marked with additional information.
+// +protobuf=false
+type TableRowCondition = v1.TableRowCondition
+
+type RowConditionType = v1.RowConditionType
+
+type ConditionStatus = v1.ConditionStatus
+
+type IncludeObjectPolicy = v1.IncludeObjectPolicy
+
+// TableOptions are used when a Table is requested by the caller.
+// +k8s:conversion-gen:explicit-from=net/url.Values
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type TableOptions = v1.TableOptions
+
+// PartialObjectMetadata is a generic representation of any object with ObjectMeta. It allows clients
+// to get access to a particular ObjectMeta schema without knowing the details of the version.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type PartialObjectMetadata = v1.PartialObjectMetadata
+
+// IMPORTANT: PartialObjectMetadataList has different protobuf field ids in v1beta1 than
+// v1 because ListMeta was accidentally omitted prior to 1.15. Therefore this type must
+// remain independent of v1.PartialObjectMetadataList to preserve mappings.
+
+// PartialObjectMetadataList contains a list of objects containing only their metadata.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type PartialObjectMetadataList struct {
+	v1.TypeMeta `json:",inline"`
+	// Standard list metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	// +optional
+	v1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,2,opt,name=metadata"`
+
+	// items contains each of the included items.
+	Items []v1.PartialObjectMetadata `json:"items" protobuf:"bytes,1,rep,name=items"`
+}
+
+const (
+	RowCompleted = v1.RowCompleted
+
+	ConditionTrue    = v1.ConditionTrue
+	ConditionFalse   = v1.ConditionFalse
+	ConditionUnknown = v1.ConditionUnknown
+
+	IncludeNone     = v1.IncludeNone
+	IncludeMetadata = v1.IncludeMetadata
+	IncludeObject   = v1.IncludeObject
+)
@@ -0,0 +1,40 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+// This file contains a collection of methods that can be used from go-restful to
+// generate Swagger API documentation for its models. Please read this PR for more
+// information on the implementation: https://github.com/emicklei/go-restful/pull/215
+//
+// TODOs are ignored from the parser (e.g. TODO(andronat):... || TODO:...) if and only if
+// they are on one line! For multiple line or blocks that you want to ignore use ---.
+// Any context after a --- is ignored.
+//
+// Those methods can be generated by using hack/update-codegen.sh
+
+// AUTO-GENERATED FUNCTIONS START HERE. DO NOT EDIT.
+var map_PartialObjectMetadataList = map[string]string{
+	"":         "PartialObjectMetadataList contains a list of objects containing only their metadata.",
+	"metadata": "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+	"items":    "items contains each of the included items.",
+}
+
+func (PartialObjectMetadataList) SwaggerDoc() map[string]string {
+	return map_PartialObjectMetadataList
+}
+
+// AUTO-GENERATED FUNCTIONS END HERE
@@ -0,0 +1,60 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by deepcopy-gen. DO NOT EDIT.
+
+package v1beta1
+
+import (
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PartialObjectMetadataList) DeepCopyInto(out *PartialObjectMetadataList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]v1.PartialObjectMetadata, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PartialObjectMetadataList.
+func (in *PartialObjectMetadataList) DeepCopy() *PartialObjectMetadataList {
+	if in == nil {
+		return nil
+	}
+	out := new(PartialObjectMetadataList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *PartialObjectMetadataList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
@@ -0,0 +1,33 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by defaulter-gen. DO NOT EDIT.
+
+package v1beta1
+
+import (
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+// RegisterDefaults adds defaulters functions to the given scheme.
+// Public to allow building arbitrary schemes.
+// All generated defaulters are covering - they call all nested defaulters.
+func RegisterDefaults(scheme *runtime.Scheme) error {
+	return nil
+}
@@ -0,0 +1,27 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1beta1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PartialObjectMetadataList) OpenAPIModelName() string {
+	return "io.k8s.apimachinery.pkg.apis.meta.v1beta1.PartialObjectMetadataList"
+}
@@ -0,0 +1,202 @@
+/*
+Copyright 2019 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package cache
+
+import (
+	"container/heap"
+	"sync"
+	"time"
+
+	"k8s.io/utils/clock"
+)
+
+// NewExpiring returns an initialized expiring cache.
+func NewExpiring() *Expiring {
+	return NewExpiringWithClock(clock.RealClock{})
+}
+
+// NewExpiringWithClock is like NewExpiring but allows passing in a custom
+// clock for testing.
+func NewExpiringWithClock(clock clock.Clock) *Expiring {
+	return &Expiring{
+		clock: clock,
+		cache: make(map[interface{}]entry),
+	}
+}
+
+// Expiring is a map whose entries expire after a per-entry timeout.
+type Expiring struct {
+	// AllowExpiredGet causes the expiration check to be skipped on Get.
+	// It should only be used when a key always corresponds to the exact same value.
+	// Thus when this field is true, expired keys are considered valid
+	// until the next call to Set (which causes the GC to run).
+	// It may not be changed concurrently with calls to Get.
+	AllowExpiredGet bool
+
+	clock clock.Clock
+
+	// mu protects the below fields
+	mu sync.RWMutex
+	// cache is the internal map that backs the cache.
+	cache map[interface{}]entry
+	// generation is used as a cheap resource version for cache entries. Cleanups
+	// are scheduled with a key and generation. When the cleanup runs, it first
+	// compares its generation with the current generation of the entry. It
+	// deletes the entry iff the generation matches. This prevents cleanups
+	// scheduled for earlier versions of an entry from deleting later versions of
+	// an entry when Set() is called multiple times with the same key.
+	//
+	// The integer value of the generation of an entry is meaningless.
+	generation uint64
+
+	heap expiringHeap
+}
+
+type entry struct {
+	val        interface{}
+	expiry     time.Time
+	generation uint64
+}
+
+// Get looks up an entry in the cache.
+func (c *Expiring) Get(key interface{}) (val interface{}, ok bool) {
+	c.mu.RLock()
+	defer c.mu.RUnlock()
+	e, ok := c.cache[key]
+	if !ok {
+		return nil, false
+	}
+	if !c.AllowExpiredGet && !c.clock.Now().Before(e.expiry) {
+		return nil, false
+	}
+	return e.val, true
+}
+
+// Set sets a key/value/expiry entry in the map, overwriting any previous entry
+// with the same key. The entry expires at the given expiry time, but its TTL
+// may be lengthened or shortened by additional calls to Set(). Garbage
+// collection of expired entries occurs during calls to Set(), however calls to
+// Get() will not return expired entries that have not yet been garbage
+// collected.
+func (c *Expiring) Set(key interface{}, val interface{}, ttl time.Duration) {
+	now := c.clock.Now()
+	expiry := now.Add(ttl)
+
+	c.mu.Lock()
+	defer c.mu.Unlock()
+
+	c.generation++
+
+	c.cache[key] = entry{
+		val:        val,
+		expiry:     expiry,
+		generation: c.generation,
+	}
+
+	// Run GC inline before pushing the new entry.
+	c.gc(now)
+
+	heap.Push(&c.heap, &expiringHeapEntry{
+		key:        key,
+		expiry:     expiry,
+		generation: c.generation,
+	})
+}
+
+// Delete deletes an entry in the map.
+func (c *Expiring) Delete(key interface{}) {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	c.del(key, 0)
+}
+
+// del deletes the entry for the given key. The generation argument is the
+// generation of the entry that should be deleted. If the generation has been
+// changed (e.g. if a set has occurred on an existing element but the old
+// cleanup still runs), this is a noop. If the generation argument is 0, the
+// entry's generation is ignored and the entry is deleted.
+//
+// del must be called under the write lock.
+func (c *Expiring) del(key interface{}, generation uint64) {
+	e, ok := c.cache[key]
+	if !ok {
+		return
+	}
+	if generation != 0 && generation != e.generation {
+		return
+	}
+	delete(c.cache, key)
+}
+
+// Len returns the number of items in the cache.
+func (c *Expiring) Len() int {
+	c.mu.RLock()
+	defer c.mu.RUnlock()
+	return len(c.cache)
+}
+
+func (c *Expiring) gc(now time.Time) {
+	for {
+		// Return from gc if the heap is empty or the next element is not yet
+		// expired.
+		//
+		// heap[0] is a peek at the next element in the heap, which is not obvious
+		// from looking at the (*expiringHeap).Pop() implementation below.
+		// heap.Pop() swaps the first entry with the last entry of the heap, then
+		// calls (*expiringHeap).Pop() which returns the last element.
+		if len(c.heap) == 0 || now.Before(c.heap[0].expiry) {
+			return
+		}
+		cleanup := heap.Pop(&c.heap).(*expiringHeapEntry)
+		c.del(cleanup.key, cleanup.generation)
+	}
+}
+
+type expiringHeapEntry struct {
+	key        interface{}
+	expiry     time.Time
+	generation uint64
+}
+
+// expiringHeap is a min-heap ordered by expiration time of its entries. The
+// expiring cache uses this as a priority queue to efficiently organize entries
+// which will be garbage collected once they expire.
+type expiringHeap []*expiringHeapEntry
+
+var _ heap.Interface = &expiringHeap{}
+
+func (cq expiringHeap) Len() int {
+	return len(cq)
+}
+
+func (cq expiringHeap) Less(i, j int) bool {
+	return cq[i].expiry.Before(cq[j].expiry)
+}
+
+func (cq expiringHeap) Swap(i, j int) {
+	cq[i], cq[j] = cq[j], cq[i]
+}
+
+func (cq *expiringHeap) Push(c interface{}) {
+	*cq = append(*cq, c.(*expiringHeapEntry))
+}
+
+func (cq *expiringHeap) Pop() interface{} {
+	c := (*cq)[cq.Len()-1]
+	*cq = (*cq)[:cq.Len()-1]
+	return c
+}
@@ -0,0 +1,173 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package cache
+
+import (
+	"container/list"
+	"sync"
+	"time"
+)
+
+// Clock defines an interface for obtaining the current time
+type Clock interface {
+	Now() time.Time
+}
+
+// realClock implements the Clock interface by calling time.Now()
+type realClock struct{}
+
+func (realClock) Now() time.Time { return time.Now() }
+
+// LRUExpireCache is a cache that ensures the mostly recently accessed keys are returned with
+// a ttl beyond which keys are forcibly expired.
+type LRUExpireCache struct {
+	// clock is used to obtain the current time
+	clock Clock
+
+	lock sync.Mutex
+
+	maxSize      int
+	evictionList list.List
+	entries      map[interface{}]*list.Element
+}
+
+// NewLRUExpireCache creates an expiring cache with the given size
+func NewLRUExpireCache(maxSize int) *LRUExpireCache {
+	return NewLRUExpireCacheWithClock(maxSize, realClock{})
+}
+
+// NewLRUExpireCacheWithClock creates an expiring cache with the given size, using the specified clock to obtain the current time.
+func NewLRUExpireCacheWithClock(maxSize int, clock Clock) *LRUExpireCache {
+	if maxSize <= 0 {
+		panic("maxSize must be > 0")
+	}
+
+	return &LRUExpireCache{
+		clock:   clock,
+		maxSize: maxSize,
+		entries: map[interface{}]*list.Element{},
+	}
+}
+
+type cacheEntry struct {
+	key        interface{}
+	value      interface{}
+	expireTime time.Time
+}
+
+// Add adds the value to the cache at key with the specified maximum duration.
+func (c *LRUExpireCache) Add(key interface{}, value interface{}, ttl time.Duration) {
+	c.lock.Lock()
+	defer c.lock.Unlock()
+
+	// Key already exists
+	oldElement, ok := c.entries[key]
+	if ok {
+		c.evictionList.MoveToFront(oldElement)
+		oldElement.Value.(*cacheEntry).value = value
+		oldElement.Value.(*cacheEntry).expireTime = c.clock.Now().Add(ttl)
+		return
+	}
+
+	// Make space if necessary
+	if c.evictionList.Len() >= c.maxSize {
+		toEvict := c.evictionList.Back()
+		c.evictionList.Remove(toEvict)
+		delete(c.entries, toEvict.Value.(*cacheEntry).key)
+	}
+
+	// Add new entry
+	entry := &cacheEntry{
+		key:        key,
+		value:      value,
+		expireTime: c.clock.Now().Add(ttl),
+	}
+	element := c.evictionList.PushFront(entry)
+	c.entries[key] = element
+}
+
+// Get returns the value at the specified key from the cache if it exists and is not
+// expired, or returns false.
+func (c *LRUExpireCache) Get(key interface{}) (interface{}, bool) {
+	c.lock.Lock()
+	defer c.lock.Unlock()
+
+	element, ok := c.entries[key]
+	if !ok {
+		return nil, false
+	}
+
+	if c.clock.Now().After(element.Value.(*cacheEntry).expireTime) {
+		c.evictionList.Remove(element)
+		delete(c.entries, key)
+		return nil, false
+	}
+
+	c.evictionList.MoveToFront(element)
+
+	return element.Value.(*cacheEntry).value, true
+}
+
+// Remove removes the specified key from the cache if it exists
+func (c *LRUExpireCache) Remove(key interface{}) {
+	c.lock.Lock()
+	defer c.lock.Unlock()
+
+	element, ok := c.entries[key]
+	if !ok {
+		return
+	}
+
+	c.evictionList.Remove(element)
+	delete(c.entries, key)
+}
+
+// RemoveAll removes all keys that match predicate.
+func (c *LRUExpireCache) RemoveAll(predicate func(key any) bool) {
+	c.lock.Lock()
+	defer c.lock.Unlock()
+
+	for key, element := range c.entries {
+		if predicate(key) {
+			c.evictionList.Remove(element)
+			delete(c.entries, key)
+		}
+	}
+}
+
+// Keys returns all unexpired keys in the cache.
+//
+// Keep in mind that subsequent calls to Get() for any of the returned keys
+// might return "not found".
+//
+// Keys are returned ordered from least recently used to most recently used.
+func (c *LRUExpireCache) Keys() []interface{} {
+	c.lock.Lock()
+	defer c.lock.Unlock()
+
+	now := c.clock.Now()
+
+	val := make([]interface{}, 0, c.evictionList.Len())
+	for element := c.evictionList.Back(); element != nil; element = element.Prev() {
+		// Only return unexpired keys
+		if !now.After(element.Value.(*cacheEntry).expireTime) {
+			val = append(val, element.Value.(*cacheEntry).key)
+		}
+	}
+
+	return val
+}
@@ -0,0 +1,31 @@
+//go:build usegocmp
+// +build usegocmp
+
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package diff
+
+import (
+	"github.com/google/go-cmp/cmp" //nolint:depguard
+)
+
+// Diff returns a string representation of the difference between two objects.
+// When built with the usegocmp tag, it uses go-cmp/cmp to generate a diff
+// between the objects.
+func Diff(a, b any) string {
+	return cmp.Diff(a, b)
+}
@@ -0,0 +1,62 @@
+//go:build !usegocmp
+// +build !usegocmp
+
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package diff
+
+import (
+	"encoding/json"
+	"fmt"
+
+	"github.com/pmezard/go-difflib/difflib"
+
+	"k8s.io/apimachinery/pkg/util/dump"
+)
+
+// Diff returns a string representation of the difference between two objects.
+// When built without the usegocmp tag, it uses go-difflib/difflib to generate a
+// unified diff of the objects. It attempts to use JSON serialization first,
+// falling back to an object dump via the dump package if JSON marshaling fails.
+func Diff(a, b any) string {
+
+	aStr, aErr := toPrettyJSON(a)
+	bStr, bErr := toPrettyJSON(b)
+	if aErr != nil || bErr != nil {
+		aStr = dump.Pretty(a)
+		bStr = dump.Pretty(b)
+	}
+
+	diff := difflib.UnifiedDiff{
+		A:       difflib.SplitLines(aStr),
+		B:       difflib.SplitLines(bStr),
+		Context: 3,
+	}
+
+	diffstr, err := difflib.GetUnifiedDiffString(diff)
+	if err != nil {
+		return fmt.Sprintf("error generating diff: %v", err)
+	}
+
+	return diffstr
+}
+
+// toPrettyJSON converts an object to a pretty-printed JSON string.
+func toPrettyJSON(data any) (string, error) {
+	jsonData, err := json.MarshalIndent(data, "", " ")
+	return string(jsonData), err
+}
@@ -0,0 +1,67 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package diff
+
+import (
+	"bytes"
+	"fmt"
+	"strings"
+	"text/tabwriter"
+
+	"k8s.io/apimachinery/pkg/util/dump"
+)
+
+// ObjectGoPrintSideBySide prints a and b as textual dumps side by side,
+// enabling easy visual scanning for mismatches.
+func ObjectGoPrintSideBySide(a, b interface{}) string {
+	sA := dump.Pretty(a)
+	sB := dump.Pretty(b)
+
+	linesA := strings.Split(sA, "\n")
+	linesB := strings.Split(sB, "\n")
+	width := 0
+	for _, s := range linesA {
+		l := len(s)
+		if l > width {
+			width = l
+		}
+	}
+	for _, s := range linesB {
+		l := len(s)
+		if l > width {
+			width = l
+		}
+	}
+	buf := &bytes.Buffer{}
+	w := tabwriter.NewWriter(buf, width, 0, 1, ' ', 0)
+	max := len(linesA)
+	if len(linesB) > max {
+		max = len(linesB)
+	}
+	for i := 0; i < max; i++ {
+		var a, b string
+		if i < len(linesA) {
+			a = linesA[i]
+		}
+		if i < len(linesB) {
+			b = linesB[i]
+		}
+		_, _ = fmt.Fprintf(w, "%s\t%s\n", a, b)
+	}
+	_ = w.Flush()
+	return buf.String()
+}
@@ -0,0 +1,93 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package duration
+
+import (
+	"fmt"
+	"time"
+)
+
+// ShortHumanDuration returns a succinct representation of the provided duration
+// with limited precision for consumption by humans.
+func ShortHumanDuration(d time.Duration) string {
+	// Allow deviation no more than 2 seconds(excluded) to tolerate machine time
+	// inconsistence, it can be considered as almost now.
+	if seconds := int(d.Seconds()); seconds < -1 {
+		return "<invalid>"
+	} else if seconds < 0 {
+		return "0s"
+	} else if seconds < 60 {
+		return fmt.Sprintf("%ds", seconds)
+	} else if minutes := int(d.Minutes()); minutes < 60 {
+		return fmt.Sprintf("%dm", minutes)
+	} else if hours := int(d.Hours()); hours < 24 {
+		return fmt.Sprintf("%dh", hours)
+	} else if hours < 24*365 {
+		return fmt.Sprintf("%dd", hours/24)
+	}
+	return fmt.Sprintf("%dy", int(d.Hours()/24/365))
+}
+
+// HumanDuration returns a succinct representation of the provided duration
+// with limited precision for consumption by humans. It provides ~2-3 significant
+// figures of duration.
+func HumanDuration(d time.Duration) string {
+	// Allow deviation no more than 2 seconds(excluded) to tolerate machine time
+	// inconsistence, it can be considered as almost now.
+	if seconds := int(d.Seconds()); seconds < -1 {
+		return "<invalid>"
+	} else if seconds < 0 {
+		return "0s"
+	} else if seconds < 60*2 {
+		return fmt.Sprintf("%ds", seconds)
+	}
+	minutes := int(d / time.Minute)
+	if minutes < 10 {
+		s := int(d/time.Second) % 60
+		if s == 0 {
+			return fmt.Sprintf("%dm", minutes)
+		}
+		return fmt.Sprintf("%dm%ds", minutes, s)
+	} else if minutes < 60*3 {
+		return fmt.Sprintf("%dm", minutes)
+	}
+	hours := int(d / time.Hour)
+	if hours < 8 {
+		m := int(d/time.Minute) % 60
+		if m == 0 {
+			return fmt.Sprintf("%dh", hours)
+		}
+		return fmt.Sprintf("%dh%dm", hours, m)
+	} else if hours < 48 {
+		return fmt.Sprintf("%dh", hours)
+	} else if hours < 24*8 {
+		h := hours % 24
+		if h == 0 {
+			return fmt.Sprintf("%dd", hours/24)
+		}
+		return fmt.Sprintf("%dd%dh", hours/24, h)
+	} else if hours < 24*365*2 {
+		return fmt.Sprintf("%dd", hours/24)
+	} else if hours < 24*365*8 {
+		dy := int(hours/24) % 365
+		if dy == 0 {
+			return fmt.Sprintf("%dy", hours/24/365)
+		}
+		return fmt.Sprintf("%dy%dd", hours/24/365, dy)
+	}
+	return fmt.Sprintf("%dy", int(hours/24/365))
+}
@@ -0,0 +1,160 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package jsonmergepatch
+
+import (
+	"fmt"
+	"reflect"
+
+	"gopkg.in/evanphx/json-patch.v4"
+	"k8s.io/apimachinery/pkg/util/json"
+	"k8s.io/apimachinery/pkg/util/mergepatch"
+)
+
+// Create a 3-way merge patch based-on JSON merge patch.
+// Calculate addition-and-change patch between current and modified.
+// Calculate deletion patch between original and modified.
+func CreateThreeWayJSONMergePatch(original, modified, current []byte, fns ...mergepatch.PreconditionFunc) ([]byte, error) {
+	if len(original) == 0 {
+		original = []byte(`{}`)
+	}
+	if len(modified) == 0 {
+		modified = []byte(`{}`)
+	}
+	if len(current) == 0 {
+		current = []byte(`{}`)
+	}
+
+	addAndChangePatch, err := jsonpatch.CreateMergePatch(current, modified)
+	if err != nil {
+		return nil, err
+	}
+	// Only keep addition and changes
+	addAndChangePatch, addAndChangePatchObj, err := keepOrDeleteNullInJsonPatch(addAndChangePatch, false)
+	if err != nil {
+		return nil, err
+	}
+
+	deletePatch, err := jsonpatch.CreateMergePatch(original, modified)
+	if err != nil {
+		return nil, err
+	}
+	// Only keep deletion
+	deletePatch, deletePatchObj, err := keepOrDeleteNullInJsonPatch(deletePatch, true)
+	if err != nil {
+		return nil, err
+	}
+
+	hasConflicts, err := mergepatch.HasConflicts(addAndChangePatchObj, deletePatchObj)
+	if err != nil {
+		return nil, err
+	}
+	if hasConflicts {
+		return nil, mergepatch.NewErrConflict(mergepatch.ToYAMLOrError(addAndChangePatchObj), mergepatch.ToYAMLOrError(deletePatchObj))
+	}
+	patch, err := jsonpatch.MergePatch(deletePatch, addAndChangePatch)
+	if err != nil {
+		return nil, err
+	}
+
+	var patchMap map[string]interface{}
+	err = json.Unmarshal(patch, &patchMap)
+	if err != nil {
+		return nil, fmt.Errorf("failed to unmarshal patch for precondition check: %s", patch)
+	}
+	meetPreconditions, err := meetPreconditions(patchMap, fns...)
+	if err != nil {
+		return nil, err
+	}
+	if !meetPreconditions {
+		return nil, mergepatch.NewErrPreconditionFailed(patchMap)
+	}
+
+	return patch, nil
+}
+
+// keepOrDeleteNullInJsonPatch takes a json-encoded byte array and a boolean.
+// It returns a filtered object and its corresponding json-encoded byte array.
+// It is a wrapper of func keepOrDeleteNullInObj
+func keepOrDeleteNullInJsonPatch(patch []byte, keepNull bool) ([]byte, map[string]interface{}, error) {
+	var patchMap map[string]interface{}
+	err := json.Unmarshal(patch, &patchMap)
+	if err != nil {
+		return nil, nil, err
+	}
+	filteredMap, err := keepOrDeleteNullInObj(patchMap, keepNull)
+	if err != nil {
+		return nil, nil, err
+	}
+	o, err := json.Marshal(filteredMap)
+	return o, filteredMap, err
+}
+
+// keepOrDeleteNullInObj will keep only the null value and delete all the others,
+// if keepNull is true. Otherwise, it will delete all the null value and keep the others.
+func keepOrDeleteNullInObj(m map[string]interface{}, keepNull bool) (map[string]interface{}, error) {
+	filteredMap := make(map[string]interface{})
+	var err error
+	for key, val := range m {
+		switch {
+		case keepNull && val == nil:
+			filteredMap[key] = nil
+		case val != nil:
+			switch typedVal := val.(type) {
+			case map[string]interface{}:
+				// Explicitly-set empty maps are treated as values instead of empty patches
+				if len(typedVal) == 0 {
+					if !keepNull {
+						filteredMap[key] = typedVal
+					}
+					continue
+				}
+
+				var filteredSubMap map[string]interface{}
+				filteredSubMap, err = keepOrDeleteNullInObj(typedVal, keepNull)
+				if err != nil {
+					return nil, err
+				}
+
+				// If the returned filtered submap was empty, this is an empty patch for the entire subdict, so the key
+				// should not be set
+				if len(filteredSubMap) != 0 {
+					filteredMap[key] = filteredSubMap
+				}
+
+			case []interface{}, string, float64, bool, int64, nil:
+				// Lists are always replaced in Json, no need to check each entry in the list.
+				if !keepNull {
+					filteredMap[key] = val
+				}
+			default:
+				return nil, fmt.Errorf("unknown type: %v", reflect.TypeOf(typedVal))
+			}
+		}
+	}
+	return filteredMap, nil
+}
+
+func meetPreconditions(patchObj map[string]interface{}, fns ...mergepatch.PreconditionFunc) (bool, error) {
+	// Apply the preconditions to the patch, and return an error if any of them fail.
+	for _, fn := range fns {
+		if !fn(patchObj) {
+			return false, fmt.Errorf("precondition failed for: %v", patchObj)
+		}
+	}
+	return true, nil
+}
@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
@@ -0,0 +1,228 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package genericclioptions
+
+import (
+	"github.com/spf13/pflag"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/cli-runtime/pkg/resource"
+	"k8s.io/utils/ptr"
+)
+
+// ResourceBuilderFlags are flags for finding resources
+// TODO(juanvallejo): wire --local flag from commands through
+type ResourceBuilderFlags struct {
+	FileNameFlags *FileNameFlags
+
+	LabelSelector *string
+	FieldSelector *string
+	AllNamespaces *bool
+	All           *bool
+	Local         *bool
+
+	Scheme           *runtime.Scheme
+	Latest           bool
+	StopOnFirstError bool
+}
+
+// NewResourceBuilderFlags returns a default ResourceBuilderFlags
+func NewResourceBuilderFlags() *ResourceBuilderFlags {
+	filenames := []string{}
+
+	return &ResourceBuilderFlags{
+		FileNameFlags: &FileNameFlags{
+			Usage:     "identifying the resource.",
+			Filenames: &filenames,
+			Recursive: ptr.To(true),
+		},
+	}
+}
+
+// WithFile sets the FileNameFlags.
+// If recurse is set, it will process directory recursively. Useful when you want to manage related manifests
+// organized within the same directory.
+func (o *ResourceBuilderFlags) WithFile(recurse bool, files ...string) *ResourceBuilderFlags {
+	o.FileNameFlags = &FileNameFlags{
+		Usage:     "identifying the resource.",
+		Filenames: &files,
+		Recursive: ptr.To(recurse),
+	}
+
+	return o
+}
+
+// WithLabelSelector sets the LabelSelector flag
+func (o *ResourceBuilderFlags) WithLabelSelector(selector string) *ResourceBuilderFlags {
+	o.LabelSelector = &selector
+	return o
+}
+
+// WithFieldSelector sets the FieldSelector flag
+func (o *ResourceBuilderFlags) WithFieldSelector(selector string) *ResourceBuilderFlags {
+	o.FieldSelector = &selector
+	return o
+}
+
+// WithAllNamespaces sets the AllNamespaces flag
+func (o *ResourceBuilderFlags) WithAllNamespaces(defaultVal bool) *ResourceBuilderFlags {
+	o.AllNamespaces = &defaultVal
+	return o
+}
+
+// WithAll sets the All flag
+func (o *ResourceBuilderFlags) WithAll(defaultVal bool) *ResourceBuilderFlags {
+	o.All = &defaultVal
+	return o
+}
+
+// WithLocal sets the Local flag
+func (o *ResourceBuilderFlags) WithLocal(defaultVal bool) *ResourceBuilderFlags {
+	o.Local = &defaultVal
+	return o
+}
+
+// WithScheme sets the Scheme flag
+func (o *ResourceBuilderFlags) WithScheme(scheme *runtime.Scheme) *ResourceBuilderFlags {
+	o.Scheme = scheme
+	return o
+}
+
+// WithLatest sets the Latest flag
+func (o *ResourceBuilderFlags) WithLatest() *ResourceBuilderFlags {
+	o.Latest = true
+	return o
+}
+
+// StopOnError sets the StopOnFirstError flag
+func (o *ResourceBuilderFlags) StopOnError() *ResourceBuilderFlags {
+	o.StopOnFirstError = true
+	return o
+}
+
+// AddFlags registers flags for finding resources
+func (o *ResourceBuilderFlags) AddFlags(flagset *pflag.FlagSet) {
+	o.FileNameFlags.AddFlags(flagset)
+
+	if o.LabelSelector != nil {
+		flagset.StringVarP(o.LabelSelector, "selector", "l", *o.LabelSelector, "Selector (label query) to filter on, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2)")
+	}
+	if o.FieldSelector != nil {
+		flagset.StringVar(o.FieldSelector, "field-selector", *o.FieldSelector, "Selector (field query) to filter on, supports '=', '==', and '!='.(e.g. --field-selector key1=value1,key2=value2). The server only supports a limited number of field queries per type.")
+	}
+	if o.AllNamespaces != nil {
+		flagset.BoolVarP(o.AllNamespaces, "all-namespaces", "A", *o.AllNamespaces, "If present, list the requested object(s) across all namespaces. Namespace in current context is ignored even if specified with --namespace.")
+	}
+	if o.All != nil {
+		flagset.BoolVar(o.All, "all", *o.All, "Select all resources in the namespace of the specified resource types")
+	}
+	if o.Local != nil {
+		flagset.BoolVar(o.Local, "local", *o.Local, "If true, annotation will NOT contact api-server but run locally.")
+	}
+}
+
+// ToBuilder gives you back a resource finder to visit resources that are located
+func (o *ResourceBuilderFlags) ToBuilder(restClientGetter RESTClientGetter, resources []string) ResourceFinder {
+	namespace, enforceNamespace, namespaceErr := restClientGetter.ToRawKubeConfigLoader().Namespace()
+
+	builder := resource.NewBuilder(restClientGetter).
+		NamespaceParam(namespace).DefaultNamespace()
+
+	if o.AllNamespaces != nil {
+		builder.AllNamespaces(*o.AllNamespaces)
+	}
+
+	if o.Scheme != nil {
+		builder.WithScheme(o.Scheme, o.Scheme.PrioritizedVersionsAllGroups()...)
+	} else {
+		builder.Unstructured()
+	}
+
+	if o.FileNameFlags != nil {
+		opts := o.FileNameFlags.ToOptions()
+		builder.FilenameParam(enforceNamespace, &opts)
+	}
+
+	if o.Local == nil || !*o.Local {
+		// resource type/name tuples only work non-local
+		if o.All != nil {
+			builder.ResourceTypeOrNameArgs(*o.All, resources...)
+		} else {
+			builder.ResourceTypeOrNameArgs(false, resources...)
+		}
+		// label selectors only work non-local (for now)
+		if o.LabelSelector != nil {
+			builder.LabelSelectorParam(*o.LabelSelector)
+		}
+		// field selectors only work non-local (forever)
+		if o.FieldSelector != nil {
+			builder.FieldSelectorParam(*o.FieldSelector)
+		}
+		// latest only works non-local (forever)
+		if o.Latest {
+			builder.Latest()
+		}
+
+	} else {
+		builder.Local()
+
+		if len(resources) > 0 {
+			builder.AddError(resource.LocalResourceError)
+		}
+	}
+
+	if !o.StopOnFirstError {
+		builder.ContinueOnError()
+	}
+
+	return &ResourceFindBuilderWrapper{
+		builder: builder.
+			Flatten(). // I think we're going to recommend this everywhere
+			AddError(namespaceErr),
+	}
+}
+
+// ResourceFindBuilderWrapper wraps a builder in an interface
+type ResourceFindBuilderWrapper struct {
+	builder *resource.Builder
+}
+
+// Do finds you resources to check
+func (b *ResourceFindBuilderWrapper) Do() resource.Visitor {
+	return b.builder.Do()
+}
+
+// ResourceFinder allows mocking the resource builder
+// TODO resource builders needs to become more interfacey
+type ResourceFinder interface {
+	Do() resource.Visitor
+}
+
+// ResourceFinderFunc is a handy way to make a  ResourceFinder
+type ResourceFinderFunc func() resource.Visitor
+
+// Do implements ResourceFinder
+func (fn ResourceFinderFunc) Do() resource.Visitor {
+	return fn()
+}
+
+// ResourceFinderForResult skins a visitor for re-use as a ResourceFinder
+func ResourceFinderForResult(result resource.Visitor) ResourceFinder {
+	return ResourceFinderFunc(func() resource.Visitor {
+		return result
+	})
+}
@@ -0,0 +1,65 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package genericclioptions
+
+import (
+	"k8s.io/cli-runtime/pkg/resource"
+)
+
+// NewSimpleFakeResourceFinder builds a super simple ResourceFinder that just iterates over the objects you provided
+func NewSimpleFakeResourceFinder(infos ...*resource.Info) *FakeResourceFinder {
+	return &FakeResourceFinder{
+		Infos: infos,
+	}
+}
+
+func (f *FakeResourceFinder) WithError(err error) *FakeResourceFinder {
+	f.err = err
+	return f
+}
+
+type FakeResourceFinder struct {
+	Infos []*resource.Info
+	err   error
+}
+
+// Do implements the interface
+func (f *FakeResourceFinder) Do() resource.Visitor {
+	return &fakeResourceResult{
+		Infos: f.Infos,
+		err:   f.err,
+	}
+}
+
+type fakeResourceResult struct {
+	Infos []*resource.Info
+	err   error
+}
+
+// Visit just iterates over info
+func (r *fakeResourceResult) Visit(fn resource.VisitorFunc) error {
+	if r.err != nil {
+		return r.err
+	}
+	for _, info := range r.Infos {
+		err := fn(info, nil)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
@@ -0,0 +1,72 @@
+/*
+Copyright 2020 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package genericclioptions
+
+import (
+	restclient "k8s.io/client-go/rest"
+	"k8s.io/client-go/tools/clientcmd"
+	clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
+)
+
+var (
+	// ErrEmptyConfig is the error message to be displayed if the configuration info is missing or incomplete
+	ErrEmptyConfig = clientcmd.NewEmptyConfigError(`Missing or incomplete configuration info.  Please point to an existing, complete config file:
+
+
+  1. Via the command-line flag --kubeconfig
+  2. Via the KUBECONFIG environment variable
+  3. In your home directory as ~/.kube/config
+
+To view or setup config directly use the 'config' command.`)
+)
+
+var _ = clientcmd.ClientConfig(&clientConfig{})
+
+type clientConfig struct {
+	defaultClientConfig clientcmd.ClientConfig
+}
+
+func (c *clientConfig) RawConfig() (clientcmdapi.Config, error) {
+	config, err := c.defaultClientConfig.RawConfig()
+	// replace client-go's ErrEmptyConfig error with our custom, more verbose version
+	if clientcmd.IsEmptyConfig(err) {
+		return config, ErrEmptyConfig
+	}
+	return config, err
+}
+
+func (c *clientConfig) ClientConfig() (*restclient.Config, error) {
+	config, err := c.defaultClientConfig.ClientConfig()
+	// replace client-go's ErrEmptyConfig error with our custom, more verbose version
+	if clientcmd.IsEmptyConfig(err) {
+		return config, ErrEmptyConfig
+	}
+	return config, err
+}
+
+func (c *clientConfig) Namespace() (string, bool, error) {
+	namespace, ok, err := c.defaultClientConfig.Namespace()
+	// replace client-go's ErrEmptyConfig error with our custom, more verbose version
+	if clientcmd.IsEmptyConfig(err) {
+		return namespace, ok, ErrEmptyConfig
+	}
+	return namespace, ok, err
+}
+
+func (c *clientConfig) ConfigAccess() clientcmd.ConfigAccess {
+	return c.defaultClientConfig.ConfigAccess()
+}
@@ -0,0 +1,109 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package genericclioptions
+
+import (
+	"net/http"
+	"strings"
+	"sync/atomic"
+
+	"github.com/google/uuid"
+	"github.com/spf13/cobra"
+)
+
+const (
+	kubectlCommandHeader = "Kubectl-Command"
+	kubectlSessionHeader = "Kubectl-Session"
+)
+
+// CommandHeaderRoundTripper adds a layer around the standard
+// round tripper to add Request headers before delegation. Implements
+// the go standard library "http.RoundTripper" interface.
+type CommandHeaderRoundTripper struct {
+	Delegate    http.RoundTripper
+	Headers     map[string]string
+	SkipHeaders *atomic.Bool
+}
+
+// CommandHeaderRoundTripper adds Request headers before delegating to standard
+// round tripper. These headers are kubectl command headers which
+// detail the kubectl command. See SIG CLI KEP 859:
+//
+//	https://github.com/kubernetes/enhancements/tree/master/keps/sig-cli/859-kubectl-headers
+func (c *CommandHeaderRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
+	if c.shouldSkipHeaders() {
+		return c.Delegate.RoundTrip(req)
+	}
+
+	for header, value := range c.Headers {
+		req.Header.Set(header, value)
+	}
+
+	return c.Delegate.RoundTrip(req)
+}
+
+// ParseCommandHeaders fills in a map of custom headers into the CommandHeaderRoundTripper. These
+// headers are then filled into each request. For details on the custom headers see:
+//
+//	https://github.com/kubernetes/enhancements/tree/master/keps/sig-cli/859-kubectl-headers
+//
+// Each call overwrites the previously parsed command headers (not additive).
+// TODO(seans3): Parse/add flags removing PII from flag values.
+func (c *CommandHeaderRoundTripper) ParseCommandHeaders(cmd *cobra.Command, args []string) {
+	if cmd == nil {
+		return
+	}
+	// Overwrites previously parsed command headers (headers not additive).
+	c.Headers = map[string]string{}
+	// Session identifier to aggregate multiple Requests from single kubectl command.
+	uid := uuid.New().String()
+	c.Headers[kubectlSessionHeader] = uid
+	// Iterate up the hierarchy of commands from the leaf command to create
+	// the full command string. Example: kubectl create secret generic
+	cmdStrs := []string{}
+	for cmd.HasParent() {
+		parent := cmd.Parent()
+		currName := strings.TrimSpace(cmd.Name())
+		cmdStrs = append([]string{currName}, cmdStrs...)
+		cmd = parent
+	}
+	currName := strings.TrimSpace(cmd.Name())
+	cmdStrs = append([]string{currName}, cmdStrs...)
+	if len(cmdStrs) > 0 {
+		c.Headers[kubectlCommandHeader] = strings.Join(cmdStrs, " ")
+	}
+}
+
+// CancelRequest is propagated to the Delegate RoundTripper within
+// if the wrapped RoundTripper implements this function.
+func (c *CommandHeaderRoundTripper) CancelRequest(req *http.Request) {
+	type canceler interface {
+		CancelRequest(*http.Request)
+	}
+	// If possible, call "CancelRequest" on the wrapped Delegate RoundTripper.
+	if cr, ok := c.Delegate.(canceler); ok {
+		cr.CancelRequest(req)
+	}
+}
+
+func (c *CommandHeaderRoundTripper) shouldSkipHeaders() bool {
+	if c.SkipHeaders == nil {
+		return false
+	}
+
+	return c.SkipHeaders.Load()
+}
@@ -0,0 +1,514 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package genericclioptions
+
+import (
+	"os"
+	"path/filepath"
+	"regexp"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/spf13/pflag"
+
+	"k8s.io/apimachinery/pkg/api/meta"
+	"k8s.io/cli-runtime/pkg/genericiooptions"
+	"k8s.io/cli-runtime/pkg/printers"
+	"k8s.io/client-go/discovery"
+	diskcached "k8s.io/client-go/discovery/cached/disk"
+	"k8s.io/client-go/rest"
+	"k8s.io/client-go/restmapper"
+	"k8s.io/client-go/tools/clientcmd"
+	"k8s.io/client-go/util/homedir"
+	"k8s.io/utils/ptr"
+)
+
+const (
+	flagClusterName          = "cluster"
+	flagAuthInfoName         = "user"
+	flagContext              = "context"
+	flagNamespace            = "namespace"
+	flagAPIServer            = "server"
+	flagTLSServerName        = "tls-server-name"
+	flagInsecure             = "insecure-skip-tls-verify"
+	flagCertFile             = "client-certificate"
+	flagKeyFile              = "client-key"
+	flagCAFile               = "certificate-authority"
+	flagBearerToken          = "token"
+	flagImpersonate          = "as"
+	flagImpersonateUID       = "as-uid"
+	flagImpersonateGroup     = "as-group"
+	flagImpersonateUserExtra = "as-user-extra"
+	flagUsername             = "username"
+	flagPassword             = "password"
+	flagTimeout              = "request-timeout"
+	flagCacheDir             = "cache-dir"
+	flagDisableCompression   = "disable-compression"
+)
+
+// RESTClientGetter is an interface that the ConfigFlags describe to provide an easier way to mock for commands
+// and eliminate the direct coupling to a struct type.  Users may wish to duplicate this type in their own packages
+// as per the golang type overlapping.
+type RESTClientGetter interface {
+	// ToRESTConfig returns restconfig
+	ToRESTConfig() (*rest.Config, error)
+	// ToDiscoveryClient returns discovery client
+	ToDiscoveryClient() (discovery.CachedDiscoveryInterface, error)
+	// ToRESTMapper returns a restmapper
+	ToRESTMapper() (meta.RESTMapper, error)
+	// ToRawKubeConfigLoader return kubeconfig loader as-is
+	ToRawKubeConfigLoader() clientcmd.ClientConfig
+}
+
+var _ RESTClientGetter = &ConfigFlags{}
+
+// ConfigFlags composes the set of values necessary
+// for obtaining a REST client config
+type ConfigFlags struct {
+	CacheDir   *string
+	KubeConfig *string
+
+	// config flags
+	ClusterName          *string
+	AuthInfoName         *string
+	Context              *string
+	Namespace            *string
+	APIServer            *string
+	TLSServerName        *string
+	Insecure             *bool
+	CertFile             *string
+	KeyFile              *string
+	CAFile               *string
+	BearerToken          *string
+	Impersonate          *string
+	ImpersonateUID       *string
+	ImpersonateGroup     *[]string
+	ImpersonateUserExtra *[]string
+	Username             *string
+	Password             *string
+	Timeout              *string
+	DisableCompression   *bool
+	// If non-nil, wrap config function can transform the Config
+	// before it is returned in ToRESTConfig function.
+	WrapConfigFn func(*rest.Config) *rest.Config
+
+	clientConfig     clientcmd.ClientConfig
+	clientConfigLock sync.Mutex
+
+	restMapper     meta.RESTMapper
+	restMapperLock sync.Mutex
+
+	discoveryClient     discovery.CachedDiscoveryInterface
+	discoveryClientLock sync.Mutex
+
+	// If set to true, will use persistent client config, rest mapper, discovery client, and
+	// propagate them to the places that need them, rather than
+	// instantiating them multiple times.
+	usePersistentConfig bool
+	// Allows increasing burst used for discovery, this is useful
+	// in clusters with many registered resources
+	discoveryBurst int
+	// Allows increasing qps used for discovery, this is useful
+	// in clusters with many registered resources
+	discoveryQPS float32
+	// Allows all possible warnings are printed in a standardized
+	// format.
+	warningPrinter *printers.WarningPrinter
+}
+
+// ToRESTConfig implements RESTClientGetter.
+// Returns a REST client configuration based on a provided path
+// to a .kubeconfig file, loading rules, and config flag overrides.
+// Expects the AddFlags method to have been called. If WrapConfigFn
+// is non-nil this function can transform config before return.
+func (f *ConfigFlags) ToRESTConfig() (*rest.Config, error) {
+	c, err := f.ToRawKubeConfigLoader().ClientConfig()
+	if err != nil {
+		return nil, err
+	}
+	if f.WrapConfigFn != nil {
+		return f.WrapConfigFn(c), nil
+	}
+	return c, nil
+}
+
+// ToRawKubeConfigLoader binds config flag values to config overrides
+// Returns an interactive clientConfig if the password flag is enabled,
+// or a non-interactive clientConfig otherwise.
+func (f *ConfigFlags) ToRawKubeConfigLoader() clientcmd.ClientConfig {
+	if f.usePersistentConfig {
+		return f.toRawKubePersistentConfigLoader()
+	}
+	return f.toRawKubeConfigLoader()
+}
+
+func (f *ConfigFlags) toRawKubeConfigLoader() clientcmd.ClientConfig {
+	loadingRules := clientcmd.NewDefaultClientConfigLoadingRules()
+	// use the standard defaults for this client command
+	// DEPRECATED: remove and replace with something more accurate
+	loadingRules.DefaultClientConfig = &clientcmd.DefaultClientConfig
+
+	if f.KubeConfig != nil {
+		loadingRules.ExplicitPath = *f.KubeConfig
+	}
+
+	overrides := &clientcmd.ConfigOverrides{ClusterDefaults: clientcmd.ClusterDefaults}
+
+	// bind auth info flag values to overrides
+	if f.CertFile != nil {
+		overrides.AuthInfo.ClientCertificate = *f.CertFile
+		overrides.AuthInfo.ClientCertificateData = nil
+	}
+	if f.KeyFile != nil {
+		overrides.AuthInfo.ClientKey = *f.KeyFile
+		overrides.AuthInfo.ClientKeyData = nil
+	}
+	if f.BearerToken != nil {
+		overrides.AuthInfo.Token = *f.BearerToken
+		overrides.AuthInfo.TokenFile = ""
+	}
+	if f.Impersonate != nil {
+		overrides.AuthInfo.Impersonate = *f.Impersonate
+	}
+	if f.ImpersonateUserExtra != nil && len(*f.ImpersonateUserExtra) > 0 {
+		userExtras := make(map[string][]string)
+		for _, extra := range *f.ImpersonateUserExtra {
+			parts := strings.SplitN(extra, "=", 2)
+			if len(parts) != 2 {
+				continue
+			}
+			key := parts[0]
+			value := parts[1]
+			userExtras[key] = append(userExtras[key], value)
+		}
+		overrides.AuthInfo.ImpersonateUserExtra = userExtras
+	}
+	if f.ImpersonateUID != nil {
+		overrides.AuthInfo.ImpersonateUID = *f.ImpersonateUID
+	}
+	if f.ImpersonateGroup != nil {
+		overrides.AuthInfo.ImpersonateGroups = *f.ImpersonateGroup
+	}
+	if f.Username != nil {
+		overrides.AuthInfo.Username = *f.Username
+	}
+	if f.Password != nil {
+		overrides.AuthInfo.Password = *f.Password
+	}
+
+	// bind cluster flags
+	if f.APIServer != nil {
+		overrides.ClusterInfo.Server = *f.APIServer
+	}
+	if f.TLSServerName != nil {
+		overrides.ClusterInfo.TLSServerName = *f.TLSServerName
+	}
+	if f.CAFile != nil {
+		overrides.ClusterInfo.CertificateAuthority = *f.CAFile
+	}
+	if f.Insecure != nil {
+		overrides.ClusterInfo.InsecureSkipTLSVerify = *f.Insecure
+	}
+	if f.DisableCompression != nil {
+		overrides.ClusterInfo.DisableCompression = *f.DisableCompression
+	}
+
+	// bind context flags
+	if f.Context != nil {
+		overrides.CurrentContext = *f.Context
+	}
+	if f.ClusterName != nil {
+		overrides.Context.Cluster = *f.ClusterName
+	}
+	if f.AuthInfoName != nil {
+		overrides.Context.AuthInfo = *f.AuthInfoName
+	}
+	if f.Namespace != nil {
+		overrides.Context.Namespace = *f.Namespace
+	}
+
+	if f.Timeout != nil {
+		overrides.Timeout = *f.Timeout
+	}
+
+	// we only have an interactive prompt when a password is allowed
+	if f.Password == nil {
+		return &clientConfig{clientcmd.NewNonInteractiveDeferredLoadingClientConfig(loadingRules, overrides)}
+	}
+	return &clientConfig{clientcmd.NewInteractiveDeferredLoadingClientConfig(loadingRules, overrides, os.Stdin)}
+}
+
+// toRawKubePersistentConfigLoader binds config flag values to config overrides
+// Returns a persistent clientConfig for propagation.
+func (f *ConfigFlags) toRawKubePersistentConfigLoader() clientcmd.ClientConfig {
+	f.clientConfigLock.Lock()
+	defer f.clientConfigLock.Unlock()
+
+	if f.clientConfig == nil {
+		f.clientConfig = f.toRawKubeConfigLoader()
+	}
+
+	return f.clientConfig
+}
+
+// ToDiscoveryClient implements RESTClientGetter.
+// Expects the AddFlags method to have been called.
+// Returns a CachedDiscoveryInterface using a computed RESTConfig.
+func (f *ConfigFlags) ToDiscoveryClient() (discovery.CachedDiscoveryInterface, error) {
+	if f.usePersistentConfig {
+		return f.toPersistentDiscoveryClient()
+	}
+	return f.toDiscoveryClient()
+}
+
+func (f *ConfigFlags) toPersistentDiscoveryClient() (discovery.CachedDiscoveryInterface, error) {
+	f.discoveryClientLock.Lock()
+	defer f.discoveryClientLock.Unlock()
+
+	if f.discoveryClient == nil {
+		discoveryClient, err := f.toDiscoveryClient()
+		if err != nil {
+			return nil, err
+		}
+		f.discoveryClient = discoveryClient
+	}
+	return f.discoveryClient, nil
+}
+
+func (f *ConfigFlags) toDiscoveryClient() (discovery.CachedDiscoveryInterface, error) {
+	config, err := f.ToRESTConfig()
+	if err != nil {
+		return nil, err
+	}
+
+	config.Burst = f.discoveryBurst
+	config.QPS = f.discoveryQPS
+
+	cacheDir := getDefaultCacheDir()
+
+	// retrieve a user-provided value for the "cache-dir"
+	// override httpCacheDir and discoveryCacheDir if user-value is given.
+	// user-provided value has higher precedence than default
+	// and KUBECACHEDIR environment variable.
+	if f.CacheDir != nil && *f.CacheDir != "" && *f.CacheDir != getDefaultCacheDir() {
+		cacheDir = *f.CacheDir
+	}
+
+	httpCacheDir := filepath.Join(cacheDir, "http")
+	discoveryCacheDir := computeDiscoverCacheDir(filepath.Join(cacheDir, "discovery"), config.Host)
+
+	return diskcached.NewCachedDiscoveryClientForConfig(config, discoveryCacheDir, httpCacheDir, time.Duration(6*time.Hour))
+}
+
+// getDefaultCacheDir returns default caching directory path.
+// it first looks at KUBECACHEDIR env var if it is set, otherwise
+// it returns standard kube cache dir.
+func getDefaultCacheDir() string {
+	if kcd := os.Getenv("KUBECACHEDIR"); kcd != "" {
+		return kcd
+	}
+
+	return filepath.Join(homedir.HomeDir(), ".kube", "cache")
+}
+
+// ToRESTMapper returns a mapper.
+func (f *ConfigFlags) ToRESTMapper() (meta.RESTMapper, error) {
+	if f.usePersistentConfig {
+		return f.toPersistentRESTMapper()
+	}
+	return f.toRESTMapper()
+}
+
+func (f *ConfigFlags) toPersistentRESTMapper() (meta.RESTMapper, error) {
+	f.restMapperLock.Lock()
+	defer f.restMapperLock.Unlock()
+
+	if f.restMapper == nil {
+		restMapper, err := f.toRESTMapper()
+		if err != nil {
+			return nil, err
+		}
+		f.restMapper = restMapper
+	}
+	return f.restMapper, nil
+}
+
+func (f *ConfigFlags) toRESTMapper() (meta.RESTMapper, error) {
+	discoveryClient, err := f.ToDiscoveryClient()
+	if err != nil {
+		return nil, err
+	}
+
+	mapper := restmapper.NewDeferredDiscoveryRESTMapper(discoveryClient)
+	expander := restmapper.NewShortcutExpander(mapper, discoveryClient, func(a string) {
+		if f.warningPrinter != nil {
+			f.warningPrinter.Print(a)
+		}
+	})
+	return expander, nil
+}
+
+// AddFlags binds client configuration flags to a given flagset
+func (f *ConfigFlags) AddFlags(flags *pflag.FlagSet) {
+	if f.KubeConfig != nil {
+		flags.StringVar(f.KubeConfig, "kubeconfig", *f.KubeConfig, "Path to the kubeconfig file to use for CLI requests.")
+	}
+	if f.CacheDir != nil {
+		flags.StringVar(f.CacheDir, flagCacheDir, *f.CacheDir, "Default cache directory")
+	}
+
+	// add config options
+	if f.CertFile != nil {
+		flags.StringVar(f.CertFile, flagCertFile, *f.CertFile, "Path to a client certificate file for TLS")
+	}
+	if f.KeyFile != nil {
+		flags.StringVar(f.KeyFile, flagKeyFile, *f.KeyFile, "Path to a client key file for TLS")
+	}
+	if f.BearerToken != nil {
+		flags.StringVar(f.BearerToken, flagBearerToken, *f.BearerToken, "Bearer token for authentication to the API server")
+	}
+	if f.Impersonate != nil {
+		flags.StringVar(f.Impersonate, flagImpersonate, *f.Impersonate, "Username to impersonate for the operation. User could be a regular user or a service account in a namespace.")
+	}
+	if f.ImpersonateUID != nil {
+		flags.StringVar(f.ImpersonateUID, flagImpersonateUID, *f.ImpersonateUID, "UID to impersonate for the operation.")
+	}
+	if f.ImpersonateGroup != nil {
+		flags.StringArrayVar(f.ImpersonateGroup, flagImpersonateGroup, *f.ImpersonateGroup, "Group to impersonate for the operation, this flag can be repeated to specify multiple groups.")
+	}
+	if f.ImpersonateUserExtra != nil {
+		flags.StringArrayVar(f.ImpersonateUserExtra, flagImpersonateUserExtra, *f.ImpersonateUserExtra, "User extras to impersonate for the operation, this flag can be repeated to specify multiple values for the same key.")
+	}
+	if f.Username != nil {
+		flags.StringVar(f.Username, flagUsername, *f.Username, "Username for basic authentication to the API server")
+	}
+	if f.Password != nil {
+		flags.StringVar(f.Password, flagPassword, *f.Password, "Password for basic authentication to the API server")
+	}
+	if f.ClusterName != nil {
+		flags.StringVar(f.ClusterName, flagClusterName, *f.ClusterName, "The name of the kubeconfig cluster to use")
+	}
+	if f.AuthInfoName != nil {
+		flags.StringVar(f.AuthInfoName, flagAuthInfoName, *f.AuthInfoName, "The name of the kubeconfig user to use")
+	}
+	if f.Namespace != nil {
+		flags.StringVarP(f.Namespace, flagNamespace, "n", *f.Namespace, "If present, the namespace scope for this CLI request")
+	}
+	if f.Context != nil {
+		flags.StringVar(f.Context, flagContext, *f.Context, "The name of the kubeconfig context to use")
+	}
+
+	if f.APIServer != nil {
+		flags.StringVarP(f.APIServer, flagAPIServer, "s", *f.APIServer, "The address and port of the Kubernetes API server")
+	}
+	if f.TLSServerName != nil {
+		flags.StringVar(f.TLSServerName, flagTLSServerName, *f.TLSServerName, "Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used")
+	}
+	if f.Insecure != nil {
+		flags.BoolVar(f.Insecure, flagInsecure, *f.Insecure, "If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure")
+	}
+	if f.CAFile != nil {
+		flags.StringVar(f.CAFile, flagCAFile, *f.CAFile, "Path to a cert file for the certificate authority")
+	}
+	if f.Timeout != nil {
+		flags.StringVar(f.Timeout, flagTimeout, *f.Timeout, "The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests.")
+	}
+	if f.DisableCompression != nil {
+		flags.BoolVar(f.DisableCompression, flagDisableCompression, *f.DisableCompression, "If true, opt-out of response compression for all requests to the server")
+	}
+}
+
+// WithDeprecatedPasswordFlag enables the username and password config flags
+func (f *ConfigFlags) WithDeprecatedPasswordFlag() *ConfigFlags {
+	f.Username = ptr.To("")
+	f.Password = ptr.To("")
+	return f
+}
+
+// WithDiscoveryBurst sets the RESTClient burst for discovery.
+func (f *ConfigFlags) WithDiscoveryBurst(discoveryBurst int) *ConfigFlags {
+	f.discoveryBurst = discoveryBurst
+	return f
+}
+
+// WithDiscoveryQPS sets the RESTClient QPS for discovery.
+func (f *ConfigFlags) WithDiscoveryQPS(discoveryQPS float32) *ConfigFlags {
+	f.discoveryQPS = discoveryQPS
+	return f
+}
+
+// WithWrapConfigFn allows providing a wrapper function for the client Config.
+func (f *ConfigFlags) WithWrapConfigFn(wrapConfigFn func(*rest.Config) *rest.Config) *ConfigFlags {
+	f.WrapConfigFn = wrapConfigFn
+	return f
+}
+
+// WithWarningPrinter initializes WarningPrinter with the given IOStreams
+func (f *ConfigFlags) WithWarningPrinter(ioStreams genericiooptions.IOStreams) *ConfigFlags {
+	f.warningPrinter = printers.NewWarningPrinter(ioStreams.ErrOut, printers.WarningPrinterOptions{Color: printers.AllowsColorOutput(ioStreams.ErrOut)})
+	return f
+}
+
+// NewConfigFlags returns ConfigFlags with default values set
+func NewConfigFlags(usePersistentConfig bool) *ConfigFlags {
+	impersonateGroup := []string{}
+	impersonateUserExtra := []string{}
+	insecure := false
+	disableCompression := false
+
+	return &ConfigFlags{
+		Insecure:   &insecure,
+		Timeout:    ptr.To("0"),
+		KubeConfig: ptr.To(""),
+
+		CacheDir:             ptr.To(getDefaultCacheDir()),
+		ClusterName:          ptr.To(""),
+		AuthInfoName:         ptr.To(""),
+		Context:              ptr.To(""),
+		Namespace:            ptr.To(""),
+		APIServer:            ptr.To(""),
+		TLSServerName:        ptr.To(""),
+		CertFile:             ptr.To(""),
+		KeyFile:              ptr.To(""),
+		CAFile:               ptr.To(""),
+		BearerToken:          ptr.To(""),
+		Impersonate:          ptr.To(""),
+		ImpersonateUID:       ptr.To(""),
+		ImpersonateGroup:     &impersonateGroup,
+		ImpersonateUserExtra: &impersonateUserExtra,
+		DisableCompression:   &disableCompression,
+
+		usePersistentConfig: usePersistentConfig,
+		// The more groups you have, the more discovery requests you need to make.
+		// with a burst of 300, we will not be rate-limiting for most clusters but
+		// the safeguard will still be here. This config is only used for discovery.
+		discoveryBurst: 300,
+	}
+}
+
+// overlyCautiousIllegalFileCharacters matches characters that *might* not be supported.  Windows is really restrictive, so this is really restrictive
+var overlyCautiousIllegalFileCharacters = regexp.MustCompile(`[^(\w/.)]`)
+
+// computeDiscoverCacheDir takes the parentDir and the host and comes up with a "usually non-colliding" name.
+func computeDiscoverCacheDir(parentDir, host string) string {
+	// strip the optional scheme from host if its there:
+	schemelessHost := strings.Replace(strings.Replace(host, "https://", "", 1), "http://", "", 1)
+	// now do a simple collapse of non-AZ09 characters.  Collisions are possible but unlikely.  Even if we do collide the problem is short lived
+	safeHost := overlyCautiousIllegalFileCharacters.ReplaceAllString(schemelessHost, "_")
+	return filepath.Join(parentDir, safeHost)
+}
@@ -0,0 +1,127 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package genericclioptions
+
+import (
+	"fmt"
+
+	"k8s.io/apimachinery/pkg/api/meta"
+	"k8s.io/client-go/discovery"
+	"k8s.io/client-go/rest"
+	"k8s.io/client-go/restmapper"
+	"k8s.io/client-go/tools/clientcmd"
+	clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
+)
+
+// TestConfigFlags contains clientConfig struct
+// and interfaces that implements RESTClientGetter
+type TestConfigFlags struct {
+	clientConfig    clientcmd.ClientConfig
+	discoveryClient discovery.CachedDiscoveryInterface
+	restMapper      meta.RESTMapper
+}
+
+// ToRawKubeConfigLoader implements RESTClientGetter
+// Returns a clientconfig if it's set
+func (f *TestConfigFlags) ToRawKubeConfigLoader() clientcmd.ClientConfig {
+	if f.clientConfig == nil {
+		panic("attempt to obtain a test RawKubeConfigLoader with no clientConfig specified")
+	}
+	return f.clientConfig
+}
+
+// ToRESTConfig implements RESTClientGetter.
+// Returns a REST client configuration based on a provided path
+// to a .kubeconfig file, loading rules, and config flag overrides.
+// Expects the AddFlags method to have been called.
+func (f *TestConfigFlags) ToRESTConfig() (*rest.Config, error) {
+	return f.ToRawKubeConfigLoader().ClientConfig()
+}
+
+// ToDiscoveryClient implements RESTClientGetter.
+// Returns a CachedDiscoveryInterface
+func (f *TestConfigFlags) ToDiscoveryClient() (discovery.CachedDiscoveryInterface, error) {
+	return f.discoveryClient, nil
+}
+
+// ToRESTMapper implements RESTClientGetter.
+// Returns a mapper.
+func (f *TestConfigFlags) ToRESTMapper() (meta.RESTMapper, error) {
+	if f.restMapper != nil {
+		return f.restMapper, nil
+	}
+	if f.discoveryClient != nil {
+		mapper := restmapper.NewDeferredDiscoveryRESTMapper(f.discoveryClient)
+		expander := restmapper.NewShortcutExpander(mapper, f.discoveryClient, nil)
+		return expander, nil
+	}
+	return nil, fmt.Errorf("no restmapper")
+}
+
+// WithClientConfig sets the clientConfig flag
+func (f *TestConfigFlags) WithClientConfig(clientConfig clientcmd.ClientConfig) *TestConfigFlags {
+	f.clientConfig = clientConfig
+	return f
+}
+
+// WithRESTMapper sets the restMapper flag
+func (f *TestConfigFlags) WithRESTMapper(mapper meta.RESTMapper) *TestConfigFlags {
+	f.restMapper = mapper
+	return f
+}
+
+// WithDiscoveryClient sets the discoveryClient flag
+func (f *TestConfigFlags) WithDiscoveryClient(c discovery.CachedDiscoveryInterface) *TestConfigFlags {
+	f.discoveryClient = c
+	return f
+}
+
+// WithNamespace sets the clientConfig flag by modifying delagate and namespace
+func (f *TestConfigFlags) WithNamespace(ns string) *TestConfigFlags {
+	if f.clientConfig == nil {
+		panic("attempt to obtain a test RawKubeConfigLoader with no clientConfig specified")
+	}
+	f.clientConfig = &namespacedClientConfig{
+		delegate:  f.clientConfig,
+		namespace: ns,
+	}
+	return f
+}
+
+// NewTestConfigFlags builds a TestConfigFlags struct to test ConfigFlags
+func NewTestConfigFlags() *TestConfigFlags {
+	return &TestConfigFlags{}
+}
+
+type namespacedClientConfig struct {
+	delegate  clientcmd.ClientConfig
+	namespace string
+}
+
+func (c *namespacedClientConfig) Namespace() (string, bool, error) {
+	return c.namespace, len(c.namespace) > 0, nil
+}
+
+func (c *namespacedClientConfig) RawConfig() (clientcmdapi.Config, error) {
+	return c.delegate.RawConfig()
+}
+func (c *namespacedClientConfig) ClientConfig() (*rest.Config, error) {
+	return c.delegate.ClientConfig()
+}
+func (c *namespacedClientConfig) ConfigAccess() clientcmd.ConfigAccess {
+	return c.delegate.ConfigAccess()
+}
@@ -0,0 +1,19 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package genericclioptions contains flags which can be added to your command, bound, completed, and produce
+// useful helper functions.  Nothing in this package can depend on kube/kube
+package genericclioptions
@@ -0,0 +1,82 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package genericclioptions
+
+import (
+	"strings"
+
+	"github.com/spf13/cobra"
+	"github.com/spf13/pflag"
+
+	"k8s.io/cli-runtime/pkg/resource"
+)
+
+// FileNameFlags are flags for processing files.
+// Usage of this struct by itself is discouraged.
+// These flags are composed by ResourceBuilderFlags
+// which should be used instead.
+type FileNameFlags struct {
+	Usage string
+
+	Filenames *[]string
+	Kustomize *string
+	Recursive *bool
+}
+
+// ToOptions creates a new FileNameOptions struct and sets FilenameOptions based on FileNameflags
+func (o *FileNameFlags) ToOptions() resource.FilenameOptions {
+	options := resource.FilenameOptions{}
+
+	if o == nil {
+		return options
+	}
+
+	if o.Recursive != nil {
+		options.Recursive = *o.Recursive
+	}
+	if o.Filenames != nil {
+		options.Filenames = *o.Filenames
+	}
+	if o.Kustomize != nil {
+		options.Kustomize = *o.Kustomize
+	}
+
+	return options
+}
+
+// AddFlags binds file name flags to a given flagset
+func (o *FileNameFlags) AddFlags(flags *pflag.FlagSet) {
+	if o == nil {
+		return
+	}
+
+	if o.Recursive != nil {
+		flags.BoolVarP(o.Recursive, "recursive", "R", *o.Recursive, "Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory.")
+	}
+	if o.Filenames != nil {
+		flags.StringSliceVarP(o.Filenames, "filename", "f", *o.Filenames, o.Usage)
+		annotations := make([]string, 0, len(resource.FileExtensions))
+		for _, ext := range resource.FileExtensions {
+			annotations = append(annotations, strings.TrimLeft(ext, "."))
+		}
+		flags.SetAnnotation("filename", cobra.BashCompFilenameExt, annotations)
+	}
+	if o.Kustomize != nil {
+		flags.StringVarP(o.Kustomize, "kustomize", "k", *o.Kustomize,
+			"Process a kustomization directory. This flag can't be used together with -f or -R.")
+	}
+}
@@ -0,0 +1,54 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package genericclioptions
+
+import (
+	"bytes"
+	"io"
+
+	"k8s.io/cli-runtime/pkg/genericiooptions"
+)
+
+// IOStreams provides the standard names for iostreams.  This is useful for embedding and for unit testing.
+// Inconsistent and different names make it hard to read and review code
+// DEPRECATED: use genericiooptions.IOStreams
+type IOStreams = genericiooptions.IOStreams
+
+// NewTestIOStreams returns a valid IOStreams and in, out, errout buffers for unit tests
+// DEPRECATED: use genericiooptions.NewTestIOStreams
+func NewTestIOStreams() (genericiooptions.IOStreams, *bytes.Buffer, *bytes.Buffer, *bytes.Buffer) {
+	in := &bytes.Buffer{}
+	out := &bytes.Buffer{}
+	errOut := &bytes.Buffer{}
+
+	return IOStreams{
+		In:     in,
+		Out:    out,
+		ErrOut: errOut,
+	}, in, out, errOut
+}
+
+// NewTestIOStreamsDiscard returns a valid IOStreams that just discards
+// DEPRECATED: use genericiooptions.NewTestIOStreamsDiscard
+func NewTestIOStreamsDiscard() genericiooptions.IOStreams {
+	in := &bytes.Buffer{}
+	return IOStreams{
+		In:     in,
+		Out:    io.Discard,
+		ErrOut: io.Discard,
+	}
+}
@@ -0,0 +1,94 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package genericclioptions
+
+import (
+	"os"
+	"slices"
+	"strings"
+
+	"github.com/spf13/cobra"
+
+	"k8s.io/cli-runtime/pkg/printers"
+)
+
+// AllowedFormats returns slice of string of allowed JSONYaml printing format
+func (f *JSONYamlPrintFlags) AllowedFormats() []string {
+	if f == nil {
+		return []string{}
+	}
+	formats := []string{"json", "yaml"}
+	// We can't use the cmdutil pkg directly because of import cycle.
+	if strings.ToLower(os.Getenv("KUBECTL_KYAML")) != "false" {
+		formats = append(formats, "kyaml")
+	}
+	return formats
+}
+
+// JSONYamlPrintFlags provides default flags necessary for json/yaml printing.
+// Given the following flag values, a printer can be requested that knows
+// how to handle printing based on these values.
+type JSONYamlPrintFlags struct {
+	ShowManagedFields bool
+}
+
+// ToPrinter receives an outputFormat and returns a printer capable of
+// handling --output=(yaml|json) printing.
+// Returns false if the specified outputFormat does not match a supported format.
+// Supported Format types can be found in pkg/printers/printers.go
+func (f *JSONYamlPrintFlags) ToPrinter(outputFormat string) (printers.ResourcePrinter, error) {
+	var printer printers.ResourcePrinter
+
+	outputFormat = strings.ToLower(outputFormat)
+
+	valid := f.AllowedFormats()
+	if !slices.Contains(valid, outputFormat) {
+		return nil, NoCompatiblePrinterError{OutputFormat: &outputFormat, AllowedFormats: valid}
+	}
+
+	switch outputFormat {
+	case "json":
+		printer = &printers.JSONPrinter{}
+	case "yaml":
+		printer = &printers.YAMLPrinter{}
+	case "kyaml":
+		printer = &printers.KYAMLPrinter{}
+	default:
+		return nil, NoCompatiblePrinterError{OutputFormat: &outputFormat, AllowedFormats: f.AllowedFormats()}
+	}
+
+	if !f.ShowManagedFields {
+		printer = &printers.OmitManagedFieldsPrinter{Delegate: printer}
+	}
+	return printer, nil
+}
+
+// AddFlags receives a *cobra.Command reference and binds
+// flags related to JSON or Yaml printing to it
+func (f *JSONYamlPrintFlags) AddFlags(c *cobra.Command) {
+	if f == nil {
+		return
+	}
+
+	c.Flags().BoolVar(&f.ShowManagedFields, "show-managed-fields", f.ShowManagedFields, "If true, keep the managedFields when printing objects in JSON or YAML format.")
+}
+
+// NewJSONYamlPrintFlags returns flags associated with
+// yaml or json printing, with default values set.
+func NewJSONYamlPrintFlags() *JSONYamlPrintFlags {
+	return &JSONYamlPrintFlags{}
+}
@@ -0,0 +1,137 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package genericclioptions
+
+import (
+	"fmt"
+	"os"
+	"sort"
+	"strings"
+
+	"github.com/spf13/cobra"
+
+	"k8s.io/cli-runtime/pkg/printers"
+)
+
+// templates are logically optional for specifying a format.
+// this allows a user to specify a template format value
+// as --output=jsonpath=
+var jsonFormats = map[string]bool{
+	"jsonpath":         true,
+	"jsonpath-file":    true,
+	"jsonpath-as-json": true,
+}
+
+// JSONPathPrintFlags provides default flags necessary for template printing.
+// Given the following flag values, a printer can be requested that knows
+// how to handle printing based on these values.
+type JSONPathPrintFlags struct {
+	// indicates if it is OK to ignore missing keys for rendering
+	// an output template.
+	AllowMissingKeys *bool
+	TemplateArgument *string
+}
+
+// AllowedFormats returns slice of string of allowed JSONPath printing format
+func (f *JSONPathPrintFlags) AllowedFormats() []string {
+	formats := make([]string, 0, len(jsonFormats))
+	for format := range jsonFormats {
+		formats = append(formats, format)
+	}
+	sort.Strings(formats)
+	return formats
+}
+
+// ToPrinter receives an templateFormat and returns a printer capable of
+// handling --template format printing.
+// Returns false if the specified templateFormat does not match a template format.
+func (f *JSONPathPrintFlags) ToPrinter(templateFormat string) (printers.ResourcePrinter, error) {
+	if (f.TemplateArgument == nil || len(*f.TemplateArgument) == 0) && len(templateFormat) == 0 {
+		return nil, NoCompatiblePrinterError{Options: f, OutputFormat: &templateFormat}
+	}
+
+	templateValue := ""
+
+	if f.TemplateArgument == nil || len(*f.TemplateArgument) == 0 {
+		for format := range jsonFormats {
+			format = format + "="
+			if strings.HasPrefix(templateFormat, format) {
+				templateValue = templateFormat[len(format):]
+				templateFormat = format[:len(format)-1]
+				break
+			}
+		}
+	} else {
+		templateValue = *f.TemplateArgument
+	}
+
+	if _, supportedFormat := jsonFormats[templateFormat]; !supportedFormat {
+		return nil, NoCompatiblePrinterError{OutputFormat: &templateFormat, AllowedFormats: f.AllowedFormats()}
+	}
+
+	if len(templateValue) == 0 {
+		return nil, fmt.Errorf("template format specified but no template given")
+	}
+
+	if templateFormat == "jsonpath-file" {
+		data, err := os.ReadFile(templateValue)
+		if err != nil {
+			return nil, fmt.Errorf("error reading --template %s, %v", templateValue, err)
+		}
+
+		templateValue = string(data)
+	}
+
+	p, err := printers.NewJSONPathPrinter(templateValue)
+	if err != nil {
+		return nil, fmt.Errorf("error parsing jsonpath %s, %v", templateValue, err)
+	}
+
+	allowMissingKeys := true
+	if f.AllowMissingKeys != nil {
+		allowMissingKeys = *f.AllowMissingKeys
+	}
+
+	p.AllowMissingKeys(allowMissingKeys)
+
+	if templateFormat == "jsonpath-as-json" {
+		p.EnableJSONOutput(true)
+	}
+
+	return p, nil
+}
+
+// AddFlags receives a *cobra.Command reference and binds
+// flags related to template printing to it
+func (f *JSONPathPrintFlags) AddFlags(c *cobra.Command) {
+	if f.TemplateArgument != nil {
+		c.Flags().StringVar(f.TemplateArgument, "template", *f.TemplateArgument, "Template string or path to template file to use when --output=jsonpath, --output=jsonpath-file.")
+		c.MarkFlagFilename("template")
+	}
+	if f.AllowMissingKeys != nil {
+		c.Flags().BoolVar(f.AllowMissingKeys, "allow-missing-template-keys", *f.AllowMissingKeys, "If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats.")
+	}
+}
+
+// NewJSONPathPrintFlags returns flags associated with
+// --template printing, with default values set.
+func NewJSONPathPrintFlags(templateValue string, allowMissingKeys bool) *JSONPathPrintFlags {
+	return &JSONPathPrintFlags{
+		TemplateArgument: &templateValue,
+		AllowMissingKeys: &allowMissingKeys,
+	}
+}
@@ -0,0 +1,94 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package genericclioptions
+
+import (
+	"github.com/spf13/cobra"
+
+	"k8s.io/cli-runtime/pkg/printers"
+)
+
+// KubeTemplatePrintFlags composes print flags that provide both a JSONPath and a go-template printer.
+// This is necessary if dealing with cases that require support both both printers, since both sets of flags
+// require overlapping flags.
+type KubeTemplatePrintFlags struct {
+	GoTemplatePrintFlags *GoTemplatePrintFlags
+	JSONPathPrintFlags   *JSONPathPrintFlags
+
+	AllowMissingKeys *bool
+	TemplateArgument *string
+}
+
+// AllowedFormats returns slice of string of allowed GoTemplete and JSONPathPrint printing formats
+func (f *KubeTemplatePrintFlags) AllowedFormats() []string {
+	if f == nil {
+		return []string{}
+	}
+	return append(f.GoTemplatePrintFlags.AllowedFormats(), f.JSONPathPrintFlags.AllowedFormats()...)
+}
+
+// ToPrinter receives an outputFormat and returns a printer capable of
+// handling --template printing.
+// Returns false if the specified outputFormat does not match a supported format.
+// Supported Format types can be found in pkg/printers/printers.go
+func (f *KubeTemplatePrintFlags) ToPrinter(outputFormat string) (printers.ResourcePrinter, error) {
+	if f == nil {
+		return nil, NoCompatiblePrinterError{}
+	}
+
+	if p, err := f.JSONPathPrintFlags.ToPrinter(outputFormat); !IsNoCompatiblePrinterError(err) {
+		return p, err
+	}
+	return f.GoTemplatePrintFlags.ToPrinter(outputFormat)
+}
+
+// AddFlags receives a *cobra.Command reference and binds
+// flags related to template printing to it
+func (f *KubeTemplatePrintFlags) AddFlags(c *cobra.Command) {
+	if f == nil {
+		return
+	}
+
+	if f.TemplateArgument != nil {
+		c.Flags().StringVar(f.TemplateArgument, "template", *f.TemplateArgument, "Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview].")
+		c.MarkFlagFilename("template")
+	}
+	if f.AllowMissingKeys != nil {
+		c.Flags().BoolVar(f.AllowMissingKeys, "allow-missing-template-keys", *f.AllowMissingKeys, "If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats.")
+	}
+}
+
+// NewKubeTemplatePrintFlags returns flags associated with
+// --template printing, with default values set.
+func NewKubeTemplatePrintFlags() *KubeTemplatePrintFlags {
+	allowMissingKeysPtr := true
+	templateArgPtr := ""
+
+	return &KubeTemplatePrintFlags{
+		GoTemplatePrintFlags: &GoTemplatePrintFlags{
+			TemplateArgument: &templateArgPtr,
+			AllowMissingKeys: &allowMissingKeysPtr,
+		},
+		JSONPathPrintFlags: &JSONPathPrintFlags{
+			TemplateArgument: &templateArgPtr,
+			AllowMissingKeys: &allowMissingKeysPtr,
+		},
+
+		TemplateArgument: &templateArgPtr,
+		AllowMissingKeys: &allowMissingKeysPtr,
+	}
+}
@@ -0,0 +1,83 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package genericclioptions
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/spf13/cobra"
+
+	"k8s.io/cli-runtime/pkg/printers"
+)
+
+// NamePrintFlags provides default flags necessary for printing
+// a resource's fully-qualified Kind.group/name, or a successful
+// message about that resource if an Operation is provided.
+type NamePrintFlags struct {
+	// Operation describes the name of the action that
+	// took place on an object, to be included in the
+	// finalized "successful" message.
+	Operation string
+}
+
+// Complete sets NamePrintFlags operation flag from successTemplate
+func (f *NamePrintFlags) Complete(successTemplate string) error {
+	f.Operation = fmt.Sprintf(successTemplate, f.Operation)
+	return nil
+}
+
+// AllowedFormats returns slice of string of allowed Name printing format
+func (f *NamePrintFlags) AllowedFormats() []string {
+	if f == nil {
+		return []string{}
+	}
+	return []string{"name"}
+}
+
+// ToPrinter receives an outputFormat and returns a printer capable of
+// handling --output=name printing.
+// Returns false if the specified outputFormat does not match a supported format.
+// Supported format types can be found in pkg/printers/printers.go
+func (f *NamePrintFlags) ToPrinter(outputFormat string) (printers.ResourcePrinter, error) {
+	namePrinter := &printers.NamePrinter{
+		Operation: f.Operation,
+	}
+
+	outputFormat = strings.ToLower(outputFormat)
+	switch outputFormat {
+	case "name":
+		namePrinter.ShortOutput = true
+		fallthrough
+	case "":
+		return namePrinter, nil
+	default:
+		return nil, NoCompatiblePrinterError{OutputFormat: &outputFormat, AllowedFormats: f.AllowedFormats()}
+	}
+}
+
+// AddFlags receives a *cobra.Command reference and binds
+// flags related to name printing to it
+func (f *NamePrintFlags) AddFlags(c *cobra.Command) {}
+
+// NewNamePrintFlags returns flags associated with
+// --name printing, with default values set.
+func NewNamePrintFlags(operation string) *NamePrintFlags {
+	return &NamePrintFlags{
+		Operation: operation,
+	}
+}
@@ -0,0 +1,171 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package genericclioptions
+
+import (
+	"fmt"
+	"sort"
+	"strings"
+
+	"github.com/spf13/cobra"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/cli-runtime/pkg/printers"
+)
+
+// NoCompatiblePrinterError is a struct that contains error information.
+// It will be constructed when a invalid printing format is provided
+type NoCompatiblePrinterError struct {
+	OutputFormat   *string
+	AllowedFormats []string
+	Options        interface{}
+}
+
+func (e NoCompatiblePrinterError) Error() string {
+	output := ""
+	if e.OutputFormat != nil {
+		output = *e.OutputFormat
+	}
+
+	sort.Strings(e.AllowedFormats)
+	return fmt.Sprintf("unable to match a printer suitable for the output format %q, allowed formats are: %s", output, strings.Join(e.AllowedFormats, ","))
+}
+
+// IsNoCompatiblePrinterError returns true if it is a not a compatible printer
+// otherwise it will return false
+func IsNoCompatiblePrinterError(err error) bool {
+	if err == nil {
+		return false
+	}
+
+	_, ok := err.(NoCompatiblePrinterError)
+	return ok
+}
+
+// PrintFlags composes common printer flag structs
+// used across all commands, and provides a method
+// of retrieving a known printer based on flag values provided.
+type PrintFlags struct {
+	JSONYamlPrintFlags   *JSONYamlPrintFlags
+	NamePrintFlags       *NamePrintFlags
+	TemplatePrinterFlags *KubeTemplatePrintFlags
+
+	TypeSetterPrinter *printers.TypeSetterPrinter
+
+	OutputFormat *string
+
+	// OutputFlagSpecified indicates whether the user specifically requested a certain kind of output.
+	// Using this function allows a sophisticated caller to change the flag binding logic if they so desire.
+	OutputFlagSpecified func() bool
+}
+
+// Complete sets NamePrintFlags operation flag from successTemplate
+func (f *PrintFlags) Complete(successTemplate string) error {
+	return f.NamePrintFlags.Complete(successTemplate)
+}
+
+// AllowedFormats returns slice of string of allowed JSONYaml/Name/Template printing format
+func (f *PrintFlags) AllowedFormats() []string {
+	ret := []string{}
+	ret = append(ret, f.JSONYamlPrintFlags.AllowedFormats()...)
+	ret = append(ret, f.NamePrintFlags.AllowedFormats()...)
+	ret = append(ret, f.TemplatePrinterFlags.AllowedFormats()...)
+	return ret
+}
+
+// ToPrinter returns a printer capable of
+// handling --output or --template printing.
+// Returns false if the specified outputFormat does not match a supported format.
+// Supported format types can be found in pkg/printers/printers.go
+func (f *PrintFlags) ToPrinter() (printers.ResourcePrinter, error) {
+	outputFormat := ""
+	if f.OutputFormat != nil {
+		outputFormat = *f.OutputFormat
+	}
+	// For backwards compatibility we want to support a --template argument given, even when no --output format is provided.
+	// If no explicit output format has been provided via the --output flag, fallback
+	// to honoring the --template argument.
+	templateFlagSpecified := f.TemplatePrinterFlags != nil &&
+		f.TemplatePrinterFlags.TemplateArgument != nil &&
+		len(*f.TemplatePrinterFlags.TemplateArgument) > 0
+	outputFlagSpecified := f.OutputFlagSpecified != nil && f.OutputFlagSpecified()
+	if templateFlagSpecified && !outputFlagSpecified {
+		outputFormat = "go-template"
+	}
+
+	if f.JSONYamlPrintFlags != nil {
+		if p, err := f.JSONYamlPrintFlags.ToPrinter(outputFormat); !IsNoCompatiblePrinterError(err) {
+			return f.TypeSetterPrinter.WrapToPrinter(p, err)
+		}
+	}
+
+	if f.NamePrintFlags != nil {
+		if p, err := f.NamePrintFlags.ToPrinter(outputFormat); !IsNoCompatiblePrinterError(err) {
+			return f.TypeSetterPrinter.WrapToPrinter(p, err)
+		}
+	}
+
+	if f.TemplatePrinterFlags != nil {
+		if p, err := f.TemplatePrinterFlags.ToPrinter(outputFormat); !IsNoCompatiblePrinterError(err) {
+			return f.TypeSetterPrinter.WrapToPrinter(p, err)
+		}
+	}
+
+	return nil, NoCompatiblePrinterError{OutputFormat: f.OutputFormat, AllowedFormats: f.AllowedFormats()}
+}
+
+// AddFlags receives a *cobra.Command reference and binds
+// flags related to JSON/Yaml/Name/Template printing to it
+func (f *PrintFlags) AddFlags(cmd *cobra.Command) {
+	f.JSONYamlPrintFlags.AddFlags(cmd)
+	f.NamePrintFlags.AddFlags(cmd)
+	f.TemplatePrinterFlags.AddFlags(cmd)
+
+	if f.OutputFormat != nil {
+		cmd.Flags().StringVarP(f.OutputFormat, "output", "o", *f.OutputFormat, fmt.Sprintf(`Output format. One of: (%s).`, strings.Join(f.AllowedFormats(), ", ")))
+		if f.OutputFlagSpecified == nil {
+			f.OutputFlagSpecified = func() bool {
+				return cmd.Flag("output").Changed
+			}
+		}
+	}
+}
+
+// WithDefaultOutput sets a default output format if one is not provided through a flag value
+func (f *PrintFlags) WithDefaultOutput(output string) *PrintFlags {
+	f.OutputFormat = &output
+	return f
+}
+
+// WithTypeSetter sets a wrapper than will surround the returned printer with a printer to type resources
+func (f *PrintFlags) WithTypeSetter(scheme *runtime.Scheme) *PrintFlags {
+	f.TypeSetterPrinter = printers.NewTypeSetter(scheme)
+	return f
+}
+
+// NewPrintFlags returns a default *PrintFlags
+func NewPrintFlags(operation string) *PrintFlags {
+	outputFormat := ""
+
+	return &PrintFlags{
+		OutputFormat: &outputFormat,
+
+		JSONYamlPrintFlags:   NewJSONYamlPrintFlags(),
+		NamePrintFlags:       NewNamePrintFlags(operation),
+		TemplatePrinterFlags: NewKubeTemplatePrintFlags(),
+	}
+}
@@ -0,0 +1,201 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package genericclioptions
+
+import (
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/spf13/cobra"
+	"github.com/spf13/pflag"
+	jsonpatch "gopkg.in/evanphx/json-patch.v4"
+
+	"k8s.io/apimachinery/pkg/api/meta"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/util/json"
+)
+
+// ChangeCauseAnnotation is the annotation indicating a guess at "why" something was changed
+const ChangeCauseAnnotation = "kubernetes.io/change-cause"
+
+// RecordFlags contains all flags associated with the "--record" operation
+type RecordFlags struct {
+	// Record indicates the state of the recording flag.  It is a pointer so a caller can opt out or rebind
+	Record *bool
+
+	changeCause string
+}
+
+// ToRecorder returns a ChangeCause recorder if --record=false was not
+// explicitly given by the user
+func (f *RecordFlags) ToRecorder() (Recorder, error) {
+	if f == nil {
+		return NoopRecorder{}, nil
+	}
+
+	shouldRecord := false
+	if f.Record != nil {
+		shouldRecord = *f.Record
+	}
+
+	// if flag was explicitly set to false by the user,
+	// do not record
+	if !shouldRecord {
+		return NoopRecorder{}, nil
+	}
+
+	return &ChangeCauseRecorder{
+		changeCause: f.changeCause,
+	}, nil
+}
+
+// Complete is called before the command is run, but after it is invoked to finish the state of the struct before use.
+func (f *RecordFlags) Complete(cmd *cobra.Command) error {
+	if f == nil {
+		return nil
+	}
+
+	f.changeCause = parseCommandArguments(cmd)
+	return nil
+}
+
+// CompleteWithChangeCause alters changeCause value with a new cause
+func (f *RecordFlags) CompleteWithChangeCause(cause string) error {
+	if f == nil {
+		return nil
+	}
+
+	f.changeCause = cause
+	return nil
+}
+
+// AddFlags binds the requested flags to the provided flagset
+// TODO have this only take a flagset
+func (f *RecordFlags) AddFlags(cmd *cobra.Command) {
+	if f == nil {
+		return
+	}
+
+	if f.Record != nil {
+		cmd.Flags().BoolVar(f.Record, "record", *f.Record, "Record current kubectl command in the resource annotation. If set to false, do not record the command. If set to true, record the command. If not set, default to updating the existing annotation value only if one already exists.")
+		cmd.Flags().MarkDeprecated("record", "--record will be removed in the future")
+	}
+}
+
+// NewRecordFlags provides a RecordFlags with reasonable default values set for use
+func NewRecordFlags() *RecordFlags {
+	record := false
+
+	return &RecordFlags{
+		Record: &record,
+	}
+}
+
+// Recorder is used to record why a runtime.Object was changed in an annotation.
+type Recorder interface {
+	// Record records why a runtime.Object was changed in an annotation.
+	Record(runtime.Object) error
+	MakeRecordMergePatch(runtime.Object) ([]byte, error)
+}
+
+// NoopRecorder does nothing.  It is a "do nothing" that can be returned so code doesn't switch on it.
+type NoopRecorder struct{}
+
+// Record implements Recorder
+func (r NoopRecorder) Record(obj runtime.Object) error {
+	return nil
+}
+
+// MakeRecordMergePatch implements Recorder
+func (r NoopRecorder) MakeRecordMergePatch(obj runtime.Object) ([]byte, error) {
+	return nil, nil
+}
+
+// ChangeCauseRecorder annotates a "change-cause" to an input runtime object
+type ChangeCauseRecorder struct {
+	changeCause string
+}
+
+// Record annotates a "change-cause" to a given info if either "shouldRecord" is true,
+// or the resource info previously contained a "change-cause" annotation.
+func (r *ChangeCauseRecorder) Record(obj runtime.Object) error {
+	accessor, err := meta.Accessor(obj)
+	if err != nil {
+		return err
+	}
+	annotations := accessor.GetAnnotations()
+	if annotations == nil {
+		annotations = make(map[string]string)
+	}
+	annotations[ChangeCauseAnnotation] = r.changeCause
+	accessor.SetAnnotations(annotations)
+	return nil
+}
+
+// MakeRecordMergePatch produces a merge patch for updating the recording annotation.
+func (r *ChangeCauseRecorder) MakeRecordMergePatch(obj runtime.Object) ([]byte, error) {
+	// copy so we don't mess with the original
+	objCopy := obj.DeepCopyObject()
+	if err := r.Record(objCopy); err != nil {
+		return nil, err
+	}
+
+	oldData, err := json.Marshal(obj)
+	if err != nil {
+		return nil, err
+	}
+	newData, err := json.Marshal(objCopy)
+	if err != nil {
+		return nil, err
+	}
+
+	return jsonpatch.CreateMergePatch(oldData, newData)
+}
+
+// parseCommandArguments will stringify and return all environment arguments ie. a command run by a client
+// using the factory.
+// Set showSecrets false to filter out stuff like secrets.
+func parseCommandArguments(cmd *cobra.Command) string {
+	if len(os.Args) == 0 {
+		return ""
+	}
+
+	flags := ""
+	parseFunc := func(flag *pflag.Flag, value string) error {
+		flags = flags + " --" + flag.Name
+		if set, ok := flag.Annotations["classified"]; !ok || len(set) == 0 {
+			flags = flags + "=" + value
+		} else {
+			flags = flags + "=CLASSIFIED"
+		}
+		return nil
+	}
+	var err error
+	err = cmd.Flags().ParseAll(os.Args[1:], parseFunc)
+	if err != nil || !cmd.Flags().Parsed() {
+		return ""
+	}
+
+	args := ""
+	if arguments := cmd.Flags().Args(); len(arguments) > 0 {
+		args = " " + strings.Join(arguments, " ")
+	}
+
+	base := filepath.Base(os.Args[0])
+	return base + args + flags
+}
@@ -0,0 +1,136 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package genericclioptions
+
+import (
+	"fmt"
+	"os"
+	"sort"
+	"strings"
+
+	"github.com/spf13/cobra"
+
+	"k8s.io/cli-runtime/pkg/printers"
+)
+
+// templates are logically optional for specifying a format.
+// this allows a user to specify a template format value
+// as --output=go-template=
+var templateFormats = map[string]bool{
+	"template":         true,
+	"go-template":      true,
+	"go-template-file": true,
+	"templatefile":     true,
+}
+
+// GoTemplatePrintFlags provides default flags necessary for template printing.
+// Given the following flag values, a printer can be requested that knows
+// how to handle printing based on these values.
+type GoTemplatePrintFlags struct {
+	// indicates if it is OK to ignore missing keys for rendering
+	// an output template.
+	AllowMissingKeys *bool
+	TemplateArgument *string
+}
+
+// AllowedFormats returns slice of string of allowed GoTemplatePrint printing format
+func (f *GoTemplatePrintFlags) AllowedFormats() []string {
+	formats := make([]string, 0, len(templateFormats))
+	for format := range templateFormats {
+		formats = append(formats, format)
+	}
+	sort.Strings(formats)
+	return formats
+}
+
+// ToPrinter receives an templateFormat and returns a printer capable of
+// handling --template format printing.
+// Returns false if the specified templateFormat does not match a template format.
+func (f *GoTemplatePrintFlags) ToPrinter(templateFormat string) (printers.ResourcePrinter, error) {
+	if (f.TemplateArgument == nil || len(*f.TemplateArgument) == 0) && len(templateFormat) == 0 {
+		return nil, NoCompatiblePrinterError{Options: f, OutputFormat: &templateFormat}
+	}
+
+	templateValue := ""
+
+	if f.TemplateArgument == nil || len(*f.TemplateArgument) == 0 {
+		for format := range templateFormats {
+			format = format + "="
+			if strings.HasPrefix(templateFormat, format) {
+				templateValue = templateFormat[len(format):]
+				templateFormat = format[:len(format)-1]
+				break
+			}
+		}
+	} else {
+		templateValue = *f.TemplateArgument
+	}
+
+	if _, supportedFormat := templateFormats[templateFormat]; !supportedFormat {
+		return nil, NoCompatiblePrinterError{OutputFormat: &templateFormat, AllowedFormats: f.AllowedFormats()}
+	}
+
+	if len(templateValue) == 0 {
+		return nil, fmt.Errorf("template format specified but no template given")
+	}
+
+	if templateFormat == "templatefile" || templateFormat == "go-template-file" {
+		data, err := os.ReadFile(templateValue)
+		if err != nil {
+			return nil, fmt.Errorf("error reading --template %s, %v", templateValue, err)
+		}
+
+		templateValue = string(data)
+	}
+
+	p, err := printers.NewGoTemplatePrinter([]byte(templateValue))
+	if err != nil {
+		return nil, fmt.Errorf("error parsing template %s, %v", templateValue, err)
+	}
+
+	allowMissingKeys := true
+	if f.AllowMissingKeys != nil {
+		allowMissingKeys = *f.AllowMissingKeys
+	}
+
+	p.AllowMissingKeys(allowMissingKeys)
+	return p, nil
+}
+
+// AddFlags receives a *cobra.Command reference and binds
+// flags related to template printing to it
+func (f *GoTemplatePrintFlags) AddFlags(c *cobra.Command) {
+	if f.TemplateArgument != nil {
+		c.Flags().StringVar(f.TemplateArgument, "template", *f.TemplateArgument, "Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview].")
+		c.MarkFlagFilename("template")
+	}
+	if f.AllowMissingKeys != nil {
+		c.Flags().BoolVar(f.AllowMissingKeys, "allow-missing-template-keys", *f.AllowMissingKeys, "If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats.")
+	}
+}
+
+// NewGoTemplatePrintFlags returns flags associated with
+// --template printing, with default values set.
+func NewGoTemplatePrintFlags() *GoTemplatePrintFlags {
+	allowMissingKeysPtr := true
+	templateValuePtr := ""
+
+	return &GoTemplatePrintFlags{
+		TemplateArgument: &templateValuePtr,
+		AllowMissingKeys: &allowMissingKeysPtr,
+	}
+}
@@ -0,0 +1,56 @@
+/*
+Copyright 2023 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package genericiooptions
+
+import (
+	"bytes"
+	"io"
+)
+
+// IOStreams provides the standard names for iostreams.  This is useful for embedding and for unit testing.
+// Inconsistent and different names make it hard to read and review code
+type IOStreams struct {
+	// In think, os.Stdin
+	In io.Reader
+	// Out think, os.Stdout
+	Out io.Writer
+	// ErrOut think, os.Stderr
+	ErrOut io.Writer
+}
+
+// NewTestIOStreams returns a valid IOStreams and in, out, errout buffers for unit tests
+func NewTestIOStreams() (IOStreams, *bytes.Buffer, *bytes.Buffer, *bytes.Buffer) {
+	in := &bytes.Buffer{}
+	out := &bytes.Buffer{}
+	errOut := &bytes.Buffer{}
+
+	return IOStreams{
+		In:     in,
+		Out:    out,
+		ErrOut: errOut,
+	}, in, out, errOut
+}
+
+// NewTestIOStreamsDiscard returns a valid IOStreams that just discards
+func NewTestIOStreamsDiscard() IOStreams {
+	in := &bytes.Buffer{}
+	return IOStreams{
+		In:     in,
+		Out:    io.Discard,
+		ErrOut: io.Discard,
+	}
+}
@@ -0,0 +1,30 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package printers
+
+import (
+	"io"
+
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+// NewDiscardingPrinter is a printer that discards all objects
+func NewDiscardingPrinter() ResourcePrinterFunc {
+	return ResourcePrinterFunc(func(runtime.Object, io.Writer) error {
+		return nil
+	})
+}
@@ -0,0 +1,19 @@
+/*
+Copyright 2019 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package printers is helper for formatting and printing runtime objects into
+// primitives io.writer.
+package printers
@@ -0,0 +1,54 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package printers
+
+import (
+	"io"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+// ResourcePrinterFunc is a function that can print objects
+type ResourcePrinterFunc func(runtime.Object, io.Writer) error
+
+// PrintObj implements ResourcePrinter
+func (fn ResourcePrinterFunc) PrintObj(obj runtime.Object, w io.Writer) error {
+	return fn(obj, w)
+}
+
+// ResourcePrinter is an interface that knows how to print runtime objects.
+type ResourcePrinter interface {
+	// PrintObj receives a runtime object, formats it and prints it to a writer.
+	PrintObj(runtime.Object, io.Writer) error
+}
+
+// PrintOptions struct defines a struct for various print options
+type PrintOptions struct {
+	NoHeaders     bool
+	WithNamespace bool
+	WithKind      bool
+	Wide          bool
+	ShowLabels    bool
+	Kind          schema.GroupKind
+	ColumnLabels  []string
+
+	SortBy string
+
+	// indicates if it is OK to ignore missing keys for rendering an output template.
+	AllowMissingKeys bool
+}
@@ -0,0 +1,80 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package printers
+
+import (
+	"bytes"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"reflect"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+// JSONPrinter is an implementation of ResourcePrinter which outputs an object as JSON.
+type JSONPrinter struct{}
+
+// PrintObj is an implementation of ResourcePrinter.PrintObj which simply writes the object to the Writer.
+func (p *JSONPrinter) PrintObj(obj runtime.Object, w io.Writer) error {
+	// we use reflect.Indirect here in order to obtain the actual value from a pointer.
+	// we need an actual value in order to retrieve the package path for an object.
+	// using reflect.Indirect indiscriminately is valid here, as all runtime.Objects are supposed to be pointers.
+	if InternalObjectPreventer.IsForbidden(reflect.Indirect(reflect.ValueOf(obj)).Type().PkgPath()) {
+		return errors.New(InternalObjectPrinterErr)
+	}
+
+	switch obj := obj.(type) {
+	case *metav1.WatchEvent:
+		if InternalObjectPreventer.IsForbidden(reflect.Indirect(reflect.ValueOf(obj.Object.Object)).Type().PkgPath()) {
+			return errors.New(InternalObjectPrinterErr)
+		}
+		data, err := json.Marshal(obj)
+		if err != nil {
+			return err
+		}
+		_, err = w.Write(data)
+		if err != nil {
+			return err
+		}
+		_, err = w.Write([]byte{'\n'})
+		return err
+	case *runtime.Unknown:
+		var buf bytes.Buffer
+		err := json.Indent(&buf, obj.Raw, "", "    ")
+		if err != nil {
+			return err
+		}
+		buf.WriteRune('\n')
+		_, err = buf.WriteTo(w)
+		return err
+	}
+
+	if obj.GetObjectKind().GroupVersionKind().Empty() {
+		return fmt.Errorf("missing apiVersion or kind; try GetObjectKind().SetGroupVersionKind() if you know the type")
+	}
+
+	data, err := json.MarshalIndent(obj, "", "    ")
+	if err != nil {
+		return err
+	}
+	data = append(data, '\n')
+	_, err = w.Write(data)
+	return err
+}
@@ -0,0 +1,148 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package printers
+
+import (
+	"bytes"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"reflect"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/client-go/util/jsonpath"
+)
+
+// exists returns true if it would be possible to call the index function
+// with these arguments.
+//
+// TODO: how to document this for users?
+//
+// index returns the result of indexing its first argument by the following
+// arguments.  Thus "index x 1 2 3" is, in Go syntax, x[1][2][3]. Each
+// indexed item must be a map, slice, or array.
+func exists(item interface{}, indices ...interface{}) bool {
+	v := reflect.ValueOf(item)
+	for _, i := range indices {
+		index := reflect.ValueOf(i)
+		var isNil bool
+		if v, isNil = indirect(v); isNil {
+			return false
+		}
+		switch v.Kind() {
+		case reflect.Array, reflect.Slice, reflect.String:
+			var x int64
+			switch index.Kind() {
+			case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:
+				x = index.Int()
+			case reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64, reflect.Uintptr:
+				x = int64(index.Uint())
+			default:
+				return false
+			}
+			if x < 0 || x >= int64(v.Len()) {
+				return false
+			}
+			v = v.Index(int(x))
+		case reflect.Map:
+			if !index.IsValid() {
+				index = reflect.Zero(v.Type().Key())
+			}
+			if !index.Type().AssignableTo(v.Type().Key()) {
+				return false
+			}
+			if x := v.MapIndex(index); x.IsValid() {
+				v = x
+			} else {
+				v = reflect.Zero(v.Type().Elem())
+			}
+		default:
+			return false
+		}
+	}
+	if _, isNil := indirect(v); isNil {
+		return false
+	}
+	return true
+}
+
+// stolen from text/template
+// indirect returns the item at the end of indirection, and a bool to indicate if it's nil.
+// We indirect through pointers and empty interfaces (only) because
+// non-empty interfaces have methods we might need.
+func indirect(v reflect.Value) (rv reflect.Value, isNil bool) {
+	for ; v.Kind() == reflect.Pointer || v.Kind() == reflect.Interface; v = v.Elem() {
+		if v.IsNil() {
+			return v, true
+		}
+		if v.Kind() == reflect.Interface && v.NumMethod() > 0 {
+			break
+		}
+	}
+	return v, false
+}
+
+// JSONPathPrinter is an implementation of ResourcePrinter which formats data with jsonpath expression.
+type JSONPathPrinter struct {
+	rawTemplate string
+	*jsonpath.JSONPath
+}
+
+func NewJSONPathPrinter(tmpl string) (*JSONPathPrinter, error) {
+	j := jsonpath.New("out")
+	if err := j.Parse(tmpl); err != nil {
+		return nil, err
+	}
+	return &JSONPathPrinter{
+		rawTemplate: tmpl,
+		JSONPath:    j,
+	}, nil
+}
+
+// PrintObj formats the obj with the JSONPath Template.
+func (j *JSONPathPrinter) PrintObj(obj runtime.Object, w io.Writer) error {
+	// we use reflect.Indirect here in order to obtain the actual value from a pointer.
+	// we need an actual value in order to retrieve the package path for an object.
+	// using reflect.Indirect indiscriminately is valid here, as all runtime.Objects are supposed to be pointers.
+	if InternalObjectPreventer.IsForbidden(reflect.Indirect(reflect.ValueOf(obj)).Type().PkgPath()) {
+		return errors.New(InternalObjectPrinterErr)
+	}
+
+	var queryObj interface{} = obj
+	if unstructured, ok := obj.(runtime.Unstructured); ok {
+		queryObj = unstructured.UnstructuredContent()
+	} else {
+		data, err := json.Marshal(obj)
+		if err != nil {
+			return err
+		}
+		queryObj = map[string]interface{}{}
+		if err := json.Unmarshal(data, &queryObj); err != nil {
+			return err
+		}
+	}
+
+	if err := j.JSONPath.Execute(w, queryObj); err != nil {
+		buf := bytes.NewBuffer(nil)
+		fmt.Fprintf(buf, "Error executing template: %v. Printing more information for debugging the template:\n", err)
+		fmt.Fprintf(buf, "\ttemplate was:\n\t\t%v\n", j.rawTemplate)
+		fmt.Fprintf(buf, "\tobject given to jsonpath engine was:\n\t\t%#v\n\n", queryObj)
+		return fmt.Errorf("error executing jsonpath %q: %v\n", j.rawTemplate, buf.String())
+	}
+	return nil
+}
@@ -0,0 +1,66 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// package kyaml provides a printer for Kubernetes objects that formats them
+// as KYAML, a strict subset of YAML that is designed to be explicit and
+// unambiguous.  KYAML is YAML.
+package printers
+
+import (
+	"bytes"
+	"errors"
+	"fmt"
+	"io"
+	"reflect"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"sigs.k8s.io/yaml/kyaml"
+)
+
+// KYAMLPrinter is an implementation of ResourcePrinter which formats data into
+// a specific dialect of YAML, known as KYAML. KYAML is halfway between YAML
+// and JSON, but is a strict subset of YAML, and so it should should be
+// readable by any YAML parser. It is designed to be explicit and unambiguous,
+// and eschews significant whitespace.
+type KYAMLPrinter struct {
+	encoder kyaml.Encoder
+}
+
+// PrintObj prints the data as KYAML to the specified writer.
+func (p *KYAMLPrinter) PrintObj(obj runtime.Object, w io.Writer) error {
+	// We use reflect.Indirect here in order to obtain the actual value from a pointer.
+	// We need an actual value in order to retrieve the package path for an object.
+	// Using reflect.Indirect indiscriminately is valid here, as all runtime.Objects are supposed to be pointers.
+	if InternalObjectPreventer.IsForbidden(reflect.Indirect(reflect.ValueOf(obj)).Type().PkgPath()) {
+		return errors.New(InternalObjectPrinterErr)
+	}
+
+	switch obj := obj.(type) {
+	case *metav1.WatchEvent:
+		if InternalObjectPreventer.IsForbidden(reflect.Indirect(reflect.ValueOf(obj.Object.Object)).Type().PkgPath()) {
+			return errors.New(InternalObjectPrinterErr)
+		}
+	case *runtime.Unknown:
+		return p.encoder.FromYAML(bytes.NewReader(obj.Raw), w)
+	}
+
+	if obj.GetObjectKind().GroupVersionKind().Empty() {
+		return fmt.Errorf("missing apiVersion or kind; try GetObjectKind().SetGroupVersionKind() if you know the type")
+	}
+
+	return p.encoder.FromObject(obj, w)
+}
@@ -0,0 +1,59 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package printers
+
+import (
+	"io"
+
+	"k8s.io/apimachinery/pkg/api/meta"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+// OmitManagedFieldsPrinter wraps an existing printer and omits the managed fields from the object
+// before printing it.
+type OmitManagedFieldsPrinter struct {
+	Delegate ResourcePrinter
+}
+
+var _ ResourcePrinter = (*OmitManagedFieldsPrinter)(nil)
+
+func omitManagedFields(o runtime.Object) runtime.Object {
+	a, err := meta.Accessor(o)
+	if err != nil {
+		// The object is not a `metav1.Object`, ignore it.
+		return o
+	}
+	a.SetManagedFields(nil)
+	return o
+}
+
+// PrintObj copies the object and omits the managed fields from the copied object before printing it.
+func (p *OmitManagedFieldsPrinter) PrintObj(obj runtime.Object, w io.Writer) error {
+	if obj == nil {
+		return p.Delegate.PrintObj(obj, w)
+	}
+	if meta.IsListType(obj) {
+		obj = obj.DeepCopyObject()
+		_ = meta.EachListItem(obj, func(item runtime.Object) error {
+			omitManagedFields(item)
+			return nil
+		})
+	} else if _, err := meta.Accessor(obj); err == nil {
+		obj = omitManagedFields(obj.DeepCopyObject())
+	}
+	return p.Delegate.PrintObj(obj, w)
+}
@@ -0,0 +1,131 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package printers
+
+import (
+	"errors"
+	"fmt"
+	"io"
+	"reflect"
+	"strings"
+
+	"k8s.io/apimachinery/pkg/api/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+// NamePrinter is an implementation of ResourcePrinter which outputs "resource/name" pair of an object.
+type NamePrinter struct {
+	// ShortOutput indicates whether an operation should be
+	// printed along side the "resource/name" pair for an object.
+	ShortOutput bool
+	// Operation describes the name of the action that
+	// took place on an object, to be included in the
+	// finalized "successful" message.
+	Operation string
+}
+
+// PrintObj is an implementation of ResourcePrinter.PrintObj which decodes the object
+// and print "resource/name" pair. If the object is a List, print all items in it.
+func (p *NamePrinter) PrintObj(obj runtime.Object, w io.Writer) error {
+	switch castObj := obj.(type) {
+	case *metav1.WatchEvent:
+		obj = castObj.Object.Object
+	}
+
+	// we use reflect.Indirect here in order to obtain the actual value from a pointer.
+	// using reflect.Indirect indiscriminately is valid here, as all runtime.Objects are supposed to be pointers.
+	// we need an actual value in order to retrieve the package path for an object.
+	if InternalObjectPreventer.IsForbidden(reflect.Indirect(reflect.ValueOf(obj)).Type().PkgPath()) {
+		return errors.New(InternalObjectPrinterErr)
+	}
+
+	if meta.IsListType(obj) {
+		// we allow unstructured lists for now because they always contain the GVK information.  We should chase down
+		// callers and stop them from passing unflattened lists
+		// TODO chase the caller that is setting this and remove it.
+		if _, ok := obj.(*unstructured.UnstructuredList); !ok {
+			return fmt.Errorf("list types are not supported by name printing: %T", obj)
+		}
+
+		items, err := meta.ExtractList(obj)
+		if err != nil {
+			return err
+		}
+		for _, obj := range items {
+			if err := p.PrintObj(obj, w); err != nil {
+				return err
+			}
+		}
+		return nil
+	}
+
+	if obj.GetObjectKind().GroupVersionKind().Empty() {
+		return fmt.Errorf("missing apiVersion or kind; try GetObjectKind().SetGroupVersionKind() if you know the type")
+	}
+
+	name := "<unknown>"
+	if acc, err := meta.Accessor(obj); err == nil {
+		if n := acc.GetName(); len(n) > 0 {
+			name = n
+		}
+	}
+
+	return printObj(w, name, p.Operation, p.ShortOutput, GetObjectGroupKind(obj))
+}
+
+func GetObjectGroupKind(obj runtime.Object) schema.GroupKind {
+	if obj == nil {
+		return schema.GroupKind{Kind: "<unknown>"}
+	}
+	groupVersionKind := obj.GetObjectKind().GroupVersionKind()
+	if len(groupVersionKind.Kind) > 0 {
+		return groupVersionKind.GroupKind()
+	}
+
+	if uns, ok := obj.(*unstructured.Unstructured); ok {
+		if len(uns.GroupVersionKind().Kind) > 0 {
+			return uns.GroupVersionKind().GroupKind()
+		}
+	}
+
+	return schema.GroupKind{Kind: "<unknown>"}
+}
+
+func printObj(w io.Writer, name string, operation string, shortOutput bool, groupKind schema.GroupKind) error {
+	if len(groupKind.Kind) == 0 {
+		return fmt.Errorf("missing kind for resource with name %v", name)
+	}
+
+	if len(operation) > 0 {
+		operation = " " + operation
+	}
+
+	if shortOutput {
+		operation = ""
+	}
+
+	if len(groupKind.Group) == 0 {
+		fmt.Fprintf(w, "%s/%s%s\n", strings.ToLower(groupKind.Kind), name, operation)
+		return nil
+	}
+
+	fmt.Fprintf(w, "%s.%s/%s%s\n", strings.ToLower(groupKind.Kind), groupKind.Group, name, operation)
+	return nil
+}
@@ -0,0 +1,60 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package printers
+
+import (
+	"strings"
+)
+
+var (
+	InternalObjectPrinterErr = "a versioned object must be passed to a printer"
+
+	// disallowedPackagePrefixes contains regular expression templates
+	// for object package paths that are not allowed by printers.
+	disallowedPackagePrefixes = []string{
+		"k8s.io/kubernetes/pkg/apis/",
+	}
+)
+
+var InternalObjectPreventer = &illegalPackageSourceChecker{disallowedPackagePrefixes}
+
+func IsInternalObjectError(err error) bool {
+	if err == nil {
+		return false
+	}
+
+	return err.Error() == InternalObjectPrinterErr
+}
+
+// illegalPackageSourceChecker compares a given
+// object's package path, and determines if the
+// object originates from a disallowed source.
+type illegalPackageSourceChecker struct {
+	// disallowedPrefixes is a slice of disallowed package path
+	// prefixes for a given runtime.Object that we are printing.
+	disallowedPrefixes []string
+}
+
+func (c *illegalPackageSourceChecker) IsForbidden(pkgPath string) bool {
+	for _, forbiddenPrefix := range c.disallowedPrefixes {
+		if strings.HasPrefix(pkgPath, forbiddenPrefix) || strings.Contains(pkgPath, "/vendor/"+forbiddenPrefix) {
+			return true
+		}
+	}
+
+	return false
+}
@@ -0,0 +1,589 @@
+/*
+Copyright 2019 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package printers
+
+import (
+	"fmt"
+	"io"
+	"reflect"
+	"strings"
+	"time"
+
+	"github.com/liggitt/tabwriter"
+	"k8s.io/apimachinery/pkg/api/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/util/duration"
+	"k8s.io/apimachinery/pkg/watch"
+)
+
+var _ ResourcePrinter = &HumanReadablePrinter{}
+
+type printHandler struct {
+	columnDefinitions []metav1.TableColumnDefinition
+	printFunc         reflect.Value
+}
+
+var (
+	statusHandlerEntry = &printHandler{
+		columnDefinitions: statusColumnDefinitions,
+		printFunc:         reflect.ValueOf(printStatus),
+	}
+
+	statusColumnDefinitions = []metav1.TableColumnDefinition{
+		{Name: "Status", Type: "string"},
+		{Name: "Reason", Type: "string"},
+		{Name: "Message", Type: "string"},
+	}
+
+	defaultHandlerEntry = &printHandler{
+		columnDefinitions: objectMetaColumnDefinitions,
+		printFunc:         reflect.ValueOf(printObjectMeta),
+	}
+
+	objectMetaColumnDefinitions = []metav1.TableColumnDefinition{
+		{Name: "Name", Type: "string", Format: "name", Description: metav1.ObjectMeta{}.SwaggerDoc()["name"]},
+		{Name: "Age", Type: "string", Description: metav1.ObjectMeta{}.SwaggerDoc()["creationTimestamp"]},
+	}
+
+	withEventTypePrefixColumns = []string{"EVENT"}
+	withNamespacePrefixColumns = []string{"NAMESPACE"} // TODO(erictune): print cluster name too.
+)
+
+// HumanReadablePrinter is an implementation of ResourcePrinter which attempts to provide
+// more elegant output. It is not threadsafe, but you may call PrintObj repeatedly; headers
+// will only be printed if the object type changes. This makes it useful for printing items
+// received from watches.
+type HumanReadablePrinter struct {
+	options        PrintOptions
+	lastType       interface{}
+	lastColumns    []metav1.TableColumnDefinition
+	printedHeaders bool
+}
+
+// NewTablePrinter creates a printer suitable for calling PrintObj().
+func NewTablePrinter(options PrintOptions) ResourcePrinter {
+	printer := &HumanReadablePrinter{
+		options: options,
+	}
+	return printer
+}
+
+func printHeader(columnNames []string, w io.Writer) error {
+	if _, err := fmt.Fprintf(w, "%s\n", strings.Join(columnNames, "\t")); err != nil {
+		return err
+	}
+	return nil
+}
+
+// PrintObj prints the obj in a human-friendly format according to the type of the obj.
+func (h *HumanReadablePrinter) PrintObj(obj runtime.Object, output io.Writer) error {
+
+	if _, found := output.(*tabwriter.Writer); !found {
+		w := GetNewTabWriter(output)
+		output = w
+		defer w.Flush()
+	}
+
+	var eventType string
+	if event, isEvent := obj.(*metav1.WatchEvent); isEvent {
+		eventType = event.Type
+		obj = event.Object.Object
+	}
+
+	// Parameter "obj" is a table from server; print it.
+	// display tables following the rules of options
+	if table, ok := obj.(*metav1.Table); ok {
+		// Do not print headers if this table has no column definitions, or they are the same as the last ones we printed
+		localOptions := h.options
+		if h.printedHeaders && (len(table.ColumnDefinitions) == 0 || reflect.DeepEqual(table.ColumnDefinitions, h.lastColumns)) {
+			localOptions.NoHeaders = true
+		}
+
+		if len(table.ColumnDefinitions) == 0 {
+			// If this table has no column definitions, use the columns from the last table we printed for decoration and layout.
+			// This is done when receiving tables in watch events to save bandwidth.
+			table.ColumnDefinitions = h.lastColumns
+		} else if !reflect.DeepEqual(table.ColumnDefinitions, h.lastColumns) {
+			// If this table has column definitions, remember them for future use.
+			h.lastColumns = table.ColumnDefinitions
+			h.printedHeaders = false
+		}
+
+		if len(table.Rows) > 0 {
+			h.printedHeaders = true
+		}
+
+		if err := decorateTable(table, localOptions); err != nil {
+			return err
+		}
+		if len(eventType) > 0 {
+			if err := addColumns(beginning, table,
+				[]metav1.TableColumnDefinition{{Name: "Event", Type: "string"}},
+				[]cellValueFunc{func(metav1.TableRow) (interface{}, error) { return formatEventType(eventType), nil }},
+			); err != nil {
+				return err
+			}
+		}
+		return printTable(table, output, localOptions)
+	}
+
+	// Could not find print handler for "obj"; use the default or status print handler.
+	// Print with the default or status handler, and use the columns from the last time
+	var handler *printHandler
+	if _, isStatus := obj.(*metav1.Status); isStatus {
+		handler = statusHandlerEntry
+	} else {
+		handler = defaultHandlerEntry
+	}
+
+	includeHeaders := h.lastType != handler && !h.options.NoHeaders
+
+	if h.lastType != nil && h.lastType != handler && !h.options.NoHeaders {
+		fmt.Fprintln(output)
+	}
+
+	if err := printRowsForHandlerEntry(output, handler, eventType, obj, h.options, includeHeaders); err != nil {
+		return err
+	}
+	h.lastType = handler
+
+	return nil
+}
+
+// printTable prints a table to the provided output respecting the filtering rules for options
+// for wide columns and filtered rows. It filters out rows that are Completed. You should call
+// decorateTable if you receive a table from a remote server before calling printTable.
+func printTable(table *metav1.Table, output io.Writer, options PrintOptions) error {
+	if !options.NoHeaders {
+		// avoid printing headers if we have no rows to display
+		if len(table.Rows) == 0 {
+			return nil
+		}
+
+		first := true
+		for _, column := range table.ColumnDefinitions {
+			if !options.Wide && column.Priority != 0 {
+				continue
+			}
+			if first {
+				first = false
+			} else {
+				fmt.Fprint(output, "\t")
+			}
+			fmt.Fprint(output, strings.ToUpper(column.Name))
+		}
+		fmt.Fprintln(output)
+	}
+	for _, row := range table.Rows {
+		first := true
+		for i, cell := range row.Cells {
+			if i >= len(table.ColumnDefinitions) {
+				// https://issue.k8s.io/66379
+				// don't panic in case of bad output from the server, with more cells than column definitions
+				break
+			}
+			column := table.ColumnDefinitions[i]
+			if !options.Wide && column.Priority != 0 {
+				continue
+			}
+			if first {
+				first = false
+			} else {
+				fmt.Fprint(output, "\t")
+			}
+			if cell != nil {
+				switch val := cell.(type) {
+				case string:
+					print := val
+					truncated := false
+					// Truncate at the first newline, carriage return or formfeed
+					// (treated as a newline by tabwriter).
+					breakchar := strings.IndexAny(print, "\f\n\r")
+					if breakchar >= 0 {
+						truncated = true
+						print = print[:breakchar]
+					}
+					WriteEscaped(output, print)
+					if truncated {
+						fmt.Fprint(output, "...")
+					}
+				default:
+					WriteEscaped(output, fmt.Sprint(val))
+				}
+			}
+		}
+		fmt.Fprintln(output)
+	}
+	return nil
+}
+
+type cellValueFunc func(metav1.TableRow) (interface{}, error)
+
+type columnAddPosition int
+
+const (
+	beginning columnAddPosition = 1
+	end       columnAddPosition = 2
+)
+
+func addColumns(pos columnAddPosition, table *metav1.Table, columns []metav1.TableColumnDefinition, valueFuncs []cellValueFunc) error {
+	if len(columns) != len(valueFuncs) {
+		return fmt.Errorf("cannot prepend columns, unmatched value functions")
+	}
+	if len(columns) == 0 {
+		return nil
+	}
+
+	// Compute the new rows
+	newRows := make([][]interface{}, len(table.Rows))
+	for i := range table.Rows {
+		newCells := make([]interface{}, 0, len(columns)+len(table.Rows[i].Cells))
+
+		if pos == end {
+			// If we're appending, start with the existing cells,
+			// then add nil cells to match the number of columns
+			newCells = append(newCells, table.Rows[i].Cells...)
+			for len(newCells) < len(table.ColumnDefinitions) {
+				newCells = append(newCells, nil)
+			}
+		}
+
+		// Compute cells for new columns
+		for _, f := range valueFuncs {
+			newCell, err := f(table.Rows[i])
+			if err != nil {
+				return err
+			}
+			newCells = append(newCells, newCell)
+		}
+
+		if pos == beginning {
+			// If we're prepending, add existing cells
+			newCells = append(newCells, table.Rows[i].Cells...)
+		}
+
+		// Remember the new cells for this row
+		newRows[i] = newCells
+	}
+
+	// All cells successfully computed, now replace columns and rows
+	newColumns := make([]metav1.TableColumnDefinition, 0, len(columns)+len(table.ColumnDefinitions))
+	switch pos {
+	case beginning:
+		newColumns = append(newColumns, columns...)
+		newColumns = append(newColumns, table.ColumnDefinitions...)
+	case end:
+		newColumns = append(newColumns, table.ColumnDefinitions...)
+		newColumns = append(newColumns, columns...)
+	default:
+		return fmt.Errorf("invalid column add position: %v", pos)
+	}
+	table.ColumnDefinitions = newColumns
+	for i := range table.Rows {
+		table.Rows[i].Cells = newRows[i]
+	}
+
+	return nil
+}
+
+// decorateTable takes a table and attempts to add label columns and the
+// namespace column. It will fill empty columns with nil (if the object
+// does not expose metadata). It returns an error if the table cannot
+// be decorated.
+func decorateTable(table *metav1.Table, options PrintOptions) error {
+	width := len(table.ColumnDefinitions) + len(options.ColumnLabels)
+	if options.WithNamespace {
+		width++
+	}
+	if options.ShowLabels {
+		width++
+	}
+
+	columns := table.ColumnDefinitions
+
+	nameColumn := -1
+	if options.WithKind && !options.Kind.Empty() {
+		for i := range columns {
+			if columns[i].Format == "name" && columns[i].Type == "string" {
+				nameColumn = i
+				break
+			}
+		}
+	}
+
+	if width != len(table.ColumnDefinitions) {
+		columns = make([]metav1.TableColumnDefinition, 0, width)
+		if options.WithNamespace {
+			columns = append(columns, metav1.TableColumnDefinition{
+				Name: "Namespace",
+				Type: "string",
+			})
+		}
+		columns = append(columns, table.ColumnDefinitions...)
+		for _, label := range formatLabelHeaders(options.ColumnLabels) {
+			columns = append(columns, metav1.TableColumnDefinition{
+				Name: label,
+				Type: "string",
+			})
+		}
+		if options.ShowLabels {
+			columns = append(columns, metav1.TableColumnDefinition{
+				Name: "Labels",
+				Type: "string",
+			})
+		}
+	}
+
+	rows := table.Rows
+
+	includeLabels := len(options.ColumnLabels) > 0 || options.ShowLabels
+	if includeLabels || options.WithNamespace || nameColumn != -1 {
+		for i := range rows {
+			row := rows[i]
+
+			if nameColumn != -1 {
+				row.Cells[nameColumn] = fmt.Sprintf("%s/%s", strings.ToLower(options.Kind.String()), row.Cells[nameColumn])
+			}
+
+			var m metav1.Object
+			if obj := row.Object.Object; obj != nil {
+				if acc, err := meta.Accessor(obj); err == nil {
+					m = acc
+				}
+			}
+			// if we can't get an accessor, fill out the appropriate columns with empty spaces
+			if m == nil {
+				if options.WithNamespace {
+					r := make([]interface{}, 1, width)
+					row.Cells = append(r, row.Cells...)
+				}
+				for j := 0; j < width-len(row.Cells); j++ {
+					row.Cells = append(row.Cells, nil)
+				}
+				rows[i] = row
+				continue
+			}
+
+			if options.WithNamespace {
+				r := make([]interface{}, 1, width)
+				r[0] = m.GetNamespace()
+				row.Cells = append(r, row.Cells...)
+			}
+			if includeLabels {
+				row.Cells = appendLabelCells(row.Cells, m.GetLabels(), options)
+			}
+			rows[i] = row
+		}
+	}
+
+	table.ColumnDefinitions = columns
+	table.Rows = rows
+	return nil
+}
+
+// printRowsForHandlerEntry prints the incremental table output (headers if the current type is
+// different from lastType) including all the rows in the object. It returns the current type
+// or an error, if any.
+func printRowsForHandlerEntry(output io.Writer, handler *printHandler, eventType string, obj runtime.Object, options PrintOptions, includeHeaders bool) error {
+	var results []reflect.Value
+
+	args := []reflect.Value{reflect.ValueOf(obj), reflect.ValueOf(options)}
+	results = handler.printFunc.Call(args)
+	if !results[1].IsNil() {
+		return results[1].Interface().(error)
+	}
+
+	if includeHeaders {
+		var headers []string
+		for _, column := range handler.columnDefinitions {
+			if column.Priority != 0 && !options.Wide {
+				continue
+			}
+			headers = append(headers, strings.ToUpper(column.Name))
+		}
+		headers = append(headers, formatLabelHeaders(options.ColumnLabels)...)
+		// LABELS is always the last column.
+		headers = append(headers, formatShowLabelsHeader(options.ShowLabels)...)
+		// prepend namespace header
+		if options.WithNamespace {
+			headers = append(withNamespacePrefixColumns, headers...)
+		}
+		// prepend event type header
+		if len(eventType) > 0 {
+			headers = append(withEventTypePrefixColumns, headers...)
+		}
+		printHeader(headers, output)
+	}
+
+	if results[1].IsNil() {
+		rows := results[0].Interface().([]metav1.TableRow)
+		printRows(output, eventType, rows, options)
+		return nil
+	}
+	return results[1].Interface().(error)
+}
+
+var formattedEventType = map[string]string{
+	string(watch.Added):    "ADDED   ",
+	string(watch.Modified): "MODIFIED",
+	string(watch.Deleted):  "DELETED ",
+	string(watch.Error):    "ERROR   ",
+}
+
+func formatEventType(eventType string) string {
+	if formatted, ok := formattedEventType[eventType]; ok {
+		return formatted
+	}
+	return eventType
+}
+
+// printRows writes the provided rows to output.
+func printRows(output io.Writer, eventType string, rows []metav1.TableRow, options PrintOptions) {
+	for _, row := range rows {
+		if len(eventType) > 0 {
+			fmt.Fprint(output, formatEventType(eventType))
+			fmt.Fprint(output, "\t")
+		}
+		if options.WithNamespace {
+			if obj := row.Object.Object; obj != nil {
+				if m, err := meta.Accessor(obj); err == nil {
+					fmt.Fprint(output, m.GetNamespace())
+				}
+			}
+			fmt.Fprint(output, "\t")
+		}
+
+		for i, cell := range row.Cells {
+			if i != 0 {
+				fmt.Fprint(output, "\t")
+			} else {
+				// TODO: remove this once we drop the legacy printers
+				if options.WithKind && !options.Kind.Empty() {
+					fmt.Fprintf(output, "%s/%s", strings.ToLower(options.Kind.String()), cell)
+					continue
+				}
+			}
+			fmt.Fprint(output, cell)
+		}
+
+		hasLabels := len(options.ColumnLabels) > 0
+		if obj := row.Object.Object; obj != nil && (hasLabels || options.ShowLabels) {
+			if m, err := meta.Accessor(obj); err == nil {
+				for _, value := range labelValues(m.GetLabels(), options) {
+					output.Write([]byte("\t"))
+					output.Write([]byte(value))
+				}
+			}
+		}
+
+		output.Write([]byte("\n"))
+	}
+}
+
+func formatLabelHeaders(columnLabels []string) []string {
+	formHead := make([]string, len(columnLabels))
+	for i, l := range columnLabels {
+		p := strings.Split(l, "/")
+		formHead[i] = strings.ToUpper(p[len(p)-1])
+	}
+	return formHead
+}
+
+// headers for --show-labels=true
+func formatShowLabelsHeader(showLabels bool) []string {
+	if showLabels {
+		return []string{"LABELS"}
+	}
+	return nil
+}
+
+// labelValues returns a slice of value columns matching the requested print options.
+func labelValues(itemLabels map[string]string, opts PrintOptions) []string {
+	var values []string
+	for _, key := range opts.ColumnLabels {
+		values = append(values, itemLabels[key])
+	}
+	if opts.ShowLabels {
+		values = append(values, labels.FormatLabels(itemLabels))
+	}
+	return values
+}
+
+// appendLabelCells returns a slice of value columns matching the requested print options.
+// Intended for use with tables.
+func appendLabelCells(values []interface{}, itemLabels map[string]string, opts PrintOptions) []interface{} {
+	for _, key := range opts.ColumnLabels {
+		values = append(values, itemLabels[key])
+	}
+	if opts.ShowLabels {
+		values = append(values, labels.FormatLabels(itemLabels))
+	}
+	return values
+}
+
+func printStatus(obj runtime.Object, options PrintOptions) ([]metav1.TableRow, error) {
+	status, ok := obj.(*metav1.Status)
+	if !ok {
+		return nil, fmt.Errorf("expected *v1.Status, got %T", obj)
+	}
+	return []metav1.TableRow{{
+		Object: runtime.RawExtension{Object: obj},
+		Cells:  []interface{}{status.Status, status.Reason, status.Message},
+	}}, nil
+}
+
+func printObjectMeta(obj runtime.Object, options PrintOptions) ([]metav1.TableRow, error) {
+	if meta.IsListType(obj) {
+		rows := make([]metav1.TableRow, 0, 16)
+		err := meta.EachListItem(obj, func(obj runtime.Object) error {
+			nestedRows, err := printObjectMeta(obj, options)
+			if err != nil {
+				return err
+			}
+			rows = append(rows, nestedRows...)
+			return nil
+		})
+		if err != nil {
+			return nil, err
+		}
+		return rows, nil
+	}
+
+	rows := make([]metav1.TableRow, 0, 1)
+	m, err := meta.Accessor(obj)
+	if err != nil {
+		return nil, err
+	}
+	row := metav1.TableRow{
+		Object: runtime.RawExtension{Object: obj},
+	}
+	row.Cells = append(row.Cells, m.GetName(), translateTimestampSince(m.GetCreationTimestamp()))
+	rows = append(rows, row)
+	return rows, nil
+}
+
+// translateTimestampSince returns the elapsed time since timestamp in
+// human-readable approximation.
+func translateTimestampSince(timestamp metav1.Time) string {
+	if timestamp.IsZero() {
+		return "<unknown>"
+	}
+
+	return duration.HumanDuration(time.Since(timestamp.Time))
+}
@@ -0,0 +1,36 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package printers
+
+import (
+	"io"
+
+	"github.com/liggitt/tabwriter"
+)
+
+const (
+	tabwriterMinWidth = 6
+	tabwriterWidth    = 4
+	tabwriterPadding  = 3
+	tabwriterPadChar  = ' '
+	tabwriterFlags    = tabwriter.RememberWidths
+)
+
+// GetNewTabWriter returns a tabwriter that translates tabbed columns in input into properly aligned text.
+func GetNewTabWriter(output io.Writer) *tabwriter.Writer {
+	return tabwriter.NewWriter(output, tabwriterMinWidth, tabwriterWidth, tabwriterPadding, tabwriterPadChar, tabwriterFlags)
+}
@@ -0,0 +1,119 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package printers
+
+import (
+	"encoding/base64"
+	"errors"
+	"fmt"
+	"io"
+	"reflect"
+	"text/template"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/util/json"
+)
+
+// GoTemplatePrinter is an implementation of ResourcePrinter which formats data with a Go Template.
+type GoTemplatePrinter struct {
+	rawTemplate string
+	template    *template.Template
+}
+
+func NewGoTemplatePrinter(tmpl []byte) (*GoTemplatePrinter, error) {
+	t, err := template.New("output").
+		Funcs(template.FuncMap{
+			"exists":       exists,
+			"base64decode": base64decode,
+		}).
+		Parse(string(tmpl))
+	if err != nil {
+		return nil, err
+	}
+	return &GoTemplatePrinter{
+		rawTemplate: string(tmpl),
+		template:    t,
+	}, nil
+}
+
+// AllowMissingKeys tells the template engine if missing keys are allowed.
+func (p *GoTemplatePrinter) AllowMissingKeys(allow bool) {
+	if allow {
+		p.template.Option("missingkey=default")
+	} else {
+		p.template.Option("missingkey=error")
+	}
+}
+
+// PrintObj formats the obj with the Go Template.
+func (p *GoTemplatePrinter) PrintObj(obj runtime.Object, w io.Writer) error {
+	if InternalObjectPreventer.IsForbidden(reflect.Indirect(reflect.ValueOf(obj)).Type().PkgPath()) {
+		return errors.New(InternalObjectPrinterErr)
+	}
+
+	var data []byte
+	var err error
+	data, err = json.Marshal(obj)
+	if err != nil {
+		return err
+	}
+
+	out := map[string]interface{}{}
+	if err := json.Unmarshal(data, &out); err != nil {
+		return err
+	}
+	if err = p.safeExecute(w, out); err != nil {
+		// It is way easier to debug this stuff when it shows up in
+		// stdout instead of just stdin. So in addition to returning
+		// a nice error, also print useful stuff with the writer.
+		fmt.Fprintf(w, "Error executing template: %v. Printing more information for debugging the template:\n", err)
+		fmt.Fprintf(w, "\ttemplate was:\n\t\t%v\n", p.rawTemplate)
+		fmt.Fprintf(w, "\traw data was:\n\t\t%v\n", string(data))
+		fmt.Fprintf(w, "\tobject given to template engine was:\n\t\t%+v\n\n", out)
+		return fmt.Errorf("error executing template %q: %v", p.rawTemplate, err)
+	}
+	return nil
+}
+
+// safeExecute tries to execute the template, but catches panics and returns an error
+// should the template engine panic.
+func (p *GoTemplatePrinter) safeExecute(w io.Writer, obj interface{}) error {
+	var panicErr error
+	// Sorry for the double anonymous function. There's probably a clever way
+	// to do this that has the defer'd func setting the value to be returned, but
+	// that would be even less obvious.
+	retErr := func() error {
+		defer func() {
+			if x := recover(); x != nil {
+				panicErr = fmt.Errorf("caught panic: %+v", x)
+			}
+		}()
+		return p.template.Execute(w, obj)
+	}()
+	if panicErr != nil {
+		return panicErr
+	}
+	return retErr
+}
+
+func base64decode(v string) (string, error) {
+	data, err := base64.StdEncoding.DecodeString(v)
+	if err != nil {
+		return "", fmt.Errorf("base64 decode failed: %v", err)
+	}
+	return string(data), nil
+}
@@ -0,0 +1,75 @@
+/*
+Copyright 2022 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package printers
+
+import (
+	"io"
+	"os"
+	"runtime"
+	"strings"
+
+	"github.com/moby/term"
+)
+
+// terminalEscaper replaces ANSI escape sequences and other terminal special
+// characters to avoid terminal escape character attacks (issue #101695).
+var terminalEscaper = strings.NewReplacer("\x1b", "^[", "\r", "\\r")
+
+// WriteEscaped replaces unsafe terminal characters with replacement strings
+// and writes them to the given writer.
+func WriteEscaped(writer io.Writer, output string) error {
+	_, err := terminalEscaper.WriteString(writer, output)
+	return err
+}
+
+// EscapeTerminal escapes terminal special characters in a human readable (but
+// non-reversible) format.
+func EscapeTerminal(in string) string {
+	return terminalEscaper.Replace(in)
+}
+
+// IsTerminal returns whether the passed object is a terminal or not
+func IsTerminal(i interface{}) bool {
+	_, terminal := term.GetFdInfo(i)
+	return terminal
+}
+
+// AllowsColorOutput returns true if the specified writer is a terminal and
+// the process environment indicates color output is supported and desired.
+func AllowsColorOutput(w io.Writer) bool {
+	if !IsTerminal(w) {
+		return false
+	}
+
+	// https://en.wikipedia.org/wiki/Computer_terminal#Dumb_terminals
+	if os.Getenv("TERM") == "dumb" {
+		return false
+	}
+
+	// https://no-color.org/
+	if _, nocolor := os.LookupEnv("NO_COLOR"); nocolor {
+		return false
+	}
+
+	// On Windows WT_SESSION is set by the modern terminal component.
+	// Older terminals have poor support for UTF-8, VT escape codes, etc.
+	if runtime.GOOS == "windows" && os.Getenv("WT_SESSION") == "" {
+		return false
+	}
+
+	return true
+}
@@ -0,0 +1,95 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package printers
+
+import (
+	"fmt"
+	"io"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+// TypeSetterPrinter is an implementation of ResourcePrinter wraps another printer with types set on the objects
+type TypeSetterPrinter struct {
+	Delegate ResourcePrinter
+
+	Typer runtime.ObjectTyper
+}
+
+// NewTypeSetter constructs a wrapping printer with required params
+func NewTypeSetter(typer runtime.ObjectTyper) *TypeSetterPrinter {
+	return &TypeSetterPrinter{Typer: typer}
+}
+
+// PrintObj is an implementation of ResourcePrinter.PrintObj which sets type information on the obj for the duration
+// of printing.  It is NOT threadsafe.
+func (p *TypeSetterPrinter) PrintObj(obj runtime.Object, w io.Writer) error {
+	if obj == nil {
+		return p.Delegate.PrintObj(obj, w)
+	}
+	if !obj.GetObjectKind().GroupVersionKind().Empty() {
+		return p.Delegate.PrintObj(obj, w)
+	}
+
+	// we were empty coming in, make sure we're empty going out.  This makes the call thread-unsafe
+	defer func() {
+		obj.GetObjectKind().SetGroupVersionKind(schema.GroupVersionKind{})
+	}()
+
+	gvks, _, err := p.Typer.ObjectKinds(obj)
+	if err != nil {
+		// printers wrapped by us expect to find the type information present
+		return fmt.Errorf("missing apiVersion or kind and cannot assign it; %v", err)
+	}
+
+	for _, gvk := range gvks {
+		if len(gvk.Kind) == 0 {
+			continue
+		}
+		if len(gvk.Version) == 0 || gvk.Version == runtime.APIVersionInternal {
+			continue
+		}
+		obj.GetObjectKind().SetGroupVersionKind(gvk)
+		break
+	}
+
+	return p.Delegate.PrintObj(obj, w)
+}
+
+// ToPrinter returns a printer (not threadsafe!) that has been wrapped
+func (p *TypeSetterPrinter) ToPrinter(delegate ResourcePrinter) ResourcePrinter {
+	if p == nil {
+		return delegate
+	}
+
+	p.Delegate = delegate
+	return p
+}
+
+// WrapToPrinter wraps the common ToPrinter method
+func (p *TypeSetterPrinter) WrapToPrinter(delegate ResourcePrinter, err error) (ResourcePrinter, error) {
+	if err != nil {
+		return delegate, err
+	}
+	if p == nil {
+		return delegate, nil
+	}
+
+	p.Delegate = delegate
+	return p, nil
+}
@@ -0,0 +1,55 @@
+/*
+Copyright 2022 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package printers
+
+import (
+	"fmt"
+	"io"
+)
+
+const (
+	yellowColor = "\u001b[33;1m"
+	resetColor  = "\u001b[0m"
+)
+
+type WarningPrinter struct {
+	// out is the writer to output warnings to
+	out io.Writer
+	// opts contains options controlling warning output
+	opts WarningPrinterOptions
+}
+
+// WarningPrinterOptions controls the behavior of a WarningPrinter constructed using NewWarningPrinter()
+type WarningPrinterOptions struct {
+	// Color indicates that warning output can include ANSI color codes
+	Color bool
+}
+
+// NewWarningPrinter returns an implementation of warningPrinter that outputs warnings to the specified writer.
+func NewWarningPrinter(out io.Writer, opts WarningPrinterOptions) *WarningPrinter {
+	h := &WarningPrinter{out: out, opts: opts}
+	return h
+}
+
+// Print prints warnings to the configured writer.
+func (w *WarningPrinter) Print(message string) {
+	if w.opts.Color {
+		fmt.Fprintf(w.out, "%sWarning:%s %s\n", yellowColor, resetColor, message)
+	} else {
+		fmt.Fprintf(w.out, "Warning: %s\n", message)
+	}
+}
@@ -0,0 +1,86 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package printers
+
+import (
+	"errors"
+	"fmt"
+	"io"
+	"reflect"
+	"sync/atomic"
+
+	"sigs.k8s.io/yaml"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+// YAMLPrinter is an implementation of ResourcePrinter which outputs an object as YAML.
+// The input object is assumed to be in the internal version of an API and is converted
+// to the given version first.
+// If PrintObj() is called multiple times, objects are separated with a '---' separator.
+type YAMLPrinter struct {
+	printCount int64
+}
+
+// PrintObj prints the data as YAML.
+func (p *YAMLPrinter) PrintObj(obj runtime.Object, w io.Writer) error {
+	// we use reflect.Indirect here in order to obtain the actual value from a pointer.
+	// we need an actual value in order to retrieve the package path for an object.
+	// using reflect.Indirect indiscriminately is valid here, as all runtime.Objects are supposed to be pointers.
+	if InternalObjectPreventer.IsForbidden(reflect.Indirect(reflect.ValueOf(obj)).Type().PkgPath()) {
+		return errors.New(InternalObjectPrinterErr)
+	}
+
+	count := atomic.AddInt64(&p.printCount, 1)
+	if count > 1 {
+		if _, err := w.Write([]byte("---\n")); err != nil {
+			return err
+		}
+	}
+
+	switch obj := obj.(type) {
+	case *metav1.WatchEvent:
+		if InternalObjectPreventer.IsForbidden(reflect.Indirect(reflect.ValueOf(obj.Object.Object)).Type().PkgPath()) {
+			return errors.New(InternalObjectPrinterErr)
+		}
+		data, err := yaml.Marshal(obj)
+		if err != nil {
+			return err
+		}
+		_, err = w.Write(data)
+		return err
+	case *runtime.Unknown:
+		data, err := yaml.JSONToYAML(obj.Raw)
+		if err != nil {
+			return err
+		}
+		_, err = w.Write(data)
+		return err
+	}
+
+	if obj.GetObjectKind().GroupVersionKind().Empty() {
+		return fmt.Errorf("missing apiVersion or kind; try GetObjectKind().SetGroupVersionKind() if you know the type")
+	}
+
+	output, err := yaml.Marshal(obj)
+	if err != nil {
+		return err
+	}
+	_, err = fmt.Fprint(w, string(output))
+	return err
+}
@@ -0,0 +1,69 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package resource
+
+import (
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/client-go/rest"
+)
+
+// TODO require negotiatedSerializer.  leaving it optional lets us plumb current behavior and deal with the difference after major plumbing is complete
+func (clientConfigFn ClientConfigFunc) clientForGroupVersion(gv schema.GroupVersion, negotiatedSerializer runtime.NegotiatedSerializer) (RESTClient, error) {
+	cfg, err := clientConfigFn()
+	if err != nil {
+		return nil, err
+	}
+	if negotiatedSerializer != nil {
+		cfg.ContentConfig.NegotiatedSerializer = negotiatedSerializer
+	}
+	cfg.GroupVersion = &gv
+	if len(gv.Group) == 0 {
+		cfg.APIPath = "/api"
+	} else {
+		cfg.APIPath = "/apis"
+	}
+
+	return rest.RESTClientFor(cfg)
+}
+
+func (clientConfigFn ClientConfigFunc) unstructuredClientForGroupVersion(gv schema.GroupVersion) (RESTClient, error) {
+	cfg, err := clientConfigFn()
+	if err != nil {
+		return nil, err
+	}
+	cfg.ContentConfig = UnstructuredPlusDefaultContentConfig()
+	cfg.GroupVersion = &gv
+	if len(gv.Group) == 0 {
+		cfg.APIPath = "/api"
+	} else {
+		cfg.APIPath = "/apis"
+	}
+
+	return rest.RESTClientFor(cfg)
+}
+
+func (clientConfigFn ClientConfigFunc) withStdinUnavailable(stdinUnavailable bool) ClientConfigFunc {
+	return func() (*rest.Config, error) {
+		cfg, err := clientConfigFn()
+		if stdinUnavailable && cfg != nil && cfg.ExecProvider != nil {
+			cfg.ExecProvider.StdinUnavailable = stdinUnavailable
+			cfg.ExecProvider.StdinUnavailableMessage = "used by stdin resource manifest reader"
+		}
+		return cfg, err
+	}
+}
@@ -0,0 +1,110 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package resource
+
+import (
+	"context"
+	"fmt"
+	"reflect"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/client-go/dynamic"
+)
+
+// CRDGetter is a function that can download the list of GVK for all
+// CRDs.
+type CRDGetter func() ([]schema.GroupKind, error)
+
+func CRDFromDynamic(client dynamic.Interface) CRDGetter {
+	return func() ([]schema.GroupKind, error) {
+		list, err := client.Resource(schema.GroupVersionResource{
+			Group:    "apiextensions.k8s.io",
+			Version:  "v1",
+			Resource: "customresourcedefinitions",
+		}).List(context.TODO(), metav1.ListOptions{})
+		if err != nil {
+			return nil, fmt.Errorf("failed to list CRDs: %v", err)
+		}
+		if list == nil {
+			return nil, nil
+		}
+
+		gks := []schema.GroupKind{}
+
+		// We need to parse the list to get the gvk, I guess that's fine.
+		for _, crd := range (*list).Items {
+			// Look for group, version, and kind
+			group, _, _ := unstructured.NestedString(crd.Object, "spec", "group")
+			kind, _, _ := unstructured.NestedString(crd.Object, "spec", "names", "kind")
+
+			gks = append(gks, schema.GroupKind{
+				Group: group,
+				Kind:  kind,
+			})
+		}
+
+		return gks, nil
+	}
+}
+
+// CRDFinder keeps a cache of known CRDs and finds a given GVK in the
+// list.
+type CRDFinder interface {
+	HasCRD(gvk schema.GroupKind) (bool, error)
+}
+
+func NewCRDFinder(getter CRDGetter) CRDFinder {
+	return &crdFinder{
+		getter: getter,
+	}
+}
+
+type crdFinder struct {
+	getter CRDGetter
+	cache  *[]schema.GroupKind
+}
+
+func (f *crdFinder) cacheCRDs() error {
+	if f.cache != nil {
+		return nil
+	}
+
+	list, err := f.getter()
+	if err != nil {
+		return err
+	}
+	f.cache = &list
+	return nil
+}
+
+func (f *crdFinder) findCRD(gvk schema.GroupKind) bool {
+	for _, crd := range *f.cache {
+		if reflect.DeepEqual(gvk, crd) {
+			return true
+		}
+	}
+	return false
+}
+
+func (f *crdFinder) HasCRD(gvk schema.GroupKind) (bool, error) {
+	if err := f.cacheCRDs(); err != nil {
+		return false, err
+	}
+	return f.findCRD(gvk), nil
+}
@@ -0,0 +1,24 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package resource assists clients in dealing with RESTful objects that match the
+// Kubernetes API conventions. The Helper object provides simple CRUD operations
+// on resources. The Visitor interface makes it easy to deal with multiple resources
+// in bulk for retrieval and operation. The Builder object simplifies converting
+// standard command line arguments and parameters into a Visitor that can iterate
+// over all of the identified resources, whether on the server or on the local
+// filesystem.
+package resource
@@ -0,0 +1,40 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package resource
+
+import (
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/client-go/restmapper"
+)
+
+// FakeCategoryExpander is for testing only
+var FakeCategoryExpander restmapper.CategoryExpander = restmapper.SimpleCategoryExpander{
+	Expansions: map[string][]schema.GroupResource{
+		"all": {
+			{Group: "", Resource: "pods"},
+			{Group: "", Resource: "replicationcontrollers"},
+			{Group: "", Resource: "services"},
+			{Group: "apps", Resource: "statefulsets"},
+			{Group: "autoscaling", Resource: "horizontalpodautoscalers"},
+			{Group: "batch", Resource: "jobs"},
+			{Group: "batch", Resource: "cronjobs"},
+			{Group: "extensions", Resource: "daemonsets"},
+			{Group: "extensions", Resource: "deployments"},
+			{Group: "extensions", Resource: "replicasets"},
+		},
+	},
+}
@@ -0,0 +1,59 @@
+/*
+Copyright 2023 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package resource
+
+import (
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/klog/v2"
+)
+
+// fallbackQueryParamVerifier encapsulates the primary Verifier that
+// is invoked, and the secondary/fallback Verifier.
+type fallbackQueryParamVerifier struct {
+	primary   Verifier
+	secondary Verifier
+}
+
+var _ Verifier = &fallbackQueryParamVerifier{}
+
+// NewFallbackQueryParamVerifier returns a new Verifier which will invoke the
+// initial/primary Verifier. If the primary Verifier is "NotFound", then the
+// secondary Verifier is invoked as a fallback.
+func NewFallbackQueryParamVerifier(primary Verifier, secondary Verifier) Verifier {
+	return &fallbackQueryParamVerifier{
+		primary:   primary,
+		secondary: secondary,
+	}
+}
+
+// HasSupport returns an error if the passed GVK does not support the
+// query param (fieldValidation), as determined by the primary and
+// secondary OpenAPI endpoints. The primary endoint is checked first,
+// but if there is an error retrieving the OpenAPI V3 document, the
+// secondary attempts to determine support. If the GVK supports the query param,
+// nil is returned.
+func (f *fallbackQueryParamVerifier) HasSupport(gvk schema.GroupVersionKind) error {
+	err := f.primary.HasSupport(gvk)
+	// If an error was returned from the primary OpenAPI endpoint,
+	// we fallback to check the secondary OpenAPI endpoint for
+	// any error *except* "paramUnsupportedError".
+	if err != nil && !IsParamUnsupportedError(err) {
+		klog.V(7).Infof("openapi v3 error...falling back to legacy: %s", err)
+		err = f.secondary.HasSupport(gvk)
+	}
+	return err
+}
@@ -0,0 +1,321 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package resource
+
+import (
+	"context"
+	"fmt"
+
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/api/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"k8s.io/apimachinery/pkg/fields"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/watch"
+)
+
+var metadataAccessor = meta.NewAccessor()
+
+// Helper provides methods for retrieving or mutating a RESTful
+// resource.
+type Helper struct {
+	// The name of this resource as the server would recognize it
+	Resource string
+	// The name of the subresource as the server would recognize it
+	Subresource string
+	// A RESTClient capable of mutating this resource.
+	RESTClient RESTClient
+	// True if the resource type is scoped to namespaces
+	NamespaceScoped bool
+	// If true, then use server-side dry-run to not persist changes to storage
+	// for verbs and resources that support server-side dry-run.
+	//
+	// Note this should only be used against an apiserver with dry-run enabled,
+	// and on resources that support dry-run. If the apiserver or the resource
+	// does not support dry-run, then the change will be persisted to storage.
+	ServerDryRun bool
+
+	// FieldManager is the name associated with the actor or entity that is making
+	// changes.
+	FieldManager string
+
+	// FieldValidation is the directive used to indicate how the server should perform
+	// field validation (Ignore, Warn, or Strict)
+	FieldValidation string
+}
+
+// NewHelper creates a Helper from a ResourceMapping
+func NewHelper(client RESTClient, mapping *meta.RESTMapping) *Helper {
+	return &Helper{
+		Resource:        mapping.Resource.Resource,
+		RESTClient:      client,
+		NamespaceScoped: mapping.Scope.Name() == meta.RESTScopeNameNamespace,
+	}
+}
+
+// DryRun, if true, will use server-side dry-run to not persist changes to storage.
+// Otherwise, changes will be persisted to storage.
+func (m *Helper) DryRun(dryRun bool) *Helper {
+	m.ServerDryRun = dryRun
+	return m
+}
+
+// WithFieldManager sets the field manager option to indicate the actor or entity
+// that is making changes in a create or update operation.
+func (m *Helper) WithFieldManager(fieldManager string) *Helper {
+	m.FieldManager = fieldManager
+	return m
+}
+
+// WithFieldValidation sets the field validation option to indicate
+// how the server should perform field validation (Ignore, Warn, or Strict).
+func (m *Helper) WithFieldValidation(validationDirective string) *Helper {
+	m.FieldValidation = validationDirective
+	return m
+}
+
+// Subresource sets the helper to access (<resource>/[ns/<namespace>/]<name>/<subresource>)
+func (m *Helper) WithSubresource(subresource string) *Helper {
+	m.Subresource = subresource
+	return m
+}
+
+func (m *Helper) Get(namespace, name string) (runtime.Object, error) {
+	req := m.RESTClient.Get().
+		NamespaceIfScoped(namespace, m.NamespaceScoped).
+		Resource(m.Resource).
+		Name(name).
+		SubResource(m.Subresource)
+	return req.Do(context.TODO()).Get()
+}
+
+func (m *Helper) List(namespace, apiVersion string, options *metav1.ListOptions) (runtime.Object, error) {
+	req := m.RESTClient.Get().
+		NamespaceIfScoped(namespace, m.NamespaceScoped).
+		Resource(m.Resource).
+		VersionedParams(options, metav1.ParameterCodec)
+	return req.Do(context.TODO()).Get()
+}
+
+// FollowContinue handles the continue parameter returned by the API server when using list
+// chunking. To take advantage of this, the initial ListOptions provided by the consumer
+// should include a non-zero Limit parameter.
+func FollowContinue(initialOpts *metav1.ListOptions,
+	listFunc func(metav1.ListOptions) (runtime.Object, error)) error {
+	opts := initialOpts
+	for {
+		list, err := listFunc(*opts)
+		if err != nil {
+			return err
+		}
+		nextContinueToken, _ := metadataAccessor.Continue(list)
+		if len(nextContinueToken) == 0 {
+			return nil
+		}
+		opts.Continue = nextContinueToken
+	}
+}
+
+// EnhanceListError augments errors typically returned by List operations with additional context,
+// making sure to retain the StatusError type when applicable.
+func EnhanceListError(err error, opts metav1.ListOptions, subj string) error {
+	if apierrors.IsResourceExpired(err) {
+		return err
+	}
+	if apierrors.IsBadRequest(err) || apierrors.IsNotFound(err) {
+		if se, ok := err.(*apierrors.StatusError); ok {
+			// modify the message without hiding this is an API error
+			if len(opts.LabelSelector) == 0 && len(opts.FieldSelector) == 0 {
+				se.ErrStatus.Message = fmt.Sprintf("Unable to list %q: %v", subj,
+					se.ErrStatus.Message)
+			} else {
+				se.ErrStatus.Message = fmt.Sprintf(
+					"Unable to find %q that match label selector %q, field selector %q: %v", subj,
+					opts.LabelSelector,
+					opts.FieldSelector, se.ErrStatus.Message)
+			}
+			return se
+		}
+		if len(opts.LabelSelector) == 0 && len(opts.FieldSelector) == 0 {
+			return fmt.Errorf("Unable to list %q: %v", subj, err)
+		}
+		return fmt.Errorf("Unable to find %q that match label selector %q, field selector %q: %v",
+			subj, opts.LabelSelector, opts.FieldSelector, err)
+	}
+	return err
+}
+
+func (m *Helper) Watch(namespace, apiVersion string, options *metav1.ListOptions) (watch.Interface, error) {
+	options.Watch = true
+	return m.RESTClient.Get().
+		NamespaceIfScoped(namespace, m.NamespaceScoped).
+		Resource(m.Resource).
+		VersionedParams(options, metav1.ParameterCodec).
+		Watch(context.TODO())
+}
+
+func (m *Helper) WatchSingle(namespace, name, resourceVersion string) (watch.Interface, error) {
+	return m.RESTClient.Get().
+		NamespaceIfScoped(namespace, m.NamespaceScoped).
+		Resource(m.Resource).
+		VersionedParams(&metav1.ListOptions{
+			ResourceVersion: resourceVersion,
+			Watch:           true,
+			FieldSelector:   fields.OneTermEqualSelector("metadata.name", name).String(),
+		}, metav1.ParameterCodec).
+		Watch(context.TODO())
+}
+
+func (m *Helper) Delete(namespace, name string) (runtime.Object, error) {
+	return m.DeleteWithOptions(namespace, name, nil)
+}
+
+func (m *Helper) DeleteWithOptions(namespace, name string, options *metav1.DeleteOptions) (runtime.Object, error) {
+	if options == nil {
+		options = &metav1.DeleteOptions{}
+	}
+	if m.ServerDryRun {
+		options.DryRun = []string{metav1.DryRunAll}
+	}
+
+	return m.RESTClient.Delete().
+		NamespaceIfScoped(namespace, m.NamespaceScoped).
+		Resource(m.Resource).
+		Name(name).
+		Body(options).
+		Do(context.TODO()).
+		Get()
+}
+
+func (m *Helper) Create(namespace string, modify bool, obj runtime.Object) (runtime.Object, error) {
+	return m.CreateWithOptions(namespace, modify, obj, nil)
+}
+
+func (m *Helper) CreateWithOptions(namespace string, modify bool, obj runtime.Object, options *metav1.CreateOptions) (runtime.Object, error) {
+	if options == nil {
+		options = &metav1.CreateOptions{}
+	}
+	if m.ServerDryRun {
+		options.DryRun = []string{metav1.DryRunAll}
+	}
+	if m.FieldManager != "" {
+		options.FieldManager = m.FieldManager
+	}
+	if m.FieldValidation != "" {
+		options.FieldValidation = m.FieldValidation
+	}
+	if modify {
+		// Attempt to version the object based on client logic.
+		version, err := metadataAccessor.ResourceVersion(obj)
+		if err != nil {
+			// We don't know how to clear the version on this object, so send it to the server as is
+			return m.createResource(m.RESTClient, m.Resource, namespace, obj, options)
+		}
+		if version != "" {
+			if err := metadataAccessor.SetResourceVersion(obj, ""); err != nil {
+				return nil, err
+			}
+		}
+	}
+
+	return m.createResource(m.RESTClient, m.Resource, namespace, obj, options)
+}
+
+func (m *Helper) createResource(c RESTClient, resource, namespace string, obj runtime.Object, options *metav1.CreateOptions) (runtime.Object, error) {
+	return c.Post().
+		NamespaceIfScoped(namespace, m.NamespaceScoped).
+		Resource(resource).
+		VersionedParams(options, metav1.ParameterCodec).
+		Body(obj).
+		Do(context.TODO()).
+		Get()
+}
+func (m *Helper) Patch(namespace, name string, pt types.PatchType, data []byte, options *metav1.PatchOptions) (runtime.Object, error) {
+	if options == nil {
+		options = &metav1.PatchOptions{}
+	}
+	if m.ServerDryRun {
+		options.DryRun = []string{metav1.DryRunAll}
+	}
+	if m.FieldManager != "" {
+		options.FieldManager = m.FieldManager
+	}
+	if m.FieldValidation != "" {
+		options.FieldValidation = m.FieldValidation
+	}
+	return m.RESTClient.Patch(pt).
+		NamespaceIfScoped(namespace, m.NamespaceScoped).
+		Resource(m.Resource).
+		Name(name).
+		SubResource(m.Subresource).
+		VersionedParams(options, metav1.ParameterCodec).
+		Body(data).
+		Do(context.TODO()).
+		Get()
+}
+
+func (m *Helper) Replace(namespace, name string, overwrite bool, obj runtime.Object) (runtime.Object, error) {
+	c := m.RESTClient
+	var options = &metav1.UpdateOptions{}
+	if m.ServerDryRun {
+		options.DryRun = []string{metav1.DryRunAll}
+	}
+	if m.FieldManager != "" {
+		options.FieldManager = m.FieldManager
+	}
+	if m.FieldValidation != "" {
+		options.FieldValidation = m.FieldValidation
+	}
+
+	// Attempt to version the object based on client logic.
+	version, err := metadataAccessor.ResourceVersion(obj)
+	if err != nil {
+		// We don't know how to version this object, so send it to the server as is
+		return m.replaceResource(c, m.Resource, namespace, name, obj, options)
+	}
+	if version == "" && overwrite {
+		// Retrieve the current version of the object to overwrite the server object
+		serverObj, err := c.Get().NamespaceIfScoped(namespace, m.NamespaceScoped).Resource(m.Resource).Name(name).SubResource(m.Subresource).Do(context.TODO()).Get()
+		if err != nil {
+			// The object does not exist, but we want it to be created
+			return m.replaceResource(c, m.Resource, namespace, name, obj, options)
+		}
+		serverVersion, err := metadataAccessor.ResourceVersion(serverObj)
+		if err != nil {
+			return nil, err
+		}
+		if err := metadataAccessor.SetResourceVersion(obj, serverVersion); err != nil {
+			return nil, err
+		}
+	}
+
+	return m.replaceResource(c, m.Resource, namespace, name, obj, options)
+}
+
+func (m *Helper) replaceResource(c RESTClient, resource, namespace, name string, obj runtime.Object, options *metav1.UpdateOptions) (runtime.Object, error) {
+	return c.Put().
+		NamespaceIfScoped(namespace, m.NamespaceScoped).
+		Resource(resource).
+		Name(name).
+		SubResource(m.Subresource).
+		VersionedParams(options, metav1.ParameterCodec).
+		Body(obj).
+		Do(context.TODO()).
+		Get()
+}
@@ -0,0 +1,103 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package resource
+
+import (
+	"k8s.io/apimachinery/pkg/api/meta"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/client-go/discovery"
+	"k8s.io/client-go/rest"
+	"k8s.io/client-go/restmapper"
+)
+
+type RESTClientGetter interface {
+	ToRESTConfig() (*rest.Config, error)
+	ToDiscoveryClient() (discovery.CachedDiscoveryInterface, error)
+	ToRESTMapper() (meta.RESTMapper, error)
+}
+
+type ClientConfigFunc func() (*rest.Config, error)
+type RESTMapperFunc func() (meta.RESTMapper, error)
+type CategoryExpanderFunc func() (restmapper.CategoryExpander, error)
+
+// RESTClient is a client helper for dealing with RESTful resources
+// in a generic way.
+type RESTClient interface {
+	Get() *rest.Request
+	Post() *rest.Request
+	Patch(types.PatchType) *rest.Request
+	Delete() *rest.Request
+	Put() *rest.Request
+}
+
+// RequestTransform is a function that is given a chance to modify the outgoing request.
+type RequestTransform func(*rest.Request)
+
+// NewClientWithOptions wraps the provided RESTClient and invokes each transform on each
+// newly created request.
+func NewClientWithOptions(c RESTClient, transforms ...RequestTransform) RESTClient {
+	if len(transforms) == 0 {
+		return c
+	}
+	return &clientOptions{c: c, transforms: transforms}
+}
+
+type clientOptions struct {
+	c          RESTClient
+	transforms []RequestTransform
+}
+
+func (c *clientOptions) modify(req *rest.Request) *rest.Request {
+	for _, transform := range c.transforms {
+		transform(req)
+	}
+	return req
+}
+
+func (c *clientOptions) Get() *rest.Request {
+	return c.modify(c.c.Get())
+}
+
+func (c *clientOptions) Post() *rest.Request {
+	return c.modify(c.c.Post())
+}
+func (c *clientOptions) Patch(t types.PatchType) *rest.Request {
+	return c.modify(c.c.Patch(t))
+}
+func (c *clientOptions) Delete() *rest.Request {
+	return c.modify(c.c.Delete())
+}
+func (c *clientOptions) Put() *rest.Request {
+	return c.modify(c.c.Put())
+}
+
+// ContentValidator is an interface that knows how to validate an API object serialized to a byte array.
+type ContentValidator interface {
+	ValidateBytes(data []byte) error
+}
+
+// Visitor lets clients walk a list of resources.
+type Visitor interface {
+	Visit(VisitorFunc) error
+}
+
+// VisitorFunc implements the Visitor interface for a matching function.
+// If there was a problem walking a list of resources, the incoming error
+// will describe the problem and the function can decide how to handle that error.
+// A nil returned indicates to accept an error to continue loops even when errors happen.
+// This is useful for ignoring certain kinds of errors or aggregating errors in some way.
+type VisitorFunc func(*Info, error) error
--- a/Show More
+++ b/Show More